Copy file permissions in batch script with robocopy

Hey Experts.  I have copied over all the data from the old file server to the new file server.  However, some of the permissions on the old file server didn't transfer over.  I checked and the permissions are fine on the old file server and the data is there but the permissions didn't assign properly.

How do I copy the permissions (NTFS) over but not the data again?  I found a couple of switches to use with robocopy in the batch file but before I monkey it up this close to the go live date (Thu), I figured I would ask the brightest minds!

Thank you for your help and time!
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

NVITEnd-user supportCommented:
Did you try the /E /Copy:S /IS /IT switches?

ROBOCOPY /Mir <Source> <Target>

ROBOCOPY /E /Copy:S /IS /IT <Source> <Target>

The first Robocopy command above will copy data and security for files that have been updated, and the second Robocopy command will refresh file security for all files, without copying any file data.
F PCommented:
I personally like to use DFS, distributed file shares, and Active Directory, to do the job for me. Little easier to setup.
F PCommented:
... BTW, DFS will do synchronization, and you can point the users to a \\domain.tld\share share instead of a single server so there is no need to make any changes or worry about things after it syncs.
The 7 Worst Nightmares of a Sysadmin

Fear not! To defend your business’ IT systems we’re going to shine a light on the seven most sinister terrors that haunt sysadmins. That way you can be sure there’s nothing in your stack waiting to go bump in the night.

You can not just reset permissions using robocopy without copying the files..
samiam41Author Commented:
@Arnold, ok, then how would you do it if you copied files?  

@frank pennock, I appreciate the information on that and will look into it as soon as I stamp out this fire.

@nvit, I've tried both and the log files show "skipped" on the files.  Thoughts?
The option without copying the file, is to use
icacls topof_directory /T /save d:\aclfile_top_of_directory

Then you do on the destination with the aclfile_top_of_directory transferred/copied
icacls topof_directory /restore aclfile_top_of_directory

Note this will only apply to the files copied, if new files were added in the interim on the new location, the will not be in the reference and will not be changed.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Need clarification, are you certain the issue relates to security settings (NTFS file level) or it is the issue with security settings on the share that denies users write rights.
Usually, the default share permissions are read-only such that while one can access shares and see files, they will be denied write rights into the share unless the share permissions reflect groups/accounts with write rights.
samiam41Author Commented:
Usually, the default share permissions are read-only such that while one can access shares and see files, they will be denied write rights into the share unless the share permissions reflect groups/accounts with write rights.

When I look at the NTFS/permissions on each user directory on the new FS, the settings don't match the NTFS/permissions on each user directory on the old FS.  I am manually changing them as tomorrow is the go live date.  While there are a couple hundred, I'm not opposed to having an answer before I complete this so please post back any ideas.
See earlier comment using icacls.
Icacls only deals with the ntfrs security settings.
samiam41Author Commented:
Just ran this on the old server:

icacls \\oldfs\users /T /C /save c:\tools\logs\aclfile_top_of_directory

which dumped a lot of info into the "aclfile_top_of_directory" file.  

Now to get those permissions on the directory on the new server, is this what I would run (making sure I put that file "aclfile_top_of_directory" in the c:\tools\logs directory on the new server)

icacls \\w2k12fs01\users /T /C /restore c:\tools\logs\aclfile_top_of_directory
I do not think you need to use the /T /C on the restore side.

Test first on a smaller set of files.
/T will repetitively reassert security settings which if run on restore could take a long time .....
samiam41Author Commented:
Lesson 1 learned, when restoring the permissions to the new server, exclude the last directory (instead of icacls \\newfs01\users, use \\newfs01\)

Trying to figure out why the individual user accounts listed on the ntfs permission side wasn't a) captured in the save file and/or b) restored to the new file server.  Working on learning lesson 2.
Nets permissions should be captured directly on the system not via share.
samiam41Author Commented:
Lesson 2 learned, make sure you give the script enough time when dealing with 290 items.  The script just finished and it looks EXACTLY like I needed it to!

Great work, arnold!
samiam41Author Commented:
This worked just as the expert explained!

Thanks for your help and time.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft DOS

From novice to tech pro — start learning today.