
I copied two trees with robocopy, a source and a destination, with the intent of making their permissions exactly the same. I ran the following commands:

robocopy /MIR C:\Windows\System32\tasks\ C:\temp\robocopyTasks\out\

robocopy /E /Copy:S /IS /IT C:\Windows\System32\tasks\ C:\temp\robocopyTasks\out\

This article told me that the method above was the best way to do this on Windows Server 2003 with robocopy, in lieu of there being a /SECFIX switch in the robocopy version that Server 2003 has.

I am testing it out on Windows 7 and diffing the output to make sure that the source has exactly the same permissions as the destination. I plan to do the same thing on Windows Server 2003 when I verify that it works right.

To diff them I run:

icacls "C:\temp\robocopyTasks\out\*" /save "C:\temp\robocopyTasks\acl\tasks_temp.txt" /T

and

icacls "C:\Windows\System32\tasks\*" /save "C:\temp\robocopyTasks\acl\tasks_win.txt" /T

and then I diff them using:

gvim --cmd "set fileencodings^=ucs-2le" -d C:\temp\robocopyTasks\acl\tasks_temp.txt C:\temp\robocopyTasks\acl\tasks_win.txt

When I diff the two files I notice that the destination side is missing a SID and is also missing a hexadecimal code (0x1200a9 in the example below) that I have no idea what it does.

Example Diff:

Adobe Flash Player Updater
D:AI(A;;FX;;;SY)(A;;FR;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;SY)(A;ID;0x1200a9;;;BU)(A;ID;0x1301bf;;;AU)

Destination

Adobe Flash Player Updater
D:AI(A;;FX;;;SY)(A;;FR;;;SY)(A;ID;0x1f019f;;;BA)(A;ID;0x1f019f;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;S-1-5-21-4105597198-2712133867-546259262-4010)

Source

Someone in the other question suggested it's some kind of network hiccup even though I'm copying the files on the same drive on the same machine. This OS has been through multiple admins and installed on multiple machines, so I don't know if that has anything to do with it. Is there any way to fix this?

leeand00
  • What account does that SID represent? If a local group/account on the source machine, that's your problem. If a domain group/account, does the destination machine trust the domain the SID originates from? – Clayton Apr 17 '15 at 18:35

1 Answer


If it's an AD account, then by "network hiccup" I would mean that Windows is having trouble looking up the account, which sometimes happens when there's a connectivity issue. It might also be that your account doesn't have the privileges to look up a domain account (being a local account, perhaps?).

However, my Adobe Flash Player Updater on my workstation is running as SYSTEM.

How you would fix it would most likely be to script the cacls command or the PowerShell Set-ACL command to set the permissions you want on the files in question. Set-ACL allows you to copy the security from one object to another:

PS C:\> $DogACL = get-acl c:\dog.txt
PS C:\> set-acl -path C:\cat.txt -AclObject $DogACL

so that might be your best bet, although PowerShell is not installed by default on 2003. There's nothing to stop you from installing it, though.

Katherine Villyard
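An added example, not part of the original question or answer: the hexadecimal values in the saved icacls output are file access masks, so this Python code parses both SDDL strings from the question's diff, converts every rights field to its numeric mask, and reports the ACEs that exist on one side only. `FIRST` and `SECOND` are the question's two lines in the order they appear; the function names and the `icacls /save` file layout read by `load_icacls_save` are assumptions of this example.

```python
import re
from pathlib import Path

# The two SDDL strings from the question's example diff, copied verbatim.
FIRST = "D:AI(A;;FX;;;SY)(A;;FR;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;SY)(A;ID;0x1200a9;;;BU)(A;ID;0x1301bf;;;AU)"
SECOND = ("D:AI(A;;FX;;;SY)(A;;FR;;;SY)(A;ID;0x1f019f;;;BA)(A;ID;0x1f019f;;;SY)"
          "(A;ID;FA;;;BA)(A;ID;FA;;;S-1-5-21-4105597198-2712133867-546259262-4010)")

# SDDL two-letter file rights and their access masks (winnt.h values).
ALIASES = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0}
# Masks that icacls displays as a simple permission (F, M, RX, R, W).
NAMED = {0x1F01FF: "Full control", 0x1301BF: "Modify", 0x1200A9: "Read & execute",
         0x120089: "Read", 0x120116: "Write"}

def mask_of(rights):
    """Turn an ACE rights field (hex, or concatenated aliases) into an int mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= ALIASES[rights[i:i + 2]]  # KeyError for rights outside the file set
    return mask

def parse_dacl(sddl):
    """Return the D: part as a set of (type, flags, mask, trustee); order is ignored."""
    dacl = re.search(r"D:[^()]*((?:\([^)]*\))*)", sddl).group(1)
    aces = set()
    for body in re.findall(r"\(([^)]*)\)", dacl):
        ace_type, flags, rights, _obj, _inherit_obj, trustee = body.split(";")[:6]
        aces.add((ace_type, flags, mask_of(rights), trustee))
    return aces

def diff_dacl(left, right):
    """ACEs only in left and only in right, compared on numeric masks."""
    a, b = parse_dacl(left), parse_dacl(right)
    return sorted(a - b), sorted(b - a)

def load_icacls_save(path):
    """Map path -> SDDL from an `icacls /save` file. Assumed layout: UTF-16LE text,
    each path line followed by its SDDL line."""
    text = Path(path).read_bytes().decode("utf-16-le").lstrip("\ufeff")
    lines = [ln for ln in text.splitlines() if ln.strip()]
    return dict(zip(lines[0::2], lines[1::2]))

if __name__ == "__main__":
    only_first, only_second = diff_dacl(FIRST, SECOND)
    for label, aces in (("first only ", only_first), ("second only", only_second)):
        for ace_type, flags, mask, trustee in aces:
            print(label, ace_type, flags or "-", NAMED.get(mask, hex(mask)), trustee)
```

Comparing on the numeric mask means `FA` and `0x1f01ff` count as the same ACE, while `0x1f019f` is reported as its own value: full control minus the execute and delete-child bits (0x60).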