I have a non-domain joined Windows file server that relies on local users for NTFS permissions, and I'm setting up a new file server, which is also not domain-joined. My plan is to detach the data VMDK from the old server and attach it to the new one. However, I'm concerned about the fact that NTFS permissions are linked to local user SIDs, and simply recreating users won't maintain their access rights. What's the best way to migrate or preserve local user accounts and their SIDs so that the NTFS permissions remain intact after I attach the disk to the new server? I'm looking for best practices or supported methods, whether that's through PowerShell, registry hive migration, or other tools.
3 Answers
Honestly, if you're not joining a domain, I'm kind of curious why you feel the need to replace the file server at all! The best practice shared earlier about using a domain really rings true, so I wouldn't rush into replacing things unless absolutely necessary.
You really want to focus on using groups for folder access in the future. Unfortunately, you can't retain the user SIDs from the old server since each Windows machine generates unique SIDs for its objects. Check out the setacl utility; it can help you update the ACLs on your file structure. Just remember, my experience is mainly in a domain setup, so I might not have the full picture for your situation!
The best practice here is to use a domain to manage access control lists (ACLs), but since you’re not doing that, you’ll need to approach it differently. Using PowerShell is vital; you can use `get-acl` and `set-acl` to map the old SIDs to the new ones. If you have inheritance set up, copying files over and letting the parent folder's ACL apply to the child directories might work too. Just be careful about mismatched access!

Actually, default local objects do have consistent SIDs across installations, which can be useful to remember!
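
The `get-acl`/`set-acl` SID remapping suggested in the answer above could look like the following; this is an added example, not code from any poster on this page. It assumes a hypothetical `C:\migrate\old-users.csv` exported on the old server, same-named local users already created on the new server, a placeholder data path `D:\Shares`, and an elevated session.

```powershell
# Added example: remap orphaned local-account SIDs in NTFS ACLs after moving a data disk.
# Assumed input (hypothetical path), exported on the OLD server with:
#   Get-LocalUser | Select-Object Name, SID | Export-Csv C:\migrate\old-users.csv -NoTypeInformation
# Assumed state: local users with the same names already exist on the NEW server.
param(
    [string]$MapCsv = 'C:\migrate\old-users.csv',   # hypothetical export file
    [string]$Root   = 'D:\Shares',                  # placeholder for the attached data volume
    [switch]$Apply                                  # without -Apply, only report planned changes
)

# Build an old SID -> new SID table by matching account names.
$sidMap = @{}
foreach ($row in Import-Csv -LiteralPath $MapCsv) {
    $new = Get-LocalUser -Name $row.Name -ErrorAction SilentlyContinue
    if ($new) { $sidMap[$row.SID] = $new.SID }
    else      { Write-Warning "No local user '$($row.Name)' here; $($row.SID) stays unmapped" }
}

$items = @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Recurse -Force)
foreach ($item in $items) {
    $acl     = Get-Acl -LiteralPath $item.FullName
    $changed = $false

    # Explicit (non-inherited) rules only, returned as raw SIDs so that entries
    # that no longer resolve to a name can still be matched against the table.
    $rules = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $old = $rule.IdentityReference.Value
        if (-not $sidMap.ContainsKey($old)) { continue }   # built-in and unknown SIDs are left alone

        # Same rights, inheritance and allow/deny type, granted to the new account's SID.
        $newRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $sidMap[$old], $rule.FileSystemRights, $rule.InheritanceFlags,
            $rule.PropagationFlags, $rule.AccessControlType)
        $acl.RemoveAccessRuleSpecific($rule)
        $acl.AddAccessRule($newRule)
        $changed = $true
        Write-Output "$($item.FullName): $old -> $($sidMap[$old])"
    }

    if ($changed -and $Apply) { Set-Acl -LiteralPath $item.FullName -AclObject $acl }
}
```

Run it once without `-Apply` and review the reported mappings before writing anything. It rewrites only explicit access entries; file owners and audit entries that reference old SIDs are not remapped.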