Friday, September 7, 2018

Migrating Windows Fileservers: Preserving NTFS and Domain Controller Permissions

A client was running a Windows 2008 fileserver. Share folders had been created and used for years, and permissions were set per group or per user over the many folders, with those groups and users linked to the Active Directory domain controller.

For this particular case, the shares were on a dedicated drive that is a storage-mapped volume. Reassigning the volume from the old server to a new one is quite easy, but the tricky part was preserving the share settings and the NTFS permissions along with the Active Directory domain controller security permissions.

After much digging around, the solution turned out to be a built-in command-line tool that can back up the permissions, combined with exporting a registry key to back up the configuration of the shares and their paths. Make sure you test this on a test machine before applying it to production! This will preserve both local-user and domain controller security permissions.

Pay attention to backslashes (\), as they make a difference to the tool.

Step 0: Backup and Restore Shares and their Permissions

  • Run regedit with administrator permission: search for regedit, then right-click it and choose "Run as Administrator".
  • Go to this location: HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares
    Note: HKLM = HKEY_LOCAL_MACHINE
  • Right-click the Shares registry key and choose Export. Export the key itself, the entry that looks like a folder in the left pane, not the values inside it on the right pane.
To restore the shares and their permissions, double-click the saved export file.

Step 1: Backup and Restore NTFS and Active Directory Security Permissions

  • Open the command prompt (cmd.exe) with administrator permission.
  • To back up: icacls "path to folder" /save ntfsperms.txt /t /c 2> errors.txt
    Example: icacls d:\data /save ntfsperms.txt /t /c 2> errors.txt
    /t recurses into the subfolders of the given folder.
    /c continues even when errors occur; the errors are still printed and, through the 2> redirect, written to the errors text file.

    Note: If you put multiple folders directly on the root of the drive, the command should look like this: icacls d:\* /save ntfsperms.txt /t /c 2> errors.txt
To restore: icacls d:\ /restore ntfsperms.txt

Yes, there is a difference between the path you back up and the path you restore to. Even if you backed up d:\data, you restore to the root directory d:\. That's how the tool works.

Keep in mind that the text file the permissions are saved to is written to the command prompt's current directory. If you run cmd as Administrator, that is C:\Windows\System32 by default.
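As an added pre-restore check (not part of the original post), the script below parses the ntfsperms.txt that icacls /save writes, assumed here to be UTF-16 text with one relative path line followed by one SDDL line per entry, and reports the top-level names (you run /restore against their parent folder, which is why d:\data is restored from d:\), any account SIDs whose domain prefix differs from your AD domain's SID (such as local accounts of the old server, which the new server cannot resolve), and paths where Everyone is granted access. The sample file contents and the domain SID S-1-5-21-100-200-300 are constructed.

```python
import re
from collections import Counter
# Constructed sample in the layout icacls /save is assumed to write: UTF-16 text where each
# entry is a path relative to the saved root's parent, then that object's DACL as SDDL.
SAMPLE_SAVE_FILE = "\r\n".join([
    "data",
    "D:AI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;S-1-5-21-100-200-300-1105)",
    "data\\finance",
    "D:AI(A;OICIID;FA;;;BA)(A;OICIID;FA;;;SY)(A;OICI;0x1301bf;;;S-1-5-21-100-200-300-1106)"
    "(A;OICI;0x1301bf;;;S-1-5-21-400-500-600-1001)",
    "data\\public",
    "D:AI(A;OICIID;FA;;;BA)(A;OICI;0x1200a9;;;WD)",
]).encode("utf-16")
ACE_RE = re.compile(r"\(([^)]*)\)")                            # one (...) group per ACE
ACCOUNT_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-\d+$")   # domain-or-machine prefix + RID

def parse_icacls_save(data):
    """Return [{'path', 'aces': [{'type', 'flags', 'rights', 'sid'}]}] from a save file."""
    lines = [ln for ln in data.decode("utf-16").splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("odd line count: the save file looks truncated")
    entries = []
    for path, sddl in zip(lines[::2], lines[1::2]):
        if not sddl.startswith("D:"):
            raise ValueError("expected a DACL after %r, got %r" % (path, sddl))
        aces = []
        for body in ACE_RE.findall(sddl):
            fields = body.split(";")
            if len(fields) != 6:
                raise ValueError("malformed ACE %r under %r" % (body, path))
            ace_type, flags, rights, _obj, _inh, sid = fields
            aces.append({"type": ace_type, "flags": flags, "rights": rights, "sid": sid})
        entries.append({"path": path, "aces": aces})
    return entries

def audit(entries, domain_sid):
    """Pre-restore report: restore-root hint, SIDs from another domain/machine, Everyone ACEs."""
    top_level = sorted({e["path"].split("\\")[0] for e in entries})  # restore into their parent
    foreign, everyone = Counter(), []
    for e in entries:
        for ace in e["aces"]:
            m = ACCOUNT_SID_RE.match(ace["sid"])
            if m and m.group(1) != domain_sid:
                foreign[m.group(1)] += 1   # e.g. a local account of the old server: won't resolve
            if ace["type"] == "A" and ace["sid"] == "WD":
                everyone.append(e["path"])
    return {"top_level": top_level, "foreign_prefixes": dict(foreign), "everyone_paths": everyone}

if __name__ == "__main__":
    print(audit(parse_icacls_save(SAMPLE_SAVE_FILE), "S-1-5-21-100-200-300"))  # constructed domain SID
```

Run it against the real export with your domain's SID and review anything it lists before restoring.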