19

Over the weekend I copied our company data from one hard drive to another larger one. I thought permission would have copied across but they haven't.

What is the best (and quickest) way to copy the permission that were originally set onto my new data, without having to copy all the data again? My users are now accessing the data so don't want to recopy the data as changes may be lost.

The data is hosted on windows server 2008 R2

Simon Foster
  • 2,572
  • 6
  • 36
  • 54

6 Answers6

19

I think this will do the work:

robocopy source destination /E /COPY:SOU /xo /xn /xc /xx /LOG+:F:\Sec.log.

"SOU" copies: S=Security info (NTFS ACLs), O=Ownership info, U=aUditing info

If this does not work you can use this command to back up NTFS permissions:

icacls d:\data /save ntfspermissions.txt /t /c

The /T switch allows it to get subfolder permissions too. The /C switch allows it to continue even if errors are encountered (although errors will still be displayed).

And then use this command to restore the permissions:

icacls d:\ /restore ntfsperms.txt

Note that in the command to save the permissions, I specified the target folder D:\Data, but when I restored them, I specified just D:\ as the target. You might think specifying D:\ as the target in the restore command may somehow mess up the permissions on other folders at that level, but as you can see from the ntfspermissions.txt output file, it only has information about the Data folder and subfolders, so that is all it will change.

I say Reinstate Monica
  • 3,100
  • 7
  • 23
  • 51
Kalatzis Stefanos
  • 548
  • 1
  • 3
  • 9
  • 2
    I think that icacls is the answer here. +1 – MDMarra Jul 02 '12 at 13:00
  • 1
    agreed. since he can't recopy data as the data is already in use and likely changed, icacls to export/import the permissions seems to be the best way to go. – Rex Jul 02 '12 at 14:22
  • 1
    Thanks for all your help, I am exporting icacls as I type and will try importing later. Next time I am going to remember to always check my permissions – Simon Foster Jul 02 '12 at 14:57
7

Using PowerShell:

Get-Acl 'source path' | Set-Acl 'destination path'
torvin
  • 255
  • 4
  • 12
  • 1
    I was looking for moreless the same. It seems to me this is a real answer. Other ones tell what to do before the copy, not after as asked – alvaroc Aug 26 '19 at 13:11
  • 2
    TBF: When the original was written in 2012, the answer using icacls was probably the best answer. Now that PowerShell has real power, this seems like the best/simplest way. It worked for me at least. Probably just saved me two hours of repetitive work setting permissions on new shared directories. – Capricorn1 Jul 19 '21 at 20:54
0

You can try using Robocopy. AFAIK it still works on newer Windows versions.

pritaeas
  • 119
  • 5
  • Do you know the syntax I need? I tried robocopy source destination /secfix /xo /xn /xc from the page above and it throws an error about not knowing which permissions to copy – Simon Foster Jul 02 '12 at 11:20
  • 1
    That's because robocopy will only work if the contents of the share is unchanged. It sounds like your users have probably changed it, right? I don't think that robocopy is the tool to use now (you should have used it in the beginning though) – MDMarra Jul 02 '12 at 11:48
  • That guide is for a very early version of robocopy. What version are you using now? You *may* be able to get away with a /copy:s now to only change the NTFS ACLs, but I'm not sure... I'll kick off a little test now. – HopelessN00b Jul 02 '12 at 11:57
0

Like Priaeas said, robocopy.

Handy reference guide for switches to use.

/copyall or /copy:DATSOU will copy "everything" (data, attributes, timestamps, NTFS ACLs, owner and auditing info).

/COPY:copyflag[s] : What to COPY (default is /COPY:DAT) (copyflags : D=Data, A=Attributes, T=Timestamps S=Security=NTFS ACLs, O=Owner info, U=aUditing info).

HopelessN00b
  • 53,385
  • 32
  • 133
  • 208
  • 1
    He specifically says that he doesn't want to copy the data. Also, robocopy will only copy security if the files haven't been modified. Since the share is in production now, I'd say it's a safe bet that it's changed. – MDMarra Jul 02 '12 at 11:46
0
xcopy e:\*.* z: /T /E /I /H /K /X /Y

e: was the root of a physical drive with several shares and all kinds of inheritance blocks dotted about. z: was the "new" drive, in this case a mapped drive.

It just worked, not for the shares, just the permissions.

I say Reinstate Monica
  • 3,100
  • 7
  • 23
  • 51
John Lamb
  • 9
  • 1
-4

CopyMik Freeware Program mit Keys:

/CSF[ FileMask1[ FileMask2[ ....]]]] Copy file security attributes. Only files with the specified mask. (default mask *)

/CSD[ DirMask1[ DirMask2[ ....]]]] Copy folder security attributes. Only folders with the specified mask. (default mask *)

http://www.superbasis.de/copymik/index.htm

user2290929
  • 1