Solved

Robocopy Stopped Working "Access Denied"

Posted on 2013-11-05
Last Modified: 2013-11-12
Something changed this last week that is preventing my Robocopy from working now.  It has been doing fine for the last year.

I have a script that:

1.  Maps two network drive locations using a service account
2.  Executes the Robocopy command to put a copy of xml files I have in a folder on my 2008 file share server into one mapped network drive
3.  Executes the Robocopy command to next move those xml files to the 2nd mapped network drive
4.  Disconnect the mapped network drives.

Since last week, step number 2 fails with an access denied error (ERROR 5 (0x00000005)).

The rest of the script works fine.  Both network drives map, the file moves to the 2nd mapped drive with no problems.

What is strange is that the permissions had not, to my knowledge, changed on the mapped drive that failed.  And, since it's mapped, I can manually copy the files there with no problems with that same service account.

It appears to just be the RoboCopy command that stopped working.

I've read through lots of "Access Denied" solutions to include the "/Copy:DT" and that does not solve my issue.

Does anybody with experience on RoboCopy have some thoughts on how to fix this?  I'd hate to give up robocopy and use xcopy as a solution.

Here is an edited version of my script:

NET USE P: \\1stServer\ABCFolder "FakePassword" /user:MyDomain\svcMyServiceAccount /persistent:no
NET USE Q: \\2ndServer\2ndABCFolder "FakePassword" /user:MyDomain\svcMyServiceAccount /persistent:no
robocopy.exe \\MyLocalServer\MyFolder P:
robocopy.exe \\MyLocalServer\MyFolder Q: /MOV
NET USE P: /delete
NET USE Q: /delete


Thanks,

Joe
Question by:jtflex
20 Comments
 
LVL 67

Expert Comment

by:sirbounty
Can you turn on logging?  drop a /log:Robocopy.log at the end of your robocopy parameters.  That should give more detail...
0
 
LVL 67

Expert Comment

by:sirbounty
w2K8 - I'd also check UAC...could have been off before, but now on?
0
 

Author Comment

by:jtflex
Hi sirbounty,

I responded to your previous reply but I don't see it posted.  Here is what I replied before:

"I must have the syntax wrong"

I tried to turn on logging by:

robocopy.exe \\MyLocalServer\MyFolder P: /log:RoboCopy.log

and

robocopy.exe \\MyLocalServer\MyFolder P: /log:\\MyLocalServer\MyFolder\RoboCopy.log

Both just have the script stop right there.

Is my syntax right to capture logging?

Joe
0
 
LVL 67

Expert Comment

by:sirbounty
Sorry Joe - you will also need to supply a path.  I wasn't sure where you wanted the log dropped, but like most paths with spaces, you would need to enclose it in quotes if it had any...as an example:

robocopy <source> <target> /log:"c:\my folder\robocopy.log"

Although, looking at this again, I don't think you can use 'just' the drive letter for the target (P: in your example).  You need to supply the 'path' as well...i.e. P:\

Perhaps that's the only issue here?
0
 

Author Comment

by:jtflex
Here are the results of the log file.  Keep in mind, even though it says access denied, I can move this new file into that P: location manually with the same service account.
Robocopy.log
0
 
LVL 67

Expert Comment

by:sirbounty
The log doesn't provide any additional information.
Can you try adjusting the parameters, adding the trailing backslash?

Additionally, let's see an output of
cacls P:\
vs
cacls "P:\Old Data do not use\"
0
 

Author Comment

by:jtflex
Hi sirbounty,

I'm sorry but I'm not sure what you mean by "adding the trailing backslash".  Can you show me the syntax?

I have attached the two cacls files requested.

Thanks,

Joe
Pcacls.txt
ODDNUcacls.txt
0
 
LVL 67

Expert Comment

by:sirbounty
Use this version as a test...

NET USE P: \\1stServer\ABCFolder "FakePassword" /user:MyDomain\svcMyServiceAccount /persistent:no
NET USE Q: \\2ndServer\2ndABCFolder "FakePassword" /user:MyDomain\svcMyServiceAccount /persistent:no
robocopy.exe \\MyLocalServer\MyFolder P:\ 
robocopy.exe \\MyLocalServer\MyFolder Q:\ /MOV
NET USE P: /delete
NET USE Q: /delete


0
 

Author Comment

by:jtflex
I'm getting the same error.

See attached.

Thanks,

Joe
Results.txt
0
 
LVL 67

Expert Comment

by:sirbounty
Ok, what is this file?
 *EXTRA File                100        NULL.X

NULL is a reserved word - not sure if that might be causing the hangup?
Try removing/renaming that file and try again...
0
 

Author Comment

by:jtflex
My files are transferred over to the other vendor's server for processing (the P: drive) and that is a file that they use.  I don't have permissions to that file.

Also that file has been there for a year being used by the vendor and has not changed. Also it is required, so even if I could have renamed it or removed it, I don't think it would have been the issue.

The other vendor is looking at the security on this location but they say everything is set up correctly and nothing has changed.

Joe
0
 
LVL 67

Expert Comment

by:sirbounty
Yes, the cacls seems to confirm that.
Hmm - difficult to troubleshoot this one.  But I'm re-reading from the beginning.
Last week the time changed - not saying that's an issue, but when I read that first part, that was the first thing to come to mind...

I know you said you can do it manually - did you mean via robocopy, or using explorer based copy?

The /copy:dt parameter, I would disagree with - unless otherwise specified, robocopy defaults to using /copy:dat, which would already include the (d)ata and (t)imestamps.  Excluding the (a)ttributes shouldn't necessarily matter....at least I've never come across that, and I've been using it for years.

Next, I'd like you to confirm the version of robocopy.  Presumably that's the native version with windows 2008, but it can't hurt to double check.

Also, I don't see any response to my question about uac.  Depending on what version of 2007 you're running, there's a possibility that it was turned off.  Can you see where that sits as of now?

Lastly, I wonder if you can try this with a slightly different approach...open an elevated cmd prompt (start - type 'cmd', hold <ctrl>+<shift> and tap <enter>.  You should be prompted to confirm, if uac is enabled).  

Now, making sure you're using the service account (from the cmd, you can launch another cmd by typing runas /user:<serviceID> cmd & exit - which will prompt you for a password, and then close the originating shell window).

Next, instead of mapping a drive letter, try just mapping to the resource paths:

net use \\1stServer\ipc$ /user:mydomain\svcMyServiceAccount "FakePassword"
net use \\2ndServer\ipc$ /user:mydomain\svcMyServiceAccount "FakePassword"
robocopy \\MyLocalServer\MyFolder \\1stServer\ABCFolder /l /log:c:\1stCopy.log
robocopy \\MyLocalServer\MyFolder \\2ndServer\2ndABCFolder /l /mov /log:c:\2ndCopy.log



Slight adjustments here are, we're simply using unc paths to copy from/to...we're also using the /L parameter which should only log the files that 'would' be copied - it won't actually copy anything, but should still report if there were any issues.  
If it goes through okay, take out the /L from both of the robocopy statements above, and try again.  Let me know how you make out.
0
 

Author Comment

by:jtflex
Hi sirbounty,  Here's what I got:

robocopy version is 5.1.10.1027 and I believe it is the 2008 native copy

I don't believe uac is involved.  I'm not using Windows7 to talk to the server.  I'm on a XP box using remote desktop to our 2008 server (which is the one I list as "MyLocalServer")

On that server I signed in as the local administrator.  I also did the elevated cmd prompt  from it and I was not prompted to confirm.

I did launch a 2nd cmd prompt using your instructions with the service account and was able to connect to that share without mapping to a drive letter.

I then ran the robocopy command with the "/l" and the log file "1stCopy" was created just like you said with no errors and of course no file copied.

I then ran the command again without the "/l" but unfortunately that access denied error appeared again and I had to cancel the command.

Yes, when I said I can manually move the file, I am speaking of just a simple drag and drop from the two explorer windows open.

Also, I want to thank you for the time you are putting into this issue.

Joe
1stCopy.log
1stCopy2ndRun.log
0
 

Author Comment

by:jtflex
Also here is the response from the vendor of that share when I asked about security and not seeing the service account show up in the cacls command.  I'm not sure if it helps or not:

"I verified that the account is not disabled or has an expired password.  The security is on the share and not directly on the file system which is why it didn’t return as a result in your earlier query.  I’m still a bit puzzled as to how you can manually copy the files over using that account, but not with the script.  I’ll take a look at it and get back to you."
0
 
LVL 67

Expert Comment

by:sirbounty
I don't believe uac is involved.  I'm not using Windows7 to talk to the server.  I'm on a XP box using remote desktop to our 2008 server (which is the one I list as "MyLocalServer")
The XP OS is irrelevant.  If you RDP into the 2008 server, then that's the OS to be focused on.
UAC 'could' still be at play, but I'm not leaning that way.  However, one other method to ensure it's an elevated prompt - look in the title bar.  On Windows 2008, you will simply see the path to the executable, cmd.exe (windows\system32 most likely).  If it's in an elevated shell, it should read "Administrator: Command prompt" (i.e. http://computerrepairsacramentoca.net/wp-content/uploads/2012/09/elevated-command-prompt-computer-repair-sacramento.jpg)

Another item of note - setting security on shares (and this is merely my opinion, of course), makes security more complicated than it needs to be.  In my experience, I've always set shares to full control for everyone.  Then you simply limit to the correct areas with the filesystem security.  I understand some people don't work it this way, and even Microsoft in their exam preps prefer a mix of both.  

Coming down from my soap box...it dawns on me that space might also be an issue.  Does the target share on what amounts to the P drive have any quota policy enforced, or could the volume where the share resides be full?  I know it's not an 'access denied' scenario, but I've seen some quirky results in robocopy logs...it generally will show not enough space on the disk, but that's another thing to look at.

Failing that, following the same method above, and I don't see a need to continue testing 2nd server at this point, I'd like you to re-run it once more using this syntax:

net use \\1stServer\ipc$ /user:mydomain\svcMyServiceAccount "FakePassword"
robocopy \\MyLocalServer\MyFolder \\1stServer\ABCFolder /xf 1stCopy.txt /r:0 /log:c:\1stCopy.log



The only adjustments made are (1) skip that 1stCopy.txt file in the copy.  Another thought I had was that perhaps that file is open somehow on the target (if we find that's the case, using a /b parameter may solve it) and (2) /r:0 states to skip any retrying.  This will ultimately try 'every' file at least once.  I'd like to see that log output - if it's failing on every subsequent file, or just that one.
0
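A wrapper for the test run suggested in the comment above, as an added example that is not part of the original thread: it gives each file a single attempt so the job cannot sit in robocopy's default retry loop, and it decodes the exit code so a calling script can tell failed copies from the harmless "*EXTRA File" case. Server and share names are the thread's placeholders; the log folder C:\Logs is an assumption and must already exist.

```batch
@echo off
setlocal
rem Added example, not code from the thread.
rem SRC/DST use the thread's placeholder names; C:\Logs is an assumed local folder.
set "SRC=\\MyLocalServer\MyFolder"
set "DST=\\1stServer\ABCFolder"
set "LOG=C:\Logs\1stCopy.log"

rem /R:0 /W:0  one attempt per file, no waiting
rem            (robocopy's defaults are 1,000,000 retries, 30 seconds apart)
rem /NP        keep percentage progress out of the log
rem /TEE       write to the console as well as to the log file
robocopy "%SRC%" "%DST%" /R:0 /W:0 /NP /TEE /LOG:"%LOG%"
set "RC=%ERRORLEVEL%"

rem Robocopy's exit code is a bit mask:
rem   1 = files copied          2 = extra files on the target
rem   4 = mismatched files      8 = some copies failed
rem  16 = fatal error, nothing was copied
set /a "EXTRA=RC & 2, FAILED=RC & 8, FATAL=RC & 16"

if %FATAL% NEQ 0 echo FATAL: robocopy could not run the job. See "%LOG%".
if %FAILED% NEQ 0 (
    echo FAILED: at least one file was not copied. Error lines from the log:
    findstr /C:"ERROR " "%LOG%"
)
if %EXTRA% NEQ 0 echo NOTE: the target holds files that are not in the source.

rem Values below 8 are success; hand a non-zero code to the caller only on failure.
if %RC% GEQ 8 exit /b %RC%
exit /b 0
```

The error lines printed by findstr show whether every new file is refused or only one, which is the distinction the /r:0 test run is meant to expose.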
 

Author Comment

by:jtflex
I ran the script in the elevated cmd window (showing Administrator) and it still got access denied.

I also reworked the script you asked for and it's attached to this comment.

There are way too many old files in this share and I'm sending an email to the vendor to please delete the old ones as I don't have permission.

Once they do that, I'll run the script again and see if it starts working.  I'll update you when that is done.

Thanks
joe
Testingit.log
0
 
LVL 67

Accepted Solution

by:
sirbounty earned 500 total points
Another quick thought...
Sometimes a file can exist with the name of a pending folder (or vice-versa) that can cause sudden issues like this one.

For example, if \\server2\abcfolder has a file called DOCUMENTS.OLD and robocopy tries to create a folder by the same name, it will fail...  Might also give that a look, particularly in the area where the log indicates the file that's failing to copy.
0
 

Author Comment

by:jtflex
Hi Sir Bounty,

Sorry, I was off for the long holiday starting on Friday.

I did look at each file name and they are all different.  In fact, I ran the script with a copy of one of the files in the share already instead of a new one and the script ran fine (just skipped the file).  It appears to only affect new files being written to the share.

Also, I could not get the vendor to respond and delete the old files there and I have been told to test xCopy and if that works then use that as the solution instead.

I did test xCopy and it does work so I have to drop trying to get robocopy as the solution (even though it's a better command and it used to work!).

Thanks for the time and effort you put in to this in helping me.  I really appreciate it.  It's too bad I couldn't get it working again.

Joe
0
 

Author Closing Comment

by:jtflex
Excellent effort by Sir Bounty in trying to help me with this issue.
0
 
LVL 67

Expert Comment

by:sirbounty
Glad to have helped - thanks for the grade :^)
0
