Windows 2003 IIS FTP Server Migration w/ User Accounts
Solution 1
There is no "easy" solution to this problem - ACLs for local accounts are lost when moved to a new server because the SID associated with that user doesn't map to a valid user account any longer.
There is a way to do it though without having to wipe out your system. I'm going to walk through what I think is the easiest way, using PowerShell (with WMI), icacls and some text editing.
- Create all of the new users on the new server.
- On both the old server and the new server, get a listing of all the username to SID mappings. To do this, open up PowerShell and run the command (on each server):

      get-wmiobject win32_useraccount | where { $_.localaccount } | export-csv serverusers.csv

  You've got some manual work to do now - you need to take both of the spreadsheets and map the SIDs from the old server users to the new ones. Create this in a new CSV (c:\sids.csv) with a format that is something like:

      oldusername,newusername,oldsid,newsid

- On the old server, save the ACLs for the files you care about using icacls. For example, if your files are in a folder called c:\ftproot\ you would go into that folder and do:

      icacls * /save c:\acls.bak /T

- Now you need to do a search and replace on the acls.bak file - for every row in your CSV, find all instances of oldsid and replace it with newsid. Here is a PowerShell script to do that:

      # Read the saved ACLs using the same encoding the file is written back with
      $file = get-content C:\acls.bak -encoding unicode
      # Load the old SID to new SID mapping
      $csv = import-csv c:\sids.csv
      foreach ($row in $csv) {
          # Swap every occurrence of the old SID for the new one
          $file = $file -replace $row.oldsid,$row.newsid
      }
      # Write the edited ACLs to a new file for the restore step
      set-content c:\acls2.bak $file -encoding unicode

- Copy all of the files to the new server.
- Restore the ACLs on the files in the new server (again, assuming this is under c:\ftproot):

      icacls . /restore c:\acls2.bak /T

And that should do it - the files should now have the permissions set using the new local user accounts.
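An added example, not part of the original answer: a stricter version of the search-and-replace step that validates the mapping, rewrites whole SIDs only, and reports old-server SIDs that have no mapping and would be left orphaned in the restored ACLs. The file paths and CSV column names follow the answer; the checks, variable names and warning messages are assumptions made for illustration.

```powershell
# Added example, not the answer's script. Paths and CSV columns follow the answer;
# the validation and reporting steps are assumptions added for illustration.
$aclIn = 'C:\acls.bak'; $aclOut = 'C:\acls2.bak'; $csvPath = 'C:\sids.csv'
$sidForm = '^S-1-5-21(-\d+){4}$'      # account SID: machine/domain identifier plus RID

# Build the old -> new map, rejecting malformed or duplicate rows up front.
$map = @{}; $oldPrefixes = @{}
foreach ($row in Import-Csv $csvPath) {
    $old = "$($row.oldsid)".Trim(); $new = "$($row.newsid)".Trim()
    if ($old -notmatch $sidForm -or $new -notmatch $sidForm) {
        throw "Malformed SID in $csvPath : '$old' -> '$new'"
    }
    if ($map.ContainsKey($old)) { throw "Old SID listed twice: $old" }
    $map[$old] = $new
    $oldPrefixes[($old -replace '-\d+$', '')] = $true   # old machine identifier
}

# Match whole SIDs only, so ...-1001 is never rewritten inside ...-10010,
# and do it in one pass so a replaced value is never replaced a second time.
$hits = @{}; $orphans = @{}
$swap = [System.Text.RegularExpressions.MatchEvaluator]{
    param($m)
    $sid = $m.Value
    if ($map.ContainsKey($sid)) { $hits[$sid] = 1 + $hits[$sid]; return $map[$sid] }
    if ($oldPrefixes.ContainsKey(($sid -replace '-\d+$', ''))) { $orphans[$sid] = $true }
    return $sid
}
$lines = Get-Content $aclIn -Encoding Unicode |
    ForEach-Object { [regex]::Replace($_, 'S-1-5-21(?:-\d+){4}', $swap) }
Set-Content $aclOut $lines -Encoding Unicode

# Report mapping rows that never matched, and old-server SIDs with no mapping
# (for example a local group, which the win32_useraccount export does not list).
foreach ($old in $map.Keys) {
    if (-not $hits.ContainsKey($old)) { Write-Warning "Mapped SID never seen in ACLs: $old" }
}
foreach ($sid in $orphans.Keys) {
    Write-Warning "Unmapped old-server SID left in ${aclOut}: $sid"
}
"{0} SIDs rewritten, {1} occurrences" -f $hits.Count, ($hits.Values | Measure-Object -Sum).Sum
```

Domain account SIDs do not share the old server's machine identifier, so they pass through unchanged and are not reported. An "unmapped" warning means the restored ACLs would still reference an account or group that does not exist on the new server.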
Solution 2
The easiest way is to use IIS Sites Transfer software or IIS Easy Migration Tool from http://www.hoststools.com. There are free versions. These tools help to migrate FTP sites and FTP accounts as well as ACL permissions.
Brad
Updated on September 17, 2022
Comments
-
Brad over 1 year
I'm trying to figure out the best way to migrate an FTP server from old hardware to new hardware. The server is on a domain, but not all the users set up on the server (to use FTP) are domain accounts, some are local to the server.
For example, I have users both ways:
domain\username
machinename\username
The new machine name will be different.
So I need to copy all the files with permissions intact from the old server to the new server. Then I need to convert all the user accounts from the old server to the new server. Then I need to change the file permissions so that they are no longer oldserver\username but newserver\username.
Can this be accomplished all with CACLS? Is there an easy way that perhaps I'm missing?
-
Brad about 14 years
I wish this was an option, but it's not.
-
Brad about 14 years
One more question, that CSV file, can it just have both sids listed in two columns? Are those just column names used for the PowerShell CSV object?
-
MattB about 14 years
@Brad: The CSV really only needs the old sid and new sid. For it to work properly in PowerShell, the first row of the CSV has to be a "header" row with the column names, so something like oldsid,newsid and then you can use $row.oldsid and $row.newsid when you loop through.
-
Brad about 14 years
@MattB: I've run into another issue. The ACL file dumped by ICACLS seems to be formatted differently. After I run my PowerShell command and replace the SIDs the file size is half as big. I downloaded WinMerge to compare the two, and the original dump has a (00) code after every character. Will this matter when restoring the permissions?
-
Brad about 14 years
@MattB: Never mind, I think I've figured it out. set-content c:\acls2.bak $file needs to be appended with -encoding unicode
-
MattB about 14 years
@Brad: sorry, my test script had that - not sure how I missed it in the copy/paste.
-
Brad about 11 years
I didn't care for this tool, especially the Gather function which tries to pull in all the domain groups/users instead of just those that exist on the local machine.