2

I'm using robocopy to sync files between two different servers (one of them is not a Windows server but exposes Windows-like shares); but I'm having a permission issue.

I need to replicate all contents and also keep existing ACLs; I'm using a command like this:

robocopy.exe \\server1\share \\server2\share /mir /copyall

However, the user account which runs this command has only read access to some folders; this leads to an interesting problem: after the first sync, the same permissions are applied to the copied folders... and thus the user account loses write access to those folders and can't update them anymore.

Is there any way to avoid or fix this?

Massimo
  • 68,714
  • 56
  • 196
  • 319
  • There is no fix because it's not broken. The behaviour you encounter is quite to be expected. What OS is the target system? – Daniel Dec 19 '16 at 19:22
  • Windows Server 2012 R2. And I know everything is working as it should... however the end result is unusable. – Massimo Dec 19 '16 at 19:46
  • The only thing I can think of is to use an Administrator or Backup user account and perhaps also pull the source from the target. – Daniel Dec 19 '16 at 20:11
  • I'm already pulling the source from the target, and I'm using a local administrator account; but the ACLs often don't include "Administrators", thus the user account can't access folders where it doesn't have explicit permissions. – Massimo Dec 19 '16 at 20:19
  • But the administrator can always access any file, regardless of the actual ACL. Are you running the script in elevated mode? – Daniel Dec 19 '16 at 20:21
  • 1
    No, and yes. The administrator can take ownership of files and folders and can reset ACLs, but can't acually access anything if the ACLs say "no". – Massimo Dec 19 '16 at 20:32
  • Unfortunately, changing ACLs after Robocopy is done would be useless here, because they would be reset on the next run (and also, because as soon as a folder is created with the wrong permissions, the user running Robocopy can't even copy its *contents* in it). – Massimo Dec 19 '16 at 20:33
  • 2
    Have you tried in backup mode? `/b`, or `/zb`, which uses the special backup privilege that allow it to bypass ACLs? – Zoredache Dec 19 '16 at 21:56
  • @Zoredache This effectively solves the issue; please post it as an answer, I'll accept it. – Massimo Dec 20 '16 at 07:54

1 Answers1

2

Robocopy includes an option /b that activates and uses the special Backup privileges that allow the process to bypass access controls. Assuming default rights assignments, you need to be running as an administrator, server operator, or backup operator to use this option. The /zb option tells robocopy to only use the backup mode when needed.

Zoredache
  • 128,755
  • 40
  • 271
  • 413