Migrating Novell Rights (trustees) to Microsoft Rights (acl)

I’m in the middle of a big migration project from Novell to Microsoft.
When it comes to transferring the security rights from the Novell file system (trustees) to the Microsoft file system (ACLs), I decided NOT to use a Quest tool, but rather some freely available tools, and some smarts.
The first thing I did was to copy all the data from the NetWare server to the Windows server. I won’t go into the details in this entry, but I’ll tell you I used Beyond Compare, which has saved me many times…

The process goes like this:
1. Backup the Novell rights to a file.
2. Translate the rights into Microsoft ‘speak’
3. Apply the rights using a batch file.

So here we go….
1. I used the TRUSTEE.NLM tool (free from Novell) to back up the rights. At the Novell server, I typed the following:
TRUSTEE /ET /D SAVE VOL1: sys:\vol1-trustee.csv
This backed up all rights on volume vol1: to a file called vol1-trustee.csv, saved to the root of the sys volume.
The /ET switch backs up trustee entries only, not ownership.
The /D switch backs up only directories, not files.

The output file looks like this (I’ll show only 2 lines):
"TRUSTEE","vol1:\GROUPS\500STAFF","LONG","500STAFF.Staff.SXYZ","RWCEMF"
"TRUSTEE","vol1:\GROUPS\500STAFF","LONG","600STAFF.Staff.SXYZ","RF"

2. To translate the rights I used Excel and notepad. I’ll show you the end result, then explain it.
SetACL.exe -on "E:\GROUPS\500STAFF" -ot file -actn ace -ace "n:swtc\500STAFF;p:change" -log "c:\temp\log.txt"
SetACL.exe -on "E:\GROUPS\500STAFF" -ot file -actn ace -ace "n:swtc\600STAFF;p:read"

Let’s look at one line of each. I color coded the stuff that’s the same in red, and the stuff to translate in blue.
"TRUSTEE","vol1:\GROUPS\500STAFF","LONG","500STAFF.Staff.SXYZ","RWCEMF"
SetACL.exe -on "E:\GROUPS\500STAFF" -ot file -actn ace -ace "n:swtc\500STAFF;p:change" -log "c:\temp\log.txt"

So from here:
I replaced "TRUSTEE" with SetACL.exe -on
I replaced vol1: with E:
I replaced LONG with -ot file -actn ace -ace "n:swtc\
I replaced RWCEMF with ;p:change -log c:\temp\log.txt"
In places where there were only RF rights, I replaced them with ;p:read -log c:\temp\log.txt

I had to do some cleanup too, like removing the context of the group or user. In the example above, I replaced .Staff.SXYZ with nothing.

Then I saved it as a csv file, used Notepad to remove any unnecessary commas, and ran the batch file.
I used the SetACL.exe utility found here: setacl.sourceforge.net
This worked great!!!

For home folders, I did the same thing, and then I modified the batch file by replacing -ot file -actn ace -ace with -ot file -actn setowner -ownr. This sets the owner of the home folder to the owner of the user. This allows me to turn on user quotas if I want and get accurate reporting.

When I am ready to perform the cutover, I rem out the Novell login script, and turn ON the Microsoft logon script.

About Mike

owner of blog
This entry was posted in Migration.

4 Responses to Migrating Novell Rights (trustees) to Microsoft Rights (acl)

  1. Liza says:

    Mike, great information. You mention some freely available tools in this post. Can you share what tools you used to assist with this migration? Thanks.

  2. Liza says:

    Yes, we are actually planning the migration now for several hundred systems. I am very interested in your project plan. Can you email it to me? Thanks.

  3. John says:

    Mike, very interesting take on the migration. I would love to check out your project plan too. Could you email me a copy also? I’m just getting involved into a migration that is about half-way done.

  4. Dennis says:

    Hi Mike,

    your post looks like the perfect starting point for our own migration.
    Thank you for this.
    Would you be so kind to provide me your project plan by email as well? This would really help me out even more.
    Thanks
