Copy files with owner rights problem :/

  • Question

  • Hello together,

    here's a short description of my problem:

    We've got a fileserver with several folders and mapped drives (e.g. home, dep, etc.) and we're about to move all files to a new storage system. Unusually, we don't have administrator rights in our domain (complicated situation, please don't discuss it here). The AD admins granted us a special user, let's call him 'Jim', which has read access to all files and folders.

    We started with a temporary folder, where each user got his own subfolder named after his last name. After the copy process the owner of all files changed to Jim! And we're not able to get it back to the original ones.

    We've tried robocopy as well as RichCopy, both without success. I think we need the "management auditing userright" to copy the owner information, at least that's what robocopy told us when we tried several parameters.

    -------------------------------------------

    Sorry, but I'm confused by this logic. I'm able to read everything and have local admin rights on my storage, but I'm not able to set the new rights after my copy job? And why does the ownership change to Jim after the initial copy?

    So, can anyone tell me whether I'm right with my suggestion that we need these rights, or does someone know a better, maybe simple solution?

    Thanks in advance
    Cheers
    Sascha

    Monday, March 31, 2014 1:37 PM

Answers

  • I don't think this is the best place for your question because it has to do with file and folder security, not scripting.

    When you copy files they inherit the permissions in their new directory structure, including ownership.  If you move files they retain their permissions, assuming they are moving to a file system that supports the same permissions.  And whoever is doing the moving needs to have 'modify' privileges in the target directory, I believe.

    I'm not as familiar with robocopy, but that particular right does not exist in terms of file and folder security.  To copy the files and be able to set ownership I think you would need pretty much every privilege in the advanced security options except for full control.


    I hope this post has helped!

    Monday, March 31, 2014 1:57 PM

All replies

  • Try using robocopy.exe with the /COPYALL parameter.  This tells robocopy to include NTFS ACLs (including audit entries) and ownership information when performing the copy (in addition to the data, attributes and timestamps, which are the default behavior.)
    Monday, March 31, 2014 2:09 PM
  • There's the problem: I don't want to copy the other information, I only need the owner.

    I've got full control and access to the target system. But I always get the error message: You do not have the Manage Auditing user right

    According to our AD admin I have these rights already ...

    Here are some more details:

    The user I'm working with is an extra user just for the copy jobs, so he is not the owner of the original files and shouldn't be the owner after the copy job.

    Maybe this describes my problem a bit better.

    • Edited by schakal007 Wednesday, April 2, 2014 10:47 AM
    Wednesday, April 2, 2014 10:33 AM
  • Ahh, I'm guessing you might need either SeAuditPrivilege or SeTakeOwnershipPrivilege which can be granted to a local system with NTRights:

    http://support.microsoft.com/kb/315276

    Or through GPO, Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/User Rights Assignment.  Either backup and restore, take ownership of files and other objects, or possibly manage auditing and security events because it sounds like what you're being prompted for, but I'm dubious on that one.  

    Just because you're domain admin doesn't mean default privileges haven't been replaced on a target directory.  While you would always be able to ultimately take ownership and restore permissions, that wouldn't translate with a tool like robocopy.


    I hope this post has helped!

    Wednesday, April 2, 2014 11:17 AM
  • There's the problem: I don't want to copy the other information, I only need the owner.

    I see.  In that case, try robocopy with the /COPY:O parameter instead of /COPYALL .  Assuming you've been granted the proper user rights and permissions, robocopy.exe should take care of all the token elevation that's required.
    Wednesday, April 2, 2014 12:05 PM
  • Ahh, I'm guessing you might need either SeAuditPrivilege or SeTakeOwnershipPrivilege which can be granted to a local system with NTRights:

    http://support.microsoft.com/kb/315276

    Or through GPO, Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/User Rights Assignment.  Either backup and restore, take ownership of files and other objects, or possibly manage auditing and security events because it sounds like what you're being prompted for, but I'm dubious on that one.  

    Just because you're domain admin doesn't mean default privileges haven't been replaced on a target directory.  While you would always be able to ultimately take ownership and restore permissions, that wouldn't translate with a tool like robocopy.


    I hope this post has helped!

    The GPO has to be applied on the target system and not the source system.


    ¯\_(ツ)_/¯

    Wednesday, April 2, 2014 1:12 PM
  • If this is a full time production solution you should consider using DFSR.  RoboCopy is really only for temporary mirroring.

    See: http://msdn.microsoft.com/en-us/library/bb540025(v=vs.85).aspx

    DFSR is able to do all replication with no user account as it is a network wide service.  It is already running in the domain on all DCs.


    ¯\_(ツ)_/¯


    • Edited by jrv Wednesday, April 2, 2014 1:15 PM
    Wednesday, April 2, 2014 1:14 PM
  • Sorry, but DFSR isn't an option :/ The "old" DFS isn't in our hands and the new system (NetApp) will be administered by us.

    All I need is a way to sync the original ownership to the newly copied files without being the original owner.

    There has to be some way :/ 

    Wednesday, April 2, 2014 1:28 PM
  • You need more than owner or the files will likely be unmanageable.

    Backup and restore will move all security if you have backup/restore privilege.


    ¯\_(ツ)_/¯


    • Edited by jrv Wednesday, April 2, 2014 1:46 PM
    Wednesday, April 2, 2014 1:45 PM
  • You need more than owner or the files will likely be unmanageable.

    Backup and restore will move all security if you have backup/restore privilege.


    ¯\_(ツ)_/¯


    I think we should try to clarify.

    To copy the security your account has to have the rights and the token must be enabled.  RoboCopy, as noted by David, manages the token if your account has the rights.  You still need the permissions on the remote system.  Your account must have Full control of the target folder and it must have backup/restore/audit permissions on the remote system.


    ¯\_(ツ)_/¯

    Wednesday, April 2, 2014 1:51 PM
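
The relationship between robocopy's /COPY flags and the user rights discussed in the replies above, as an added PowerShell example that is not part of any post in this thread. The function name, the sample privilege listing and the share paths are constructed; the check reads the local token, so it is meaningful only when run on a Windows host that holds the destination.

```powershell
# Added example (not from the thread). Maps robocopy /COPY flags to the user
# rights the copying account must hold, then checks a token listing for them.
$RightsByFlag = @{
    'O' = @('SeRestorePrivilege')    # set an owner other than yourself
    'U' = @('SeSecurityPrivilege')   # "Manage auditing and security log" (SACL)
}   # D, A, T and S depend on file permissions only, not on a user right

function Get-MissingRight {
    param(
        [Parameter(Mandatory)][string]$CopyFlags,   # e.g. 'DATSOU' (= /COPYALL)
        [Parameter(Mandatory)][string[]]$PrivCsv,   # lines of: whoami /priv /fo csv
        [switch]$BackupMode                         # robocopy /B or /ZB
    )
    # Skip the (localized) header row and name the columns ourselves.
    $held = ($PrivCsv | Select-Object -Skip 1 |
             ConvertFrom-Csv -Header Name, Description, State).Name
    $need = @(foreach ($f in $CopyFlags.ToUpper().ToCharArray()) {
        $RightsByFlag[[string]$f]
    })
    if ($BackupMode) { $need += 'SeBackupPrivilege', 'SeRestorePrivilege' }
    # A right listed as "Disabled" is still held; the process can enable it.
    $need | Where-Object { $_ -and $_ -notin $held } | Select-Object -Unique
}

# Constructed sample token: backup/restore granted, Manage Auditing not granted.
$sample = @'
"Privilege Name","Description","State"
"SeBackupPrivilege","Back up files and directories","Disabled"
"SeRestorePrivilege","Restore files and directories","Disabled"
"SeChangeNotifyPrivilege","Bypass traverse checking","Enabled"
'@ -split "`r?`n"

# /COPYALL includes the U flag, so the auditing right is checked as well.
Get-MissingRight -CopyFlags 'DATSOU' -PrivCsv $sample -BackupMode
# Owner only: the auditing right is not involved.
Get-MissingRight -CopyFlags 'O' -PrivCsv $sample -BackupMode

# Live use (placeholder paths): check the real token, then re-apply only the
# owner to files that were already copied.
#   Get-MissingRight -CopyFlags 'O' -PrivCsv (whoami /priv /fo csv) -BackupMode
#   robocopy \\oldserver\home \\newserver\home /E /COPY:O /SECFIX /B
```
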
  • Sorry guys, but it didn't work with the full AD admin rights either! :/ Still the same problem. BTW the source DFS systems are W2k3R2 and the destination is a NetApp 3250 with the newest version of OnTap, it acts like a Windows fileserver.
    Thursday, April 3, 2014 5:47 AM
  • I didn't think it would work. You do not have full admin rights on the target file server. Contact the vendor for instructions on how to set up to do what you are trying to do.

    I have seen this before.  The vendor of the NAS box usually comes through with a work around or a patch.  Unix flavors are particularly tricky to get working.


    ¯\_(ツ)_/¯

    Thursday, April 3, 2014 5:58 AM
  • No, sorry. We're using NTFS only, neither Unix nor mixed mode.

    As far as I can see, there is no possibility to copy the owner information if Jim isn't the owner or in the owner group. Maybe this works as designed?

    Friday, April 4, 2014 6:26 AM
  • No, sorry. We're using NTFS only, neither Unix nor mixed mode.

    As far as I can see, there is no possibility to copy the owner information if Jim isn't the owner or in the owner group. Maybe this works as designed?

    Are you saying the remote NAS is a Windows file server or is it a NAS device that emulates a Windows file server? If it is a Windows-based file server then there is no reason for you to have any issues if you have full ownership or have backup privileges.

    If this is a Windows device then DFSR would be the best way to set it up.  DFS does not care about permissions once the share has been accepted under the DFS system.

    You said originally that the file server was a NetApp emulating a Windows file server. NetApp is a Unix-based appliance.  If that is the case then you need to contact NetApp to learn how to set up the target correctly.  It cannot be resolved by scripting.



    ¯\_(ツ)_/¯

    Friday, April 4, 2014 11:30 AM
  • It's as I said in the beginning, the NAS 3250 acts as a Windows server, I know it emulates NTFS and that Linux is running on it. DFS isn't an option for us.

    In the end I opened a ticket at NetApp. If I get a response I will write here what could solve the issue.

    Wednesday, April 9, 2014 10:14 AM
  • It's as I said in the beginning, the NAS 3250 acts as a Windows server, I know it emulates NTFS and that Linux is running on it. DFS isn't an option for us.

    In the end I opened a ticket at NetApp. If I get a response I will write here what could solve the issue.

    As I posted before.  If it is a Linux box you need to be sure the account you are using is set correctly on the Linux box.  This has to be done at the NAS or with the remote NAS web site.

    The NAS vendor will help you understand how to use this device.  There are many versions of this NAS.


    ¯\_(ツ)_/¯

    • Proposed as answer by jrv Tuesday, April 15, 2014 8:50 AM
    Wednesday, April 9, 2014 10:39 AM
  • Yes, I know, and it's set correctly. I haven't installed or configured it myself. It was done by a service partner which is specialised in NetApp. I already opened a ticket at NetApp via our partner. Will post the answer when I get it.
    Tuesday, April 15, 2014 6:56 AM
  • Yes, I know, and it's set correctly. I haven't installed or configured it myself. It was done by a service partner which is specialised in NetApp. I already opened a ticket at NetApp via our partner. Will post the answer when I get it.

    As noted above.  This is not a scripting issue.  It is a vendor/product related issue.

    Good luck.


    ¯\_(ツ)_/¯

    Tuesday, April 15, 2014 8:51 AM