1

I have Folder Redirection turned on so the profiles are on a Windows shared folder on a File and Print Server... \folders\Profiles

I want to back up the entire Profiles directory, but as Domain Admin I don't seem to have the privileges to "select all and copy" the entire directory structure. The user profile subfolders (Appdata, Documents, Desktop, Pictures, etc.) throw access denied errors...

I tried to grant Domain Admins full privileges to the Profiles directory and thought the subfolders would inherit the privileges, but I get access denied errors just trying to set the permissions...

How can I assign a user to the Profiles directory so that I can copy the entire directory tree to back it up?

Earls
  • 295
  • 1
  • 7
  • 21
  • Have you attempted a backup using actual backup software? – Joel E Salas Jul 07 '12 at 23:36
  • Attempting to use Goodsync to synchronize the directory to another shared folder threw the errors... I guess that technically isn't "backup", but I'd imagine either software program would require the necessary permissions? – Earls Jul 07 '12 at 23:40
  • Actually, dedicated backup software (such as Backup Exec) adjusts its own permissions appropriately as part of the install routine. I would suggest trying backup software before spending too much time changing permissions manually. – Joel E Salas Jul 08 '12 at 00:23
  • Joel: BackupExec sets specific user rights during installation. It does not set any permissions. User rights and file/folder permissions are two different things. There's no such thing as "user permissions". There are user rights (such as log on as a service) and there are NTFS and/or Share permissions (such as READ) that are applied to files and folders and granted to users or groups. – joeqwerty Jul 08 '12 at 03:47
  • So you can turn off Exclusive Access and set a GP entry that gives Domain Admins access to the folders... For new users. Now looking for a way add the Domain Admins security group without taking ownership of the existing folders which corrupts them. icacls as system user? – Earls Jul 08 '12 at 22:05

2 Answers2

2

Windows has a special backup privilege that allows applications to read anything, regardless of permissions. If you want to perform a backup, you want to use an application that makes use of the backup privilege.

Most