0



We are migrating 4 shares from NetApp to Windows 2016 File Server using following Robocopy command. 'Share Perms' on both sides are 'Everyone, Full Control' and expecting Robocopy to copy over 'NTFS Security Perms'.

NetApp is in Production, working well and we need to keep same access/permissions. Permissions are super messy, where every folder inside a top level share does have different permissions.

Ran Robocopy command multiple times and data copy was completed(no errors). Not happy with the perms, some of the folders have correct perms and some not allowing admin account to view perms. After retries, I saw correct perms for few of the folders but not all.

Am I missing anything here? Really appreciate the help.

robocopy "\\10.xxx.xxx.xxx\ShareProd" "\\10.xxx.xxx.xxx\ShareProd" /E /ZB /COPYALL /FFT /r:1 /w:1 /MT:64 /TEE /LOG+:C:\RoboLogs\DataCopy.txt
Makhu
  • 35
  • 1
  • 1
  • 9

1 Answers1

1

/COPYALL switch is actually /COPY:DATSOU which is Data, Attributes, Timestamps, Security, Owner, and Auditing. The (S)ecurity is actually the NTFS ACLs. So if you want everything but the permissions, remove the S, /COPY:DATOU ; else remove the /COPYALL switch entirely which defaults to /COPY:DAT

spacenomyous
  • 1,319
  • 6
  • 15
  • Thank you for the prompt response. We definitely want (S) flag to copy permissions and robocopy did finish properly with COPYALL. We want exact mirror like-for-like on destination, but permissions are not copied properly(unlikely) OR something else is wrong(need to find out). – Makhu Aug 21 '18 at 12:09
  • 1
    There's two sets of permissions, the Share permissions which is usually Everyone:Full and then the NTFS perms which are locked down to the user. If you trust the copied permissions and simply need to ensure access by the local admin, use icacls to add the NTFS perms needed. icacls /grant Administrators:F /t – spacenomyous Aug 21 '18 at 13:51
  • Thanks a ton again for super prompt response. Used 'icacls' and 'subinacl' to confirm Share/NTFS perms for top level share and subfolder on both sides and they are exactly identical, which is what we want. But getting this error, while trying to access from Win Explorer(On the data copy server using same account as migration) "Windows Cannot Access \\10.xxx.xxx.xxx\Share1\Subfolder1" – Makhu Aug 21 '18 at 15:04
  • 1
    What do the ACLs say for that specific folder? Is the account / group listed with permissions? If not, who's the owner? Do these happen to be user profiles? If you don't have access, you need to take ownership of the folder and add the permissions you want for the destination before the copy. – spacenomyous Aug 21 '18 at 15:13
  • Data Copy Server and Win Server exporting shares are the same. Only 'Domain Admins' is having perms to some folders and logged in/migration account is said to be part of 'Domain Admins'. When I actually clicked 'G:\ShareProd', I get access denied and prompted to add Perms. Migration account then gets added separately giving me access to particular dirs/folders. – Makhu Aug 22 '18 at 00:54