How do I copy file shares between windows servers and retain ACLs including AD users and groups

Posted on 2010-09-21
Last Modified: 2012-05-10
I've tried Robocopy with the /E and /COPYALL switches and it just copied the data between servers with the files inheriting the ACL of the destination folder.

I've also tried RichCopy with the same results.

Do I really have to manually re-create all the permissions and groups?
Question by:tferro999
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
  • 2
  • +2

Expert Comment

ID: 33730890
Have you tried robocopy with the /SECFIX option?

This is assuming that the source and destination servers are located within the same AD forest?

Accepted Solution

sosinc3 earned 500 total points
ID: 33730914
What do you use as a backup tool? I find that when I have to do this, the best thing that works for me is either my CA Brightstore (Arcserve) backup software or my BackupExec software (we run both depending on the site). They have the ability to restore all the security information along with the file/folders. The shares are actually in the registry. Take a look at [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Network\Persistent Connections]
Listed under this key are all the shares Windows has stored for the current user, simply delete the entries you don't want to store or add new ones by adding a new string value, and name it by incrementing the alpha values already in the list. Set the data to equal the drive share you wish to add. You an export this key and import it to the new server assuming the folder structure and the drive letters stay the same.

Author Comment

ID: 33730958
The users guide says that /SECFIX is no longer supported and has been replaced by /COPY:S and /COPYALL should get the security settings, timestamps, ownership etc.  For some reason when I run that command, the copied files just inherited the permissions of the new share and wiped out all the old ACL info.

I'll try to restore the data from my backup tonight and see how that goes, i'm running MS DPM 2007.
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!


Expert Comment

ID: 33730970
Is it share or NTFS permissions your wanting to set here?

Author Comment

ID: 33731013

Expert Comment

ID: 33731040
Is the user account you're running robocopy under the owner of the destination folders (or at least have permissions to change folder and file permissions)?

Author Comment

ID: 33731048
So the backup solution worked, sorta.  I'm able to restore the files to the new share and retain the old ACLs.  However, it also includes the old and slightly different directory structure.  So I still have to copy/paste them to the correct folder which of course resets the permissions again.  I tried disabling "inlude inheritable permissions from the object's parent" on that folder and it STILL applies the new permissions.  What am I missing here?

Author Comment

ID: 33731057
Ya, the account I ran robocopy under had full control over the new destination.

Expert Comment

ID: 33731609
The backup suggestion I gave you works great if you are using the same folder structure. You did not indicate earlier that you were also changing your file structure so sorry if I did not give you correct report. You could use the XCOPY /O to copy files from one folder to another and copy the ACL and file ownerships.

Expert Comment

ID: 33733562
You can also take the ntbackup

Take backup of the folder and restore the same to the destination server.

It will retain the ACL as well as the folder structure.

Only Domain ACL remains, local ACL will be removed.

Expert Comment

ID: 33734007
hello, I do this all the time with robocopy worked fine for 2003, but 2008 and above there is a slight problem and i had to use additional command options, basically i use

robocopy sourceunc destination unc /e /sec /copyall /mir /log:c:\mylog.txt /r:1 /w:1


/e = all folder as well as empty
/sec = original security option
/copyall / mir = for 2008 transfers needed this to take security
/log = log file of transer
/r:1 /w:1 = max retries is 1 and wait is 1 second

Works everytime now, Hope this helps

Author Closing Comment

ID: 33782005
restored from a backup and it worked

Featured Post

Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question