Ntfs permissions on forest trusted share

Similar Messages

• VMM Error while seting NTFS permissions on a SOFS Share

  Hello,
  I get the errors 2912 and 26272 while registering a file share created by VMM on a sofs 2 node cluster.
  Share Permissions are set correctly by VMM, but for VMM it is obviously not possible to set ntfs permission.
  I run SCVMM 2012 R2 UR3 on a 2012 R2 Server. The sofs cluster is running on 2 2012R2 Servers. The Hyper V Servers are one Hyper-V Server 2012 (the free one) and I get the same errors on a Hyper-V Server 2012 R2 (the free one) 2 node Cluster.
  Both Cluster (SOFS and Hyper-V) were created manually with the Failover Cluster Manager.
  Hope someone can give me a hint
  where the problem is coming from.
  Thanks in advance
  Sebastian
  Error (2912)
  An internal error has occurred trying to contact the hafs01.lab.internal server: :w:InternalError: :Windows System Error 1332:Zuordnungen von Kontennamen und Sicherheitskennungen wurden nicht durchgeführt. .
  WinRM: URL: [http://hafs01.lab.internal:5985], Verb: [INVOKE], Method: [GrantAccess], Resource: [http://schemas.microsoft.com/wbem/wsman/1/wmi/root/microsoft/windows/smb/MSFT_SmbShare?Name=CSV02+ScopeName=SOFS01]
  No mapping between account names and security IDs was done (0x80070534)
  Recommended Action
  Check that WS-Management service is installed and running on server hafs01.lab.internal. For more information use the command "winrm helpmsg hresult". If hafs01.lab.internal is a host/library/update server or a PXE server role then ensure that VMM
  agent is installed and running. Refer to http://support.microsoft.com/kb/2742275 for more details.
  Error (26272)
  Failed to grant permissions for share \\sofs01.lab.internal\CSV02 on file server sofs01.lab.internal due to errors during the operation.
  Recommended Action
  Manually grant permissions on \\sofs01.lab.internal\CSV02.

  Hello Sebastian,
  did you ever get a solution for this?
  I experience the same problem from our clustered VMM to our SOFS clusters.
  Regards,
  Peter
  Peter

• Unable to set NTFS permissions on share using PowerShell. The user shows up with no rights checked off.

  I am having a little problem here with setting NTFS permissions via PowerShell. 
  Basically I am able to make a new directory on the share, and assign a user NTFS permissions however it just assigns the select user without any permissions set.
  $username = "test.user"
  $directory = "\\testlab-sv01\Share\newfolder"
  New-Item -Path $directory -ItemType Directory
  $colRights = [System.Security.AccessControl.FileSystemRights]"FullControl"
  $InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
  $PropagationFlag = [System.Security.AccessControl.PropagationFlags]::InheritOnly
  $objType =[System.Security.AccessControl.AccessControlType]::Allow
  $objUser = New-Object System.Security.Principal.NTAccount("$username")
  $objACE = New-Object System.Security.AccessControl.FileSystemAccessRule($objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType)
  $objACL = Get-ACL $directory
  $objACL.AddAccessRule($objACE)
  Set-ACL $directory $objACL
  A side question, why isn't this native in Powershell? Is it for security reasons? I expected there to be a cmdlet for it. 
  Thanks. 
  Kyle

  When you say there are no permissions, do mean that the ACL Editor is showing 'Special permissions' and none of the other boxes are checked?
  Try changing the inheritance and propagation flags to this:
  $InheritanceFlag = [System.Security.AccessControl.InheritanceFlags] "ContainerInherit, ObjectInherit"
  $PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None
  That sets the ACE to apply to the folder (InheritOnly propagation flag isn't set) , subfolders (ContainerInherit inheritance flag is set), and files (ObjectInherit inheritance flag is set), which is necessary for the ACE to not be considered 'special' in
  the ACL Editor.
  Awesome. Thanks. That did work. 
  And yes I did mean that it was showing special permissions with nothing checked. 
  Kyle

• What share and NTFS permissions must I give users to deploy software through SCCM?

  What share and NTFS permissions must I give users to deploy software through SCCM? I have one folder with all of the applications and would like to know.
  Thanks
  James A+, Network+, MCP

  That still doesn't help. We're not prying, we're trying to help but we honestly have no idea what you are talking about. The more and better details that you can provide, the better we can help.
  "Because I want to know" adds no value and does not help us help you. We need technical details -- we can't see what you are seeing and we can't read your mind.
  And, you didn't really answer any of my questions.
  I'll take another wild-guess though: If you are talking about the source file locations referenced within packages and applications, users do not access those. The computer account for the systems hosting the SMS Provider needs read access to the location(s)
  specified. Yes, this means both NTFS and share permissions assuming they are being referenced via a UNC.
  Finally, there is no service account. If you've changed the account that the SMS_EXECUTIVE is running under, you're are now in a completely unsupported state that will have many issues. If instead you are talking about the Network Access Account, that is
  *not* a service account and is *not* used to access content source files.
  Once again though, we're simply guessing because no one has any idea what you're doing. Please provide actual, technical details.
  Jason | http://blog.configmgrftw.com | @jasonsandys

• Export a list Shares & NTFS permissions

  I would like a script or tool which can create a list of server shares, along with the relevant NTFS permissions on the directory structure and exports to either a .txt or .csv. Full group and member names would be nice.
  Any ideas? Thanks.

  Hi,
  http://support.microsoft.com/kb/125996?wa=wsignin1.0
  You could export the Shares with the Share Permissions via registry.
  If thats not enough here is a PS Script http://gallery.technet.microsoft.com/scriptcenter/List-Share-Permissions-83f8c419
  what´s the goal you like to reach?
  kind regards,
  Philipp Halbedel
  MCP 2003,MCITP EA Server 2008,MCITP EA Windows 7,MCSA2008,MCSA2012 
  Meine Antwort war hilfreich? ich freu mich über eine Bewertung. If my answer was helpful, I'm glad about a rating! 
  I do not represent the organisation I work for, all the opinions expressed here are my own.

• Forest Trust Issues (Group Membership Issues)

  OK - this is going to be long. I hope I am detailed enough.
  Four domains, each in their own forests:
  domain.w.com
  domain.x.com
  domain.y.com
  domain.z.com
  For the sake of everyone, I'll refer to each domain as "w" or "x", which would be domain.w.com and domain.x.com, respectively.
  Domains x, y, and z all have users that require access to resources on domain
  w. Remember - each domain is in its own forest.
  Three trusts were created on domain w. Since the users on domain w do not need any resources on the other domains, three "ONE-WAY:OUTGOING" trusts were created (one for each) via Active Directory Domains and
  Trusts on domain w. The option to create the trust (have it show up in Active Directory Domains and Trusts) in the other domains (in this case
  x, y, and z) was selected.
  After the trusts were created from domain w, the trusts were verified. Administrators on domain
  w could "verify" the trusts (using admin accounts created for them on the three trusted domains).
  Since everything looked good (domain w shows up as an incoming trust for the other three domains), permissions for specific users on domains
  x, y, and z were granted for a share in domain
  w.
  Only... that didn't happen. When attempting to change permissions on the share, administrators were able to change the working domain directory to either
  x, y, or z... but searching returned zero results. Zilch.
  *It should be noted that this scenario has been in place for quite some time now, and that all groups/users previously defined on the share (that belong to the three domains trusted by domain
  w) now all show up as SIDs.
  When attempting to verify (validate) the incoming trust on any of the three domains, the error "Windows cannot find an Active Directory Domain Controller for the domain.w.com domain. Verify that an AD DC is available and then try again."
  is returned.
  Pinging domain.w.com returns the correct address. Direct pings to both domain controllers on domain w
  is also working. Domain w can also do the same pings that I just listed to all three other domains with correct results.
  There is no firewall in between these forests.
  I am leaning towards a DNS or AD issue on the domain w side. This all occurred at once on the same day last week, and no changes were made on
  x, y, or z. Of course... domain
  w is another entity and they are saying they have no clue why its not working.
  Questions:
  Should I be able to verify the trust from x, y, or
  z to domain w?
  Why cant domain w see the users/groups in the other domains?
  Why does domain w validate the trust if the other three domains cant?
  Could this be caused by some setting in GPO having to do with LDAP security, signing requirements, or authentication settings?
  Any help is much appreciated.
  Chris

  Yes, this is related to DNS, from what you describe.
  The simplest way to configure this is to go to EACH dns server on both sides of the trust and configure it for a conditional forwarder of the others dns zone. 
  http://www.techrepublic.com/blog/windows-and-office/configuring-dns-forwarders-to-support-windows-server-2003-forest-trusts/501/
  Unless you have a root dns server for all four zones already.
  Paul Bergson
  MVP - Directory Services
  MCITP: Enterprise Administrator
  MCTS, MCT, MCSE, MCSA, Security, BS CSci
  2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
  Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
  Please no e-mails, any questions should be posted in the NewsGroup.
  This posting is provided AS IS with no warranties, and confers no rights.

• Unexpected NTFS permissions behavior

  I am administering a home server running Windows 2008 R2 (accessed by several Windows 8.1 clients) and have run into an NTFS permissions issue I do not understand.
  On this server there is a S drive that contains all the online storage for our network.
  The structure of the S drive looks like this:
  Files
    Public
      VariousPublicFolders
    Private
      Person1
        Person1sStuff
      Person2
        Person1sStuff
  Temp
  Before any security modifications were made, the root of the S drive had the following permissions:
  SYSTEM : Full Control
  Administrators : Full Control
  Users : Read and Execute
  Also, all the above folders on this drive are owned by the Administrators group.
  Then I started changing permissions in order to satisfy my security requirements.
  For example, I disinherited permissions on Temp and allowed "Everyone" Full Control there.
  That works fine.
  What doesn't work fine is the permissions I am trying to set on the personal folders under the Private tree.
  I want to make sure no one else (other than administrators) has access to anyone's personal data  (the data in the Person1, Person2, etc folders).
  So I disinherted permissions on each of those folders and then explicity set the following:
  SYSTEM : Full Control
  Administrators : Full Control
  PersonX : Full Control
  This, I thought should work beautifully.
  I thought it should give each person full control of what happens in their personal folder, and also allow administrators and the system to get in there.
  But it is giving people in the Administrators group problems.
  I have a user called Custodian which is part of the Administrators group, and I use this user to do administrative tasks.
  As Custodian, when I try to access someone's personal folder in Explorer I am greeted with a message that says "You don't currently have permission to access this folder."
  Whaaaaat?
  I am offered "Click continue to permanently get access to this folder."
  If I say YES then Custodian is explicitly added to the folder ACL, and I can proceed to access the files there.
  But I don't want this.
  Custodian is already an Administrator, and Administrators already have full control of the folder.  Why should I even be prompted, and even worse, have my user unnecessarily added to the ACL?
  This is bad bad bad.
  I think what is going on is that UAC is coming into play.  I read somewhere that Administrators normally do not use their administrative token until they hit something that requires it, then UAC kicks in and asks to elevate them.  This would be
  fine if it happened.  I guess I wouldn't mind having to click OK to enter a folder that requires admin access.  But this is not what is happening.  I am just blanket denied until I explicitly add the Custodian account to the ACL.
  Can someone explain why an admin user is denied access to a folder having full control given to admins?  What is going on here?
  Can someone suggest a way to rig permissions so that my admin user doesn't have to be added explicity?
  I just want to be able to browse and alter the entire drive with ANY administrative user without being bothered to alter permissions.  I don't even mind being prompted for elevation, although honestly I'd prefer not to have that happen either.

  Thank you, Milos, for taking the time to look at this.
  RE: Making the post shorter, I'm not sure I could.  It's not an easy problem to state, and I tried to do so in as few words as possible, any less and I would be leaving out critical info.
  Here are your questions, answered.
  (2) Yes, I am using a workgroup.
  (3) An example calcs output
  S:\Files\Private\Scott DATABANK\Scott:(OI)(CI)F
                         BUILTIN\Administrators:(OI)(CI)F
                         NT AUTHORITY\SYSTEM:(OI)(CI)F
  (4) The share permissions are full, yes, but this is immaterial.  I suffer the problem accessing the files locally/directly on the server.  I probably shouldn't have mentioned anything about the share.  It's just that the problem came to light
  while I WAS accessing the files through the share, but then I tried locally and still had the problem.
  I am unsure of what you mean in (5) (6) (7).  Could you elaborate?

