Modifying subinacl exports with a bash script

We are currently in the process of migrating our users from one Active Directory domain to another.

The users already exist in the target domain, so we wanted to mass-change our NTFS permissions to add the new-domain account alongside each old-domain entry while keeping the old permissions in place for the duration of the migration.

A tool that Microsoft supplies looked ideal for the task – subinacl – apart from one respect: the tool is designed to replace permissions rather than add to them. The way we got round this was to export the existing ACLs with subinacl, edit the export to add the new entries we wanted, and then play the edited file back against the NTFS volume.

This is a four-step process.

First, run subinacl against the NTFS volume (R: here) to export all of the existing permissions to a file –

subinacl /noverbose /nostatistic /outputlog=rights.log /subdirectories "r:" /display=dacl

Then create a lookup file that maps each old_domain\old_user to its new_domain\new_user, one mapping per line with a colon between the two names, and the old name written exactly as it appears in the export –

old_domain\domain users:new_domain\new domain users
old_domain\domain admins:new_domain\new domain admins

Next, create the bash script. Some of this is specific to our requirements but should get you started if you need to do the same thing. The one subtlety is the "/perm. ace count" line at the top of each file's block: the script adjusts it to match the number of "/pace" lines it writes out, so each block is buffered and written once the block ends –

#!/bin/bash
# Rewrites a subinacl /display=dacl export so that every ACE held by an
# old-domain account is followed by an identical ACE for the mapped
# new-domain account. Output goes to stdout; redirect it to the file that
# will be handed to /playfile. Requires bash 4 (associative arrays, ${x,,}).

# Set file locations
ifile="./s.txt"        # the export produced in step 1
lookup="./lookup.txt"  # old_domain\user:new_domain\user, one per line

# Read the old -> new account mapping into an associative array.
# "read -r" preserves the backslashes; keys are lower-cased because
# Windows account names are case-insensitive.
declare -A newuser
while IFS= read -r line_a || [ -n "$line_a" ]; do
    line_a=${line_a%$'\r'}            # tolerate Windows line endings
    [ -n "$line_a" ] || continue
    old=${line_a%%:*}
    newuser["${old,,}"]=${line_a#*:}
done < "$lookup"

# Each file block is "/perm. ace count   =N" followed by N "/pace =" lines.
# Because lines are added, the count has to be recomputed: the /perm line
# and the /pace lines are buffered and written out when the block ends.
permprefix=""   # the /perm line up to and including "="
permcount=0     # original ACE count from the export
added=0         # ACEs appended in the current block
paces=()        # buffered /pace lines (original plus added)
crlf=""         # "\r" if the input uses CRLF, so the output matches

out() { printf '%s%s\n' "$1" "$crlf"; }

flush() {
    [ -n "$permprefix" ] || return 0
    out "${permprefix}$((permcount + added))"
    local p
    for p in "${paces[@]}"; do out "$p"; done
    permprefix=""; permcount=0; added=0; paces=()
}

while IFS= read -r line || [ -n "$line" ]; do
    crlf=""
    if [[ $line == *$'\r' ]]; then crlf=$'\r'; line=${line%$'\r'}; fi
    case $line in
        /perm*)
            # Start of a block: keep the header, it is emitted by flush
            permprefix="${line%=*}="
            permcount=${line##*=}
            ;;
        /pace*)
            paces+=("$line")
            # "/pace =domain\user  Type=0x0 Flags=0x3 AccessMask=0x1f01ff":
            # the account and the Type/Flags/AccessMask text are two spaces apart
            rest=${line#*=}
            user=${rest%%  *}
            backtext=${rest#*  }
            nuser=${newuser["${user,,}"]}
            if [ -n "$nuser" ]; then
                # Same ACE again, for the new-domain account
                paces+=("/pace =${nuser}  ${backtext}")
                added=$((added + 1))
            fi
            ;;
        *)
            # "===" separators, "+File" lines, blank lines and anything else
            # end any open block and are echoed back unchanged
            flush
            out "$line"
            ;;
    esac
done < "$ifile"
flush

Then run the script against the export from step 1 (saved as s.txt, the path the script reads) with its output redirected to the file you will play back, e.g. bash fixperms.sh > rights.log, and play that file against your NTFS volume –

subinacl /nostatistic /playfile rights.log

Warning: as with any mass ACL change, make sure you know exactly what the playfile will do before you run it, and try it against a copy of a small directory tree first. Keep the untouched export from step 1: because /playfile replaces the permissions it lists, playing the original export back is the way to undo the change. Remember too that this leaves the old-domain entries in place, so they need to be removed once the migration is complete, otherwise the old accounts (or their orphaned SIDs) keep their access.
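As an added example that is not part of the original post, here is a pre-flight check to run on the generated playfile before handing it to /playfile. It is a POSIX sh wrapper around awk, assumes the export layout shown above (a "/perm. ace count   =N" header followed by N "/pace =" lines per file, each block starting at a "+File" line) and the same old:new lookup format; the sample export, the share paths and the account names inside it are constructed for the example and the script name check_playfile.sh is ours.

```shell
#!/bin/sh
# Added example, not from the original post: a pre-flight check of the
# generated playfile before it is handed to "subinacl /playfile".
# Assumes the export layout shown above and the old:new lookup file.
#
# check_playfile PLAYFILE LOOKUP
#   For every file block, verifies that the ACE count in the header equals
#   the number of /pace lines, and that every ACE held by a mapped
#   old-domain account has an identical ACE (same Type/Flags/AccessMask)
#   for the new-domain account. Prints one line per problem; returns 0
#   if everything matches, 1 otherwise.
check_playfile() {
    awk '
    # First file is the lookup: lower-cased old account -> new account
    FILENAME == ARGV[1] {
        sub(/\r$/, "")
        if ($0 == "") next
        i = index($0, ":")
        map[tolower(substr($0, 1, i - 1))] = substr($0, i + 1)
        next
    }
    { sub(/\r$/, "") }                        # tolerate CRLF exports
    /^[+]File/ { check(); block = substr($0, 2); expected = 0; n = 0; next }
    /^\/perm/  { expected = substr($0, index($0, "=") + 1) + 0; next }
    /^\/pace/  { paces[++n] = $0; next }
    END        { check(); exit bad + 0 }

    # Check the block collected so far; a problem sets bad and is reported once
    function check(   i, j, rest, p, user, fields, want, found) {
        if (block == "") return
        if (expected != n) {
            printf "%s: header says %d ACEs, block has %d /pace lines\n", block, expected, n
            bad = 1; return
        }
        for (i = 1; i <= n; i++) {
            rest   = substr(paces[i], index(paces[i], "=") + 1)   # text after "/pace ="
            p      = index(rest, "  ")                            # account and flags are two spaces apart
            user   = substr(rest, 1, p - 1)
            fields = substr(rest, p + 2)
            want   = map[tolower(user)]
            if (want == "") continue                             # not a migrated account (SYSTEM etc.)
            found = 0
            for (j = 1; j <= n; j++)
                if (tolower(paces[j]) == tolower("/pace =" want "  " fields)) { found = 1; break }
            if (!found) {
                printf "%s: no ACE for %s matching the one held by %s\n", block, want, user
                bad = 1; return
            }
        }
    }' "$2" "$1"
}

# Constructed sample data (not a real export): one mapping, a playfile the
# check should accept and one it should reject.
SAMPLE_LOOKUP='old_domain\domain users:new_domain\new domain users'

SAMPLE_OK='==============================
+File R:\share\reports
==============================
/perm. ace count   =3
/pace =nt authority\system  Type=0x0 Flags=0x3 AccessMask=0x1f01ff
/pace =old_domain\domain users  Type=0x0 Flags=0x3 AccessMask=0x1200a9
/pace =new_domain\new domain users  Type=0x0 Flags=0x3 AccessMask=0x1200a9
'

# Two faults: the first block claims 3 ACEs but lists 2, the second block
# gives the new account a different AccessMask (0x1f01ff, full control).
SAMPLE_BAD='==============================
+File R:\share\reports
==============================
/perm. ace count   =3
/pace =nt authority\system  Type=0x0 Flags=0x3 AccessMask=0x1f01ff
/pace =old_domain\domain users  Type=0x0 Flags=0x3 AccessMask=0x1200a9

==============================
+File R:\share\reports\2019
==============================
/perm. ace count   =3
/pace =nt authority\system  Type=0x0 Flags=0x3 AccessMask=0x1f01ff
/pace =old_domain\domain users  Type=0x0 Flags=0x3 AccessMask=0x1200a9
/pace =new_domain\new domain users  Type=0x0 Flags=0x3 AccessMask=0x1f01ff
'

# write_samples DIR: writes lookup.txt, ok.log and bad.log into DIR
write_samples() {
    printf '%s\n' "$SAMPLE_LOOKUP" > "$1/lookup.txt"
    printf '%s'   "$SAMPLE_OK"     > "$1/ok.log"
    printf '%s'   "$SAMPLE_BAD"    > "$1/bad.log"
}

# Usage: sh check_playfile.sh rights.log lookup.txt
if [ "$#" -eq 2 ]; then
    check_playfile "$1" "$2"
fi
```

The same check run against a fresh export taken after the playback confirms that the new entries actually landed with the intended masks.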