Robocopy Polices Windows File Permissions
Copying files in Windows may not be as simple as you think. Ever tried copying or moving files from one file server to another? If so, you probably noticed that the permissions and ownership of files didn't carry over to the new server. There is a somewhat complex set of rules that determines when file permissions and ownership are copied to a new location. In this article we'll examine those rules and take a look at a Windows Resource Kit utility that is absolutely essential when you find yourself moving files around between servers and volumes.
With the NT file system (NTFS) on Windows NT/2000/XP/Vista we have the ability to set security permissions on individual files and folders, and track the creator of a file or folder through ownership. To the untrained eye it may seem mysterious why files and folders sometimes retain their permissions and ownership after being copied or moved, and sometimes do not. The key elements of this equation are whether the file/folder was "copied" or "moved", and whether the files/folders were copied/moved within a volume/partition or between volumes/partitions. Here is a breakdown of the rules:
- When files are copied through Windows Explorer or via the copy.exe command they will always take on the permissions of their new location, and the user account that performed the copy will become the owner.
- When files are moved from one location to another on the same volume/partition using Windows Explorer or the move.exe command they will retain their permissions and ownership.
- When files are moved from one volume/partition to another volume/partition using Windows Explorer or the move.exe command they will take on the permissions of the new location, and the user account that performed the move will become the owner. This includes moving files/folders from one server or workstation to another.
Note: You have to be careful when dragging files around using Windows Explorer because it will take a guess as to whether you want to "move" or "copy" files. There is a handy trick you can use to force Windows Explorer to copy or move files/folders depending on what you are trying to accomplish. Instead of left-clicking files/folders to move or copy them, try using a right-click instead. This will prompt you with the option to copy, move, create a shortcut, or cancel the operation completely. The option that is listed in bold font is the action Windows Explorer would have taken had you used a left-click instead of a right-click.
Robocopy by Example
Let's take a look at some examples. Say I have a folder at d:\userdata\bob and I want to copy it to d:\userdata_backup\bob on the same machine. User "bob" has been given modify access to d:\userdata\bob and he needs to be able to access the backup copy of his folder as well. If you were to "copy" the data to d:\userdata_backup\bob then, by default, he would not have access to his backup. The systems administrator would have to manually grant access to the new "bob" folder in d:\userdata_backup. This may not seem like that big of a deal, but imagine how much fun it would be with 500 different user folders. "Moving" the files from d:\userdata\bob to d:\userdata_backup\bob would retain the modify permissions to the backup copy and allow Bob access to his files, but then his regular "userdata" folder would be gone. What if we want to store the backup copy of our "userdata" folder on e:\userdata_backup\bob? Whether we copy or move d:\userdata_backup\bob it will not retain Bob's modify permissions. The same is true if we wanted to copy or move d:\userdata\bob to another server. One solution to this dilemma is the Windows Resource Kit "robocopy.exe" utility.
Robocopy.exe is a powerful command line utility that allows administrators to retain permissions and ownership when copying files. It has an array of options and switches that give administrators ultimate flexibility when copying and moving files. You can copy all or some of a file/folder's attributes, and perhaps best of all, robocopy.exe will only copy files that have changed since the last copy. This makes robocopy.exe an excellent replication tool.
Below is an example of the robocopy.exe syntax that would copy d:\userdata\bob to e:\userdata_backup\bob and retain both permission and ownership information:
robocopy d:\userdata\bob e:\userdata_backup\bob /copyall /e
The "/e" ensures that all subfolders (including empty ones) are copied to the destination location. The "/copyall" tells robocopy to copy all file/folder attributes (including permissions and ownership) to the new location. Robocopy is also great if you want to set up a recurring task that backs up Bob's files every night. The following syntax would be used:
robocopy d:\userdata\bob e:\userdata_backup\bob /copyall /mir
The "/mir" is a combination of the "/e" and the "/purge" options. This essentially turns robocopy into a file replication service. It will only copy files that have changed each time that it is run, and because of the "/mir" option it will delete files and folders in e:\userdata_backup\bob if they have been removed from d:\userdata\bob. Robocopy has many other impressive options that can be explored by running:
It's worth noting that robocopy.exe is not the only command line tool available to you for retaining permission and ownership information when copying files/folders between volumes and servers; "xcopy.exe" is also available. The only advantage of xcopy.exe is that it comes installed on Windows by default, whereas robocopy.exe must be installed via the Windows Resource Kit. Xcopy.exe does not have as many options as robocopy.exe and it will not skip copying files that are already up to date in the destination folder.
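A check an administrator might wrap around the nightly /copyall /mir job described above, as an added PowerShell example that is not part of the original article: it mirrors Bob's folder, then confirms that every item in the backup has the same owner and explicit permissions as its source. The function name Get-SecuritySummary and the /r:2 /w:5 retry settings are assumptions, and the script is assumed to run in an elevated session with the rights needed to set ownership on the destination.

```powershell
# Added example: paths are the article's; function and variable names are assumptions.
param(
    [string]$Source      = 'd:\userdata\bob',
    [string]$Destination = 'e:\userdata_backup\bob'
)

function Get-SecuritySummary([string]$Path) {
    # Owner plus explicit (non-inherited) ACEs, expressed as SIDs so the result
    # does not depend on account-name lookups.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $acl     = Get-Acl -LiteralPath $Path
    $owner   = $acl.GetOwner($sidType).Value
    $aces    = $acl.GetAccessRules($true, $false, $sidType) | ForEach-Object {
        '{0}:{1}:{2}:{3}:{4}' -f $_.IdentityReference.Value, $_.AccessControlType,
            $_.FileSystemRights, $_.InheritanceFlags, $_.PropagationFlags
    } | Sort-Object
    "owner=$owner;" + ($aces -join ';')
}

# Mirror data, permissions and ownership; /r and /w bound retries on locked files.
robocopy $Source $Destination /copyall /mir /r:2 /w:5
# Robocopy exit codes are bit flags; 8 and above mean at least one copy failed.
if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }

# Walk the source tree and compare each item with its counterpart in the backup.
$srcRoot = (Get-Item -LiteralPath $Source).FullName.TrimEnd('\')
$dstRoot = $Destination.TrimEnd('\')
$items   = @(Get-Item -LiteralPath $srcRoot) +
           @(Get-ChildItem -LiteralPath $srcRoot -Recurse -Force)

$mismatches = foreach ($item in $items) {
    $target = $dstRoot + $item.FullName.Substring($srcRoot.Length)
    if (-not (Test-Path -LiteralPath $target)) {
        [pscustomobject]@{ Path = $target; Problem = 'missing in backup' }
    } elseif ((Get-SecuritySummary $item.FullName) -ne (Get-SecuritySummary $target)) {
        [pscustomobject]@{ Path = $target; Problem = 'owner or explicit ACL differs' }
    }
}

if ($mismatches) {
    $mismatches | Format-Table -AutoSize
    exit 1
}
Write-Output "Backup owners and explicit ACLs match the source for $($items.Count) items."
```

Robocopy skips files whose data is unchanged, so a permission change made only on the source shows up here as a mismatch; robocopy's /secfix switch reapplies security to skipped files.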
Copying and moving files with Windows Explorer can be tricky if you want to retain file and folder attributes such as permission and ownership information. Luckily, robocopy.exe is a great tool that makes it easy to handle most situations that will inevitably arise.