Instructions: clean up NTFS access rights

1. Create project and read in directories

Create new project – Read in directories and authorizations

In migRaven, one always works with projects. A project is a logical unit, which is to be processed, for example a share or a directory below a share. Best is the point which is mounted in case of users or integrated in the DFS. Thus one ensures that all authorizations – including the list authorizations – are correctly created by migRaven. Via the title “Administer projects”, you arrive at the point, where new projects can be created, processed or deleted.

The prerequisite for creating new projects is that at least the domain was scanned once.

Project Start

Best Practice: Create a new project per share.

If you define the individual shares as independent projects, then you have time to process it in peace and to copy the data into new directories “Step by Step” and to then assign these to the users.

For example Project1: “\\Server\data\management\accounting”

Project2: “\\Server\data\management\purchase”      etc.

Then enter the den UNC path till the directory (project) to be scanned. Please check once again whether this path is also attainable, above all with your login data.

Please consider: According to your Windows login, MigRaven can only scan the directories, which you may access, therefore you must execute the program always as administrator.

Scan depth and threads for scan:

These settings have significant effects on the size of the database and the speed of the scan.

Scan depth:

The scan depth should be selected only as deep as you want to select and set the authorizations in the folders. (The more deep a scan is, the longer it takes to scan and the larger becomes the database.)

Threads for scanning:

The more threads you select, the higher the process load is. Recommendation: max. 2 Threads/Core. You immediately experience while scanning whether there are too many threads. This makes the java process noticeable.

2. Revise / redefine authorizations

Via the “Work & Design”-screen, you can check, process or redefine all explicit authorizations.

Select here the directory depth relevant for you. If you want to assign only authorizations in the 3rd level, then you only need to select 3 in the field “Export till level”. Via the button “Fill table”, the data is loaded from the database.

Only change directories of this type in the list:

  • With explicit available authorizations
  • Only standard authorizations
  • Only domain accounts (Local and “Well Known” User/groups are hidden; well Known-Accounts are the standard accounts, which Microsoft always includes.)

In this table now all relevant authorizations can be defined in the respective directories.

For this enter the appropriate accounts in the column, which represents the desired right. Here two variants are selected:

  1. The groups, which are entered there, are also written directly in the ACL. This enables the reuse of already available authorization groups.
  1. Accounts and groups are entered, which then become member in an authorization group recreated by migRaven. This can be set via the group configuration

In the table you can:

  • Insert new rows, for directories, which are to be authorized, but are not yet included
  • Remove accounts from columns
  • Add new accounts/groups in columns in the format: Domain\Login name (SAM) -> -> test\f.Kafka
    (If you want to authorize several accounts/groups, then these are to be separated with a semicolon.)
  • Sort, filter columns
  • Add and delete rows

After the processing, the “Validation” takes place. Thereby the values of the table are checked for consistency. One tries to cancel the directory paths and the accounts. This happens against the real systems.

After the successful validation, the data are transferred into the database. At the same time the status of the project is upgraded in the database, and the prerequisite for this is that the next steps can be carried out.

3. Prepare new groups in migRaven

In this step the groups are formed and nested by migRaven within the database.

In addition to this, following settings must be first determined in the group configuration:

  • The type of groups
  • The naming of the groups
  • How far should the list right be set
  • The storage location of the (OU) groups

The last step does not take place in the AD and/or on the file system, which has the advantage that one can view and/or if needed overwrite the designed structure once again, before:

  • The groups of migRaven are automatically created and nested in AD and
  • The actual implementation takes place in the file system.

Hereby one complies with the group configuration (domain local or universal groups, list authorizations or not, etc.)

4. Create and nest new groups

In this step, the groups are finally created and nested in the AD.

migRaven performs thereby the following steps:

  • The groups are created LIVE in the AD,
  • The authorization groups with the list groups are nested and
  • The users/groups are included in the authorization groups.
  • The authorization-/list groups are automatically stored in an OU, which must be defined in the group configuration.

If these steps are completed, one has generated a complete group structure in the AD, which is authorized in the next step through migRaven. Please be cautious of the fact that only the number of group memberships of the users increase. Please focus particularly on the size of the Kerberos token.
Deploy Groups

5. Create Green Meadow

Create a blank, completely authorized duplicate of the directories

In order to design the complete process as easy as possible, the authorizations are not written on the original path, but migRaven creates a blank copy of the directory tree with the new authorizations.

Via the point “Deploy ACL”, a new, fully authorized, but blank duplicate of the directory tree is created. This is the new final storage location for your data.

In case of this step, only the directories, which have received explicit authorizations via migRaven, are re-created and authorized with the appropriate already available groups.


A path must be prepared, which is the new data storage location after the replication of the data. This can be a complete new share or a directory in an available share. When you set DFS, it recommends creating a new share, which must be then linked in the DFS.

Only the directories are generated in the new path, which were processed before.

If source is \\Server\share\ and is then below directories, then these are also written under the new path: \\Server_neu\Share\

For defining the new storage location, please fill in the predefined mandatory field.

Deploy ACL

There are two possible approaches for using the “Green Meadow”:

  1. The “Green Meadow” includes the old data and functions as new storage location.
  2. The “Green Meadow” serves as buffer and control storage location. After everything is controlled and found “OK, then the new ACLs are transferred to the old location.

6. Write new authorizations in the directories

In this step, the new directories are created and the rights are given to the authorization groups created before.

Following steps are processed:

  • The directories are created, for which authorizations are provided.
  • Directories, for which list rights are provided, are assigned to the list groups with list rights only for this folder.
  • Underlying directories that are transitional are created according to our configuration with authorization groups. The groups have been created for the authorization end point, but receive here only list right.
  • In case of authorized directories, several authorization groups can be entered, one with read-execute-rights, one with read-write-rights and one with modify-rights. Authorization groups with full control rights should have exceptions.
  • These rights are transmitted to the secondary directories.
  • Secondary directories can get further authorization groups.


7. Result control

Control whether the newly generated authorization in the green meadow corresponds with the expectations

After successfully generating the “Green Meadow” through migRaven, the result should be verified. This is easily possible when one generates a new project with the newly created directory tree.

Grüne Wiese

In the “View”-area of migRaven, the result can then be regarded.

8. Replicate old data in the new directory tree

If the “Green Meadow” should include your data and function as new share, then the data must be now replicated in the new area. This cannot take place directly via migRaven.

Please control all newly generated authorizations, whether they correspond with your expectations. Only after that the replication of the data should be initiated. It is thereby important, that the old authorizations are not taken along!

The replication can take place through various channels. Robocopy of Microsoft is offered with less amounts of data. If the directory tree includes lot of data, then we have had very good experience with Peer Sync. That is a tool that enables a clear real time byte-level replication without the fact that source and target have to be always compared again. A further advantage of Peer Sync is the support for NetApp.

The command with Robocopy is:
Robocopy [Source] [Target] /E /Copy:DAT

If the “Green Meadow” should not become the new storage location, then the new ACLs can be transferred to the old area.

9. Exchange shares for user access

Translate »