Robocopy ERROR 1307 (File ownership error)

I am copying from C:\Folder to \\backup\folder$

My Command:
ROBOCOPY C:\Folder \\backup\folder$ /E /MIR /copy:datso

Error:
Robocopy ERROR 1307 (0x0000051B) Copying NTFS Security to Destination Directory ...This security ID may not be assigned as the owner of this object


If I change the command to /copy:dats (without the o) it works OK, but I need the ownership!

C:\Folder has ownership of "domain\domain admins"
C:\Folder has a few user folders in it with ownerships of "domain\username"

Any ideas?
Pete Asked:
oBdA Commented:
There's a difference between taking ownership (granted by the "Take ownership of files or other objects" user right or the "Take Ownership" NTFS permission) and assigning ownership.
For the latter (which is what you're trying to do), the account you're using will need the "Restore files and directories" user right on the target server. I suspect this one is missing in your case.
How Permissions Work
https://technet.microsoft.com/en-us/library/cc783530(v=ws.10).aspx
McKnife Commented:
Yes, I just read the same googling it. Simply put: does your account have administrative rights on the target machine? Those should include that privilege.
Pete (Author) Commented:
Thanks for replies, there's a few parts to the setup, maybe you can advise who needs access to what.

- at startup on the client win10 machine a script creates a c:\folder. Admins FC permissions.
- at user login a subfolder called the user's name is created in this with permissions modify.
- a powershell script exists on netlogon that backs up c:\folder to a backup share
- a scheduled task is created on the client machine using GPO, that runs the backup script at startup. The scheduled task runs under the SYSTEM account. This could change I guess.

There are many client machines and many users on each machine (School).

So...what to do?
Pete (Author) Commented:
By the way as a test we have already set EVERYONE full control permissions on the destination backup share...
oBdA Commented:
As I said: NTFS Full Control does not include the right to assign ownership, only to take ownership.
A computer's local system account has the same network permissions as an authenticated user, so mostly nothing.
Create a domain user (no admin) to run the task under, assign this user permission on C:\folder and the backup folder, give it the "Logon as Batch job" user right on the clients (GPO), and give it the "Restore files and directories" user right on the backup server.
Alternatively, you could add the group "Domain Computers" to the "Restore files and directories" user right on the backup server, but that should give you the creeps.

But then again: why do you need the owner copied anyway?

Mahesh (Architect) Commented:
For the scheduled task, use an account with domain admin rights or an account having admin rights on the source and destination directories.

System account is good for local machine operations but not good for network operations as far as I can think
Pete (Author) Commented:
We need to back up ownership as the users will have quotas set on their local folders, this relies on ownership, so if we need to restore from backup we need to also restore this ownership.

One problem we've already gone through is the ONLY way we could get a scheduled task to appear on the local machine using group policy is to have it configured to run using the system account.

Thanks
oBdA Commented:
Different idea then: why don't you back it up without the owner, and set the owner to the user(s) when restoring?
SetACL.exe should make this rather easy:
SetACL.exe -on "C:\folder\<User>" -ot file -rec cont_obj -actn setowner -ownr "n:<Domain>\<User>"

Command Line-Version (SetACL.exe) – Syntax and Description
https://helgeklein.com/setacl/documentation/command-line-version-setacl-exe
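
The restore-time approach suggested above, sketched as an added example that is not part of the original thread: it uses the built-in icacls `/setowner` switch instead of SetACL.exe. The domain name and the `-ReportOnly` switch are placeholders, and it assumes each subfolder of C:\Folder is named after the user's logon name, as described earlier in the thread.

```powershell
# Added example (not from the thread): after restoring a /copy:dats backup,
# make each user the owner of their own folder again so quotas apply.
# Assumptions: $Domain is a placeholder; folder name == user logon name.
param(
    [string]$Root   = 'C:\Folder',
    [string]$Domain = 'DOMAIN',     # placeholder NetBIOS domain name
    [switch]$ReportOnly             # hypothetical switch: list actions, change nothing
)

# Assigning ownership to another account (as opposed to taking it) needs the
# "Restore files and directories" right, shown by whoami as SeRestorePrivilege.
$privs = whoami /priv
if (-not ($privs -match 'SeRestorePrivilege')) {
    Write-Warning 'SeRestorePrivilege is not in this token; expect the 1307 error from the thread.'
}

foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory) {
    $account = "$Domain\$($dir.Name)"

    # Resolve the name to a SID first, so a folder that does not match
    # an account is skipped instead of producing a failed owner change.
    try {
        $null = ([System.Security.Principal.NTAccount]$account).Translate(
                    [System.Security.Principal.SecurityIdentifier])
    } catch {
        Write-Warning "Skipping '$($dir.FullName)': cannot resolve $account"
        continue
    }

    if ($ReportOnly) {
        "Would set owner of $($dir.FullName) to $account"
        continue
    }

    # /T recurse, /C continue on errors, /L act on links themselves, /Q quiet
    icacls.exe $dir.FullName /setowner $account /T /C /L /Q
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "icacls reported errors under $($dir.FullName)"
    }
}
```

Run it from an elevated session on the machine being restored; with `-ReportOnly` it only prints what it would change.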
McKnife Commented:
You have been given options.

Still I don't understand why you let the script run as user. Why not simply take an account that is administrator on both source and target?
Pete (Author) Commented:
Thanks, we need to have this script run at startup. To prevent flooding the network with every machine starting and backing up at the same time there's a random delay in the script, up to 10 mins. Do you have an idea to run this other than in a scheduled task? A GPO startup script will prevent the machine being used until the script has completed....

A scheduled task from GPO only works if you configure it to use the system account, we can't just use an admin account.
oBdA Commented:
There's always the possibility to implement this as a service, using a service wrapper like nssm: https://nssm.cc/
McKnife Commented:
You had been told to assign that privilege to the group domain computers (wouldn't "give me the creeps") - a simple solution.
Mahesh (Architect) Commented:
Running a scheduled task and creating a scheduled task are different operations.

You can specify a domain account under whose security context the scheduled task runs; however, when you use GP Preferences, the task will be created on clients through the security context of the system account, as GP Preferences by default run through the system account.
Mahesh (Architect) Commented:
Could you explain how you resolved the issue?
Pete (Author) Commented:
I didn't resolve it, I ended up not backing up permissions or ownership, and not using a scheduled task to run the script. The project now runs the script at startup but hidden in the background and the restore script will sort out ownership etc when required....not the best.
McKnife Commented:
You could have used the solution - why don't you?
Pete (Author) Commented:
I couldn't get the startup script, even when created manually for testing, to run unless it was created to run with the SYSTEM account. Adding the Domain Computers group to the "Restore files and directories" user right on the backup server also made no difference to backing up security or ownership of the files.
McKnife Commented:
That made no difference? That would surprise me. Will try to reproduce on Monday.