• Exchange mailboxes, corporate AD, forest trust, arrays, Can you look this over?

  This is my first script, it took a while to figure some things out, but it is working. I wanted to know if it is overkill, or if there is something that sticks out that would be an easier way of accomplishing something with this script.
  Background info:
  Company was bought out, forest trust set up between corp network and ours (years ago). So what we wanted was to compare exchange mailboxes with linked mailboxes array, to be compared to corporate AD array with user accounts that are disabled. a list is created
  in another script which shows linked mailboxes and disabled corp AD accounts, helpdesk looks these through to make sure there are no exceptions. Exceptions are entered into PS cmdline, those are pulled out of the array. Then the left objects in the array are
  PST backed up to network share, and then mailboxes removed. Admin trust across corp allows Exchange admin to search through Corp AD through search-AdAccount cmdlet. The script is run from a VM with exchange server tools installed and running 32-bit os of Windows
  7 and 32-bit Office (Because that's how great... Exchange 2007 is for exporting mailboxes to PST). 
  Not sure of this, though it works: 
  <#Clear variables so they are not retaining any old values#>
  Get-Variable -Exclude PWD,*Preference | Remove-Variable -EA 0
  Wanted to clear variables before running script, data was being held over each run before adding this in
  Here is the code "xxxxx" used in lieu of server names:
  <#Import in modules, if statement for PSSnapin so that it doesn't throw an error if it is already loaded.#>
  Import-Module ActiveDirectory
  if ( (Get-PSSnapin -Name Microsoft.Exchange.Management.PowerShell.Admin -ErrorAction SilentlyContinue) -eq $null )
      add-pssnapin Microsoft.Exchange.Management.PowerShell.Admin
  <#Clear variables so they are not retaining any old values#>
  Get-Variable -Exclude PWD,*Preference | Remove-Variable -EA 0
  <#Variables needed to complete script. $testIteration shows the number of times nested for loop happens, $exUserCorpMatch=@() is an empty array that will have objects added to it
  when linked mailboxes on Exchange are compared to disabled corp accounts, the $adminUser and $adPW are the login credentials so that anyone can enter admin login credentials to run script#>
  $errorLogPath = "c:\scripts\logs\exchangeADerror.txt"
  $testIteration=0
  $exUserCorpMatch=@()
  $adminUser = whoami
  $exceptionUsers=@()
  $exceptionArray=@()
  <#Create an Array from Get-mailbox cmdlet that has the value "LinkedMailbox" tying it to a Corporate account, .count value used to check results against expected#>
  $mailboxes = Get-Mailbox -resultSize unlimited -RecipientTypeDetails LinkedMailbox
  $mailboxes.count
  <#Create an array of objects from Corp server of user only dissabled accounts, .count value used to check results against expected#>
  $corpAccDis = Search-ADAccount -ResultSetSize $null -Server xxxxx -AccountDisabled -UsersOnly
  $corpAccDis.count
  <#Read in a list of users whose mailboxes shouldn't be removed#>
  while ($var -ne "q"){
      $var = Read-Host "Enter user exception linked mailbox name, or press q to quit entering names:"
      if ($var -ne "q"){
      $exceptionUsers += $var
  $exceptionUsers.count
  <#Create an Array with the usernames that were supplied by the Read-Host Cmdlet#>
  foreach ($name in $exceptionUsers){ 
  $exceptionArray += Get-Mailbox -Identity $name
  $exceptionArray
  <#Compare the two arrays on the value of name from the "Linked Master Account" and the Corp server "Sam Account Name" and insert the matching objects into an Array#>
  For ($a=0 ; $a -le $mailboxes.count -1 ; $a++){ 
      For ($b=0 ; $b -le $corpAccDis.count -1 ; $b++){
      $testIteration++
                          if ($mailboxes[$a].LinkedMasterAccount.Split("\")[-1] -eq $corpAccDis[$b].SamAccountName){
                              $exUserCorpMatch += $mailboxes[$a]
                              break
  $testIteration  #Test value checking nember of times the loop took place
  $exUserCorpMatch.count
  <#For loop to take exception users mailboxes out of the script#>
  For ($d=0;$d -lt $exceptionArray.Count; $d++){
      $exUserCorpMatch = $exUserCorpMatch| ? {$_.alias -ne $exceptionArray[$d].alias}
  $exUserCorpMatch.count
  $exUserCorpMatch | sort
  <#Taking the newly created array from the comparison and running the bulk of decisions, gives full access rights to the before entered admin account, then exports the mailbox to a PST
  file on the network share, and produces a txt file of the users properties, attributes, etc.. Then removes-mailbox, this is cmdlet is currently commented out until testing is done and 
  confirmed removal is ready to take place. #>
  for ($c = 0 ; $c -le $exUserCorpMatch.count -1; $c++){
      $fileCreationTime = Get-Date -UFormat "%Y%m%d%H%M%S"
      $displayName = $exUserCorpMatch[$c].DisplayName
      $pstFolderPath = Join-Path "\\xxxxx\exchangePST\" $fileCreationTime$displayName.PST
      $txtFolderPath = Join-Path "\\xxxxx\exchangePST\" $fileCreationTime$displayName.txt
      try {
          $everythingIsOk = $true
          Add-MailboxPermission -Identity $exUserCorpMatch[$c] -User $adminUser -AccessRights FullAccess -ErrorAction Stop -Verbose
      } catch {
          $everythingIsOk = $false
          Write-Warning "Permission add problem, logging error to $errorLogPath!"
          Write-Warning $error[0]
          $error[0] | Out-File $errorLogPath -Append
      if ($everythingIsOk){
          try{
          Export-Mailbox -Identity $exUserCorpMatch[$c] -PSTFolderPath $pstFolderPath -ErrorAction Stop -Verbose
          }catch{
          $everythingIsOk = $false
          Write-Warning "Export problem!"
          Write-Warning $error[0]
          $error[0] | Out-File $errorLogPath -Append
      if ($everythingIsOk){
          try {
          Get-Mailbox -Identity $exUserCorpMatch[$c] | FL | Out-File $txtFolderPath -ErrorAction Stop -Verbose
          } catch {
          $everythingIsOk = $false
          Write-Warning "Problem writing to txt"
          Write-Warning $error[0]
          $error[0] | Out-File $errorLogPath -Append
      if ($everythingIsOk){
          try{
          Write-Verbose "!!!!!!!!!!!!!!!!!!"
          <#Remove-Mailbox -Identity $exUserCorpMatch[$c] -Permanent $true -ErrorAction Stop -Verbose#>
          } catch {
           Write-Warning $error[0]
           $error[0] | Out-File $errorLogPath -Append

