This guide outlines the process of migrating File System Access Control Lists (ACLs), specifically NTFS permissions. This functionality can be enabled via the File System Document Sharing setting within the File System source connection setup.
Resolving Permissions to Email Addresses
File System Access Control Lists (ACLs) / NTFS permissions are typically stored as login names in the format domain\username. To migrate these permissions, CloudM Migrate must successfully map these login names to corresponding email addresses. If an ACL cannot be mapped to an email address by any means, then no ACL will be added for that entry in the destination account.
CloudM Migrate employs various methods to map file system permissions to email addresses:
- Active Directory Integration:
- If the workstation where CloudM Migrate is installed is logged into an Active Directory (AD) domain, and the user running the tool has the necessary permissions, CloudM Migrate will attempt to obtain a list of users from Active Directory and map the NTFS permissions to their associated email addresses.
- Requirement: This method requires users to explicitly have an
EmailAddressattribute set in Active Directory. - Recommendation: If the workstation is not connected to Active Directory, or if you prefer to use explicit mappings, the 'Resolve Email Addresses' option in the File System source migration settings should disabled.
- Explicit CSV File Mapping:
- If the migration workstation is not logged into Active Directory, or if the option to resolve Active Directory Email Addresses is disabled, then no automatic mapping to email addresses is performed by default. In these cases, explicit mappings must be provided via a CSV file (see details below).
- Application of Address Replacement Schemes:
- When ACLs are processed, CloudM Migrate utilizes configured address replacement schemes to map to potential email addresses:
- Explicit Mapping (CSV First): If an entry has been explicitly specified in the 'Address Replacements (File)' option within the Address Replacements settings, it will be mapped explicitly according to these provided mappings.
- Example: To map an NTFS permission of
domain\paultopaul@example.com, your CSV file should contain an entry formatted asdomain\paul,paul@example.com.
- Example: To map an NTFS permission of
- Resolved Email Address + Domain/User Mapping: If the resolved permission is already an email address (e.g., obtained from Active Directory) and it has not been explicitly mapped via a CSV file, then CloudM Migrate applies further replacement rules:
- The domain name will be replaced according to the 'Address Domain Replacements' options.
- The name part (local-part) of the email will be mapped according to entries on the user tab (e.g., Export Name to Import Name).
- Detailed Example:
- Original ACL:
domain\paul - Mapped via Active Directory to:
paul@domain.com - 'Address Domain Replacements' includes a mapping:
domain.comtoexample.com - On the user tab, a row exists with an export name of
pauland an import name ofpaul.jones - The final ACL email address migrated will be:
paul.jones@example.com
- Original ACL:
- Explicit Mapping (CSV First): If an entry has been explicitly specified in the 'Address Replacements (File)' option within the Address Replacements settings, it will be mapped explicitly according to these provided mappings.
- When ACLs are processed, CloudM Migrate utilizes configured address replacement schemes to map to potential email addresses:
Configuration options for permissions
While the default options are recommended for the majority of organizations, CloudM Migrate provides advanced settings to customize your migration experience. The following examples are some of the configuration options available when migrating from a file system including permissions available in the following sections:
File System - Source Connection Setup
- File System Document Sharing:
- Purpose: Specifies how to share files migrated from the file system.
- Note: When migrating to Microsoft OneDrive, email notifications are not sent to users about these shares.
- Active Directory Options:
- Resolve Email Addresses:
- Purpose: Attempts to resolve NTFS permissions to corresponding email addresses.
- Requirements: CloudM Migrate must be installed on a workstation connected to an Active Directory domain and logged in as a user with permissions to read users from the Directory.
- Recommendation: If migrating files only from a local workstation not connected to Active Directory, set this option to
false. - More Information: For detailed information about how ACLs are mapped, please refer to the specific section above regarding "Resolving Permissions to Email Addresses."
- Resolve Email Addresses:
- Excluded Account Permissions:
- Purpose: Specifies a list of login users whose file ACLs will be ignored during migration.
- Example: An ACL for 'NT AUTHORITY\SYSTEM' is typically present on all files. To ignore this ACL, specify this value in this option.
Google Workspace - Destination Settings
- It is recommended to use the default settings when migrating to users' Google Drive or Shared Drives, but addition options are available to be tested/used.
Troubleshooting Common Issues
- Network Drive Path Mapping: If your source path is from a network drive, you need to ensure that you map the network drive exactly as per our documentation: Configuring Mapped Drives
- CloudM Migrate Service User Permissions: The CloudM Migrate Service may need to be run using your logged-in Windows user account or a dedicated service account with appropriate permissions, as detailed in Running the CloudM Migrate Service Using a Dedicated Account
- UNC File Path Enumeration Issues: Occasionally, CloudM Migrate can have difficulty enumerating a UNC (Universal Naming Convention) file path. This often appears to be caused by an unstable network connection underpinning the UNC path. Creating a Mapped Drive within Windows to the UNC path can mitigate this issue in some circumstances.