3

I am in the process of migrating all the data from one (1 TB) volume (not C:) on an AD server to a new 4 TB one. I have copied all the data including the FolderRedirection and Profile stuff.

I am just in the process of cloning the security ACL's with a little bit of PowerShell. Can anyone point me in the right direction on how to log the output to a file so i can review it and make sure nothing failed to write?

copypermissions.ps1

dir E:\Data -r | where {$_.PSIsContainer} | foreach { 
  $target= ($_.fullname).replace("E:","G:") 
  Get-Acl $_.Fullname | Set-Acl $target 
}

Using the -whatif flag on the end of the Set-Acl command shows that it will try and do what i want it too but when i actually run it on a test folder not everything is copied and i get a couple of errors on the console looking like:

Set-Acl : The security identifier is not allowed to be the owner of this object.

At E:\copypermissions.ps1:3 char:32 + Get-Acl $_.Fullname | Set-Acl <<<< $target + CategoryInfo : InvalidOperation: (G:\Data\Profiles*USERNAME*:String) [Set-Acl], InvalidOperationException + FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.SetAclCommand

I am really looking for a simple 1 liner to add to the end of the script that will write any errors to a log file.

SimonJGreen
  • 3,205
  • 5
  • 33
  • 55
JTotham
  • 112
  • 8

3 Answers3

3

Robocopy is a copy utility that is included with the recent versions of Windows (it was previously a resource kit tool that you needed to download). It will copy your files and the ACLs when certain switches are enabled.

To copy an entire folder tree with security from the old drive to the new drive, you would run the following command from a command prompt or powershell window with Administrator rights:

Robocopy \\source \\destination /MIR /SEC /ZB

You can also run Robocopy in a way that will just apply security to files without copying data.

Robocopy \\source \\destination /SECFIX

To get more information on Robocopy, you can look at the following sources: http://ss64.com/nt/robocopy.html - Explanation of Robocopy Command Line switches http://support.microsoft.com/kb/323275 - Explanation of /SECFIX switch

smassey
  • 696
  • 5
  • 13
  • As the (fairly sizeable) copy job has already finished, is it possible to do the permissions using Robocopy retrospectively? – SimonJGreen Mar 11 '12 at 18:12
  • Cheers, is there a way i can use that to just clone the permissions or to diff the files and just do the permissions as all the files have already been copied and i dont want to want for the whole 1tb to copy again? – JTotham Mar 11 '12 at 18:13
  • Yes. I just posted an edit that includes that information. – smassey Mar 11 '12 at 18:13
  • I have just tried this and it seems like it should be working but when I check the folder permissions in my test folder the permisions haven't been copied. Here is the output from my test folders: – JTotham Mar 11 '12 at 18:27
  • ROBOCOPY :: Robust File Copy for Windows Started : Sun Mar 11 18:26:39 2012 Source : e:\test\ Dest : g:\test\ Files : *.* Options : *.* /S /E /COPY:S /SECFIX /R:1000000 /W:30 0 e:\test\ 0 e:\test\1\ 0 e:\test\1 - Copy\ 0 e:\test\1 - Copy - Copy\ 0 e:\test\1 - Copy - Copy - Copy\ Total Copied Skipped Mismatch FAILED Extras Dirs : 5 0 5 0 0 0 – JTotham Mar 11 '12 at 18:30
  • Are you running this from a command prompt or powershell window that says Administrator up in the upper left-hand corner? – smassey Mar 11 '12 at 18:31
  • I tried it from Admin Powershell 1st then again in Admin cmd, got the same thing in both. Seems to be skipping all the folders but im not sure why. – JTotham Mar 11 '12 at 18:34
  • This is the full command i am using, needed to add /E for it to do subfolders, and with just /secfix it told me to read up on it and to use /copy: - PS E:\> Robocopy e:\test g:\test /SECFIX /COPY:S /E – JTotham Mar 11 '12 at 18:36
  • Robocopy seems to work fine if i am copying fresh data but doesn't seem to update the ACL's for existing folders. – JTotham Mar 11 '12 at 18:49
  • What happens when you try this: robocopy source destination /secfix /xo /xn /xc – smassey Mar 11 '12 at 19:42
  • Which version of robocopy? "All versions of Robocopy will copy security information (ACLs) for directories, version XP010 will not copy file security changes unless the file itself has also changed" http://ss64.com/nt/robocopy.html – Robin Gill Mar 11 '12 at 22:29
3

To redirect just errors to from stederror to a regular output stream, put 2> (filename) on the end of your query. So it becomes:

dir E:\Data -r | where {$_.PSIsContainer} | foreach { 
  $target= ($_.fullname).replace("E:","G:") 
  Get-Acl $_.Fullname | Set-Acl $target 
} 2> errors.txt
Mark Henderson
  • 68,823
  • 31
  • 180
  • 259
  • Cheers, just want i needed. I was still running into an issue that some of the src folders where not owned by 'Administrators' so when it tried to write the whole security descriptor it was trying to change ownership to a user the script was not running as (not allowed in windows). I adjusted my script to the following and it seems to have worked across the whole dataset. I also considered changing the owner on e:\data to 'Administrators' and applying the changes to the folder and all sub folders, this got rid of any chance that folders where owned by other users. – JTotham Mar 12 '12 at 09:37
  • 1
    My original script would prob have worked having reset the ownership, but this one seems to process lines much faster so i stuck with it.********************************************************************************************** dir e:\ -r | where {$_.PSIsContainer} | foreach { $target= ($_.fullname).replace("E:","G:") $AccessList = (get-item $_.Fullname).getaccesscontrol("Access") Set-Acl $target $AccessList -Verbose } 2> errors.txt – JTotham Mar 12 '12 at 09:38
  • 1
    If you really want to get to the simplest script, you could simplify it even more (totally un-tested): `dir e:\ -r | ?{$_.PSIsContainer} | %{ Set-Acl ($_.fullname).replace("E:","G:") $_.getaccesscontrol("Access") -Verbose } 2> errors.txt` – Mark Henderson Mar 12 '12 at 11:01
0

Using Robocopy (non resource kit version) you can follow this guide.

Correct syntax is ROBOCOPY /E /Copy:S /IS /IT <Source> <Target>.

SimonJGreen
  • 3,205
  • 5
  • 33
  • 55