  Half of you code appears to be doing nothing.
  This does nothing:
  if ($everythingIsOk){
          try{
          Write-Verbose "!!!!!!!!!!!!!!!!!!"
          <#Remove-Mailbox -Identity $exUserCorpMatch[$c] -Permanent $true -ErrorAction Stop -Verbose#>
          } catch {
           Write-Warning $error[0]
           $error[0] | Out-File $errorLogPath -Append
  The way we do a limiting Try/Catch is to just use a single "try/catch".
  $fileCreationTime = Get-Date -UFormat "%Y%m%d%H%M%S"
  for ($c = 0 ; $c -lt $exUserCorpMatch.count; $c++){
  $displayName = $exUserCorpMatch[$c].DisplayName
  $pstFolderPath = Join-Path "\\xxxxx\exchangePST\" $fileCreationTime$displayName.PST
  $txtFolderPath = Join-Path "\\xxxxx\exchangePST\" $fileCreationTime$displayName.txt
  try {
  Add-MailboxPermission -Identity $exUserCorpMatch[$c] -User $adminUser -AccessRights FullAccess -ErrorAction Stop -Verbose
  Get-Mailbox -Identity $exUserCorpMatch[$c] | FL | Out-File $txtFolderPath -ErrorAction Stop -Verbose
  <#Remove-Mailbox -Identity $exUserCorpMatch[$c] -Permanent $true -ErrorAction Stop -Verbose#>
  }catch
  Write-Warning $error[0]
  $error[0] | Out-File $errorLogPath -Append
  The following does the same thing your code did.  It executes but aborts further execution on an exception.
  ¯\_(ツ)_/¯

• Cisco NSS4000 NTFS Permissions Issue

  Hi guys,
  I have a Cisco NSS4000 4-Bay Gigabit Network Storage System with a RAID5 array and a 2.75TB volume. I have also created a CIFS share, configured the NAS on the domain and given all users full access to the share. My issue is that the subfolders under inside the volume don’t inherit the NTFS permissions from the parent folders. No matter how many times I check the “Allow inheritable permissions from the parent…” option, it always seems to get unchecked. As a result of that, any new files the users create will only be editable by the person who created it, until I manually change the permissions. I don’t see any errors reported on my DC or the NAS logs.
  Any help or guidance would be highly appreciated.

  Nathan Guinle wrote:
  What extra software do I need to install?
  you don't need any extra software to be able to read NTFS drives, you only need it to be able to write to them but that's not what you are trying to do.
  You asked, "where exactly are you trying to move the files?"
  I am trying to move them anywhere on my mac.
  I created an empty folder in my documents to be exact.
  I have tried moving files/folders one at a time but I keep getting that permissions error thing.
  This is just crazy..... I can't believe I can't move my files from my windows to my mac....!!
  How do other people (switchers) do this?
  other people don't have this problem.
  what you see is not normal. NTFS drives are readable by OS X and you should normally be able to copy anything you want from that drive. something is wrong with your drive but since it's NTFS there is not much you can do from OS X. try hooking up the drive to windows and repairing it from windows with [chkdisk|http://support.microsoft.com/kb/315265].

• [SCOM Forest] -- Certificate -- [Gateway Servers Forest] -- Trust Relationship -- [Multiple Forests]

  Hello, and sorry for this strange title, i couldn't find a simple way to write my question.
  - I want to use agent monitoring from my SCOM 2012 SP1 management servers
  to servers in multiple forests.
  - I don't want to set two-way trust between my scom forest and the monitored forests.
  - I would prefer not to install 2 gateway servers in each forest.
  So would it be possible to create a intermediate forest for my gateway servers, use certificate authentication between management and gateway servers, and use two way trust between this intermediate forest and forests to monitor.
  [SCOM Forest]<-- Certificate --> [Gateway Servers Forest] <-- Trust Relationship --> [Multiple Forests]
  Do you think this would work ?

  Hello,
  worked
  your
  approach?
  I'm
  in
  a
  similar
  situation,
  can you
  share
  the
  results?

• Changing ntfs permissions

  This is a basic question.
  I have a windows 2012 server standard with a windows 8 client.On the server is a share AfdelingProductie. This share is on the client mapped to the drive S: for the user Flo_Fli. The user creates a document test.txt in the drive.I file explorer on the client
  I open properties of the document. Then i choose tab security, button advanced. There I want to change the ntfs permissions by disabling inheritance, removing group and adding a group with adapting the permissions. When I click apply: I get the message:access
  denied. Is it normal that I cannot change the ntfs permissions as owner with full control on the client?

  Hi,
  Please give the everyone group full control for share permission and then to change the NTFS permission.
  Regards.
  Vivian Wang

• Can't apply NTFS permissions - Access denied

  When I am trying to change NTFS permissions on shared folder I get the error:
  An error occurred while applying security information to:
  \\fileserver2\etc
  Failed to enumerate objects in the container. Access is denied.
  fileserver2 is Server 2012R2.
  Folder "etc" is shared with full control permissions to
  everyone.
  My user has "Full control" NTFS permissions on that folder.
  P.S. If I login to fileserver2 via Remote desktop, I am able to change permissions for that folder, but not when doing same action via share.

  Hi Aurimas,
  Based on my test , if you want to "everyone" to change NTFS permission of root file share  you need to change "everyone" to be the owner of the share folder .
  Best Regards
  Elton Ji
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.
  Hello,
  I do not want "everyone" to be able to change NTFS permissions, I want those with "Full Control" to be able to change NTFS permissions as currently they can't.

• Move domain to another forest (forest trust)

  Hello
  I have a forest with many domains , and other forest with a domain. They include a trust set up and working . I would like to have only one forest, but it would need to move that single domain in additional forest, and would like to know if it is possible then
  moving a domain from one forest to another forest in forest trust ?
  Thanks also suggestions stop solve my problem

  You're asking to move the domain itself? No, you can't move the domain. You can create a new domain in the forest you want to consolidate to, and then migrate users and groups to that forest. You'll have to migrate workstations and users and repoint
  applications as well, if needed. And then, you're not really moving them, you are creating new ones and copying properties of those objects. You mentioned a forest trust but all the forest trust allows you to do is to assign/use permissions from one forest
  in another. People speak of moving objects but like I said, for users and groups you're simply creating new ones with the same names, and copying properties over. Computers/servers are joined to the new domain, but it's a new computer account, not one that
  gets moved over.
  You'll need a migration tool to do this smoothly. As Malek mentioned ADMT, yes this is one tool that can do this. It's not necessarily the best or easiest tool, but it's free from Microsoft. There are also other third party tools such as Dell/Quest
  Migration Manager for AD and BinaryTree also has similar tool (there are others out there too). Those two latter tools have the ability to add permissions (ACL entries) to new domain objects, based on the old ACLs from the source domain. This can be a huge
  help for servers and workstations (allows the users to continue to use their same profile after their computer is migrated, and they are using their new user account. Otherwise Windows would just create a new profile when the user logged in with his/her new
  domain account.
  Depending on the size of the domain you want to move (how many objects), this could be a pretty big project. There's a lot going on in a migration, and based on your question, I'd recommend finding help with it if you can. There are a number of companies
  and consultants who specialize in AD migrations, even some consultation for planning could help tremendously.

• Making NTFS permissions read/write without ability to create/delete folders

  Out at one of our job sites we have a server running Windows Server 2012 R2 that's got a file share accessible to our onsite people. Our project managers have devised a very strict folder structure for this file share, and for auditing purposes they want
  to stick as close to this structure as possible.
  Therefore, although people onsite must have read/write access to create, modify and delete files, they do not want them to be able to create or delete folders. They want them to use the existing folders and not tuck stuff away into folders that no one knows
  exists except the person who created them.
  The closest way I've found to do this is to deselect the advanced permissions 'Create folders / append data' and 'Delete subfolders and files.' This has a few side effects however, the most noticeable being that due to not being able to append data to files,
  certain files (such as CAD drawings) can't be edited by anyone except the person who created them.
  Is there a way using just NTFS permissions to accomplish what the project managers want? And if not, are there any useful third-party utilities that will help us do this?
  Thanks in advance for any assistance.

  Hi,
  I'm not much familiar with AutoCAD- what's the exact behavior which is stopped by the restricted folder permission?
  For example, if AutoCAD will create a folder in editing, we will not have a solution as users needed to create folders so that AutoCAD could run properly. 
  And if AutoCAD works like Office files, that create a temp file for editing, this will be the solution:
  1. Give Domain Admins - Full Control - This folder, subfolders and files.
  This is to allow all admin could access and edit all data.
  2. Give SpecificUsers group (a group contain all normal users) - Full Control without "Change permissions" and "Take Ownership" -
  Files Only.
  This is to give that group most permissions to create, edit and delete files but not Folders.
  3. Give SpecificUsers group another permission:
  Traverse folder
  List FOlder
  Read Attributes
  Read extended attributes
  Create files - this is important. Without this permission you will not able to save Office files. 
  Read permissions.
  Give above permissions to "This Folder, subfolders and files".
  This is to allow users to access all subfolders. 
  If you have any feedback on our support, please send to [email protected]

• ISE 1.2 Authentication fails for 2nd AD domain with the forest trust relation

  We are running cisco ISE 1.2, we have new AD domain with forest trust relation between both the new and the old. authentication to with the new domain fails.
  Is there any requirements or configurations change needs to be done to make it success?

  Use the license that is currently on your ISE.  If your account has access to download the software, then you are good.  The license will not change during the upgrade.  If you are using ISE 1.2 Patch 8 or above, then you are using the same Base/Plus?Apex Licensing model. 
  If you are not yet on Patch 8, the you are using Base/Advanced and these will be converted during the upgrade.
  Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
  Charles Moreton