Migrating Novell Rights (trustees) to Microsoft Rights (acl)

I’m in the middle of a big migration project from Novell to Microsoft.
When it comes to transferring the security rights from the Novell file system (trustees) to the Microsoft file system, I decided NOT to use a Quest tool, but rather some freely available tools and some smarts.
The first thing I did was to copy all the data from the NetWare server to the Windows server. I won’t go into the details in this entry, but I’ll tell you I used “Beyond Compare”, which has saved me many times…

The process goes like this:
1. Backup the Novell rights to a file.
2. Translate the rights into Microsoft ‘speak’
3. Apply the rights using a batch file.

So here we go….
1. I used the TRUSTEE.NLM tool (free from Novell) to back up the rights. On the Novell server, I typed the following:
TRUSTEE /ET /D SAVE VOL1: sys:\vol1-trustee.csv
This backed up all rights on volume vol1: to a file called vol1-trustee.csv, saved to the root of the sys volume.
The /ET switch backs up only trustee entries, not ownership.
The /D switch backs up only directories, not files.

The output file looks like this (I’ll show only 2 lines):
"TRUSTEE","vol1:\GROUPS\500STAFF","LONG","500STAFF.Staff.SXYZ","RWCEMF"
"TRUSTEE","vol1:\GROUPS\500STAFF","LONG","600STAFF.Staff.SXYZ","RF"

2. To translate the rights I used Excel and notepad. I’ll show you the end result, then explain it.
SetACL.exe -on "E:\GROUPS\500STAFF" -ot file -actn ace -ace "n:swtc\500STAFF;p:change" -log "c:\temp\log.txt"
SetACL.exe -on "E:\GROUPS\500STAFF" -ot file -actn ace -ace "n:swtc\600STAFF;p:read"

Let’s look at one line of each. I color coded the stuff that’s the same in red, and the stuff to translate in blue.
"TRUSTEE","vol1:\GROUPS\500STAFF","LONG","500STAFF.Staff.SXYZ","RWCEMF"
SetACL.exe -on "E:\GROUPS\500STAFF" -ot file -actn ace -ace "n:swtc\500STAFF;p:change" -log "c:\temp\log.txt"

So from here
I replaced "TRUSTEE" with SetACL.exe -on
replaced vol1: with E:
replaced LONG with -ot file -actn ace -ace "n:swtc\
replaced RWCEMF with ;p:change -log c:\temp\log.txt"
In places where there were only RF rights, I replaced them with ;p:read -log c:\temp\log.txt

I had to do some cleanup too, like removing the context of the group or user. In the example above, I replaced .Staff.SXYZ with nothing.

Then I saved it as a csv file, used Notepad to remove any unnecessary commas, and ran the batch file.
I used the SetACL.exe utility found here: setacl.sourceforge.net
This worked great!!!
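The same translation can be scripted instead of done by hand in Excel and Notepad. The following is an added example, not part of the original post: the function name `translate` and its parameters are hypothetical, the drive, domain and log path defaults are the ones used above, and the last two sample rows are constructed. It goes slightly beyond the manual steps by refusing to guess a permission for any rights string other than RWCEMF and RF, listing those rows for manual review.

```python
import csv
import io

# Only the two right sets the post translates. Anything else is reported for
# manual review rather than guessed, so no trustee is silently over-granted.
RIGHTS_MAP = {frozenset("RWCEMF"): "change", frozenset("RF"): "read"}

# First two rows are from the post; the last two are constructed edge cases.
SAMPLE = r'''"TRUSTEE","vol1:\GROUPS\500STAFF","LONG","500STAFF.Staff.SXYZ","RWCEMF"
"TRUSTEE","vol1:\GROUPS\500STAFF","LONG","600STAFF.Staff.SXYZ","RF"
"TRUSTEE","vol1:\GROUPS\100%SALES","LONG","SALES.Staff.SXYZ","RF"
"TRUSTEE","vol1:\GROUPS\ADMIN","LONG","ADMINS.Staff.SXYZ","RWCEMFA"
'''

def translate(csv_text, volume="vol1:", drive="E:", domain="swtc",
              log=r"c:\temp\log.txt"):
    """Return (commands, skipped) for a TRUSTEE.NLM directory export."""
    commands, skipped = [], []
    for row in csv.reader(io.StringIO(csv_text)):
        if not row:
            continue
        if len(row) != 5 or row[0] != "TRUSTEE":
            skipped.append((row, "not a 5-field TRUSTEE row"))
            continue
        _, path, _namespace, trustee, rights = row
        perm = RIGHTS_MAP.get(frozenset(rights.upper()))
        if perm is None:
            skipped.append((row, "no mapping for rights " + rights))
            continue
        if not path.lower().startswith(volume.lower()):
            skipped.append((row, "path is not on " + volume))
            continue
        # Swap the volume for the drive letter; '%' is doubled because
        # cmd.exe would otherwise expand it inside a batch file.
        win_path = (drive + path[len(volume):]).replace("%", "%%")
        name = trustee.split(".")[0]  # drop the context (.Staff.SXYZ)
        commands.append(
            f'SetACL.exe -on "{win_path}" -ot file -actn ace '
            f'-ace "n:{domain}\\{name};p:{perm}" -log "{log}"')
    return commands, skipped

if __name__ == "__main__":
    cmds, skipped = translate(SAMPLE)
    print("\n".join(cmds))
    for row, reason in skipped:
        print("REM REVIEW:", reason, row)
```

Rows that land in the skipped list need a manual decision on the equivalent Windows permission before the batch file is run.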

For home folders, I did the same thing, and then I modified the batch file by replacing -ot file -actn ace -ace with -ot file -actn setowner -ownr. This sets the owner of each home folder to its user, which allows me to turn on user quotas if I want and get accurate reporting.

When I am ready to perform the cutover, I rem out the Novell login script and turn ON the Microsoft logon script.
