Robocopy - Security Permissions Issue

Posted on 2008-11-19
Medium Priority
Last Modified: 2012-05-05
I used robocopy to transfer files from an old webserver to the new webserver.  I made sure to have all of the user accounts created on the new server before moving the data.  I used the /COPYALL /SEC /E switches with the command.  Some of the permissions have copied over, but for other folders, it's set them as Account Unknown, even though the user account has been created.  Is there another switch I should be using at the end?  Also, how do I remove all of the Account Unknown's now?

I need to go live by Friday, with tomorrow for final testing, so any help today would be much appreciated!

Question by:bridgetimiller
LVL 85

Expert Comment

ID: 22995720
robocopy worked just fine. The problem is that you did *NOT* recreate the user accounts. User accounts have a SID based on the machine they were created on, and different machines have different SIDs. It doesn't matter whether the accounts have the same name, the SIDs are different. The only permissions that you now see with resolved names are accounts with "Well-known SIDs", that is, accounts that have the same SID on all NT based machines (like Administrators or System).
You should be able to replace the permissions on the new server with the new accounts using subinacl; install the Resource Kit Tools (if you haven't done so yet) for the subinacl help, then install the subinacl download (the version that's included in the ResKit is buggy!).

Windows Server 2003 Resource Kit Tools

Download details: SubInACL (SubInACL.exe)

Author Comment

ID: 22995829
Thanks - I figured it was something like that.  So, what commands do I use to switch the SID?  I see the findsid command to find out what it is, but how do I change it?
LVL 85

Expert Comment

ID: 22996016
You will probably need the /subdirectories object type, the /changedomain action, and the /offlinesam option because you're working with local accounts.
You can retrieve the SIDs from the old machine using PsGetSid from http://technet.microsoft.com/en-us/sysinternals/bb897417.aspx to create the offline sam file.
subinacl /help /subdirectories
subinacl /help /changedomain
subinacl /help /offlinesam
for details, and/or use the ResKit help as well.
You might want to start with a test copy in a temporary folder; note robocopy's /create option, which will only create empty files and the folders, so it won't use any serious space, and it can be recopied quickly if something gets messed up.
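As an alternative to the subinacl route above, the following added example (not from the thread and not the expert's suggestion) does the same replacement with PowerShell's Get-Acl/Set-Acl: it walks the copied tree, finds explicit ACEs whose principal only renders as a raw SID (what Explorer shows as "Account Unknown", because robocopy /COPYALL carried the old server's SIDs across), and rewrites each one to the recreated account on the new server. The folder path, the server name and the SID-to-account map are constructed placeholders; the old SIDs are read straight off the copied ACLs and matched to names with PsGetSid on the old machine.

```powershell
# Added example: rewrite orphaned (unresolvable) ACEs on a robocopy'd tree.
# Assumptions: $Root is the copied folder on the new server; $SidMap maps
# old-server SIDs (as found in the copied ACLs) to accounts that already
# exist on the new server. Run with -DryRun first to review the changes.
param(
    [string]$Root = 'D:\wwwroot',   # placeholder path
    [switch]$DryRun
)

# Constructed mapping for illustration only; replace with real values.
$SidMap = @{
    'S-1-5-21-111111111-222222222-333333333-1005' = 'NEWSERVER\webuser'
    'S-1-5-21-111111111-222222222-333333333-1006' = 'NEWSERVER\webadmin'
}

$items = @(Get-Item -LiteralPath $Root) + (Get-ChildItem -LiteralPath $Root -Recurse -Force)
foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName
    $changed = $false
    foreach ($ace in @($acl.Access)) {
        # Inherited ACEs are corrected when their parent is rewritten.
        if ($ace.IsInherited) { continue }
        $sid = $ace.IdentityReference.Value
        # A resolvable principal renders as MACHINE\name; an orphan as S-1-...
        if ($sid -notmatch '^S-1-') { continue }
        if (-not $SidMap.ContainsKey($sid)) {
            Write-Warning "$($item.FullName): unmapped orphan SID $sid"
            continue
        }
        # Same rights, inheritance and allow/deny type, new principal.
        $ctorArgs = @($SidMap[$sid], $ace.FileSystemRights,
                      $ace.InheritanceFlags, $ace.PropagationFlags,
                      $ace.AccessControlType)
        $newAce = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ctorArgs
        $acl.RemoveAccessRuleSpecific($ace)
        $acl.AddAccessRule($newAce)
        $changed = $true
    }
    if ($changed) {
        if ($DryRun) { Write-Host "Would rewrite ACL on $($item.FullName)" }
        else { Set-Acl -LiteralPath $item.FullName -AclObject $acl }
    }
}
```

Unmapped SIDs are reported rather than silently dropped, so the warning list doubles as the inventory of accounts that still need to be created (or that can be removed deliberately) before going live.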

Author Comment

ID: 22996042
Quick Question - How come some of the permissions came over from the old server to the new server and some didn't?  Also, is there a way I could just manually recreate the Accounts to get them to match?  Or somewhere I can just edit the SID?  The above method is a little intimidating to me.

Author Comment

ID: 22996060
Eh, I think I'll just go into the folders and manually modify the permissions - remove the account unknowns and just add in the ones that should be there.
LVL 85

Accepted Solution

oBdA earned 2000 total points
ID: 22996182
As I said: "The only permissions that you now see with resolved names are accounts with 'Well-known SIDs', that is, accounts that have the same SID on all NT based machines" (see http://support.microsoft.com/kb/243330).
The only way to clone the SID would be with another Sysinternals tool, NewSID (http://technet.microsoft.com/en-us/sysinternals/bb897418.aspx); but I would only do that immediately after the initial OS install, not on a system that's already configured. But even then you wouldn't be able to recreate the same groups, because you'd have to create the exact same accounts in the exact same order as you did on the original machine.
Depending on how many groups and folders you have, and the complexity of the permissions, it could indeed be easier to just recreate the permissions manually.

Author Comment

ID: 22996312
Yep, started doing the manual thing. Should only take me an hour or so I hope :)  Thanks for your help
