remove unknown accounts with xcacls

[shan42]

is it possible to remove user accounts from old domains with xcacls?

our NT domain no longer exists but folders on our 2000 domain still retain permissions for NT users.

when i use xcalcs, the unknown accounts are showing as
<Account domain not found><OI><CI>F

So i'm trying to use the command:
xcacls folder /r Account domain not found

but am getting the error:
the trust relationship between the primary domain and the trusted domain failed

thanks for any advice offered.

 

[wolluf]

what happens if you try to do this 'manually' through the properties security tab?

do the folders have lots of permissions/do they all have same permission? (I was thinking xcacls replaces existing permissions by default - so perhaps you could run it to (re)set up existing permissions without the dead domain - but realise this could potentially be a very time consuming task!)

 

[bcastner]

I honestly do not think there is a way to do this. If there were Xcacls would not be the way

You removed the machine improperly from the old Domain. It is possible you can use subinacl to remove the underlying Security principle, but I have honestly never tried. A whie ago I suggested this, and it did help someone to remove the domain SID assignments on folders and subfolders.

From the Win2k resource tools:

http://www.dynawell.com/reskit/microsoft/win2000/subinacl.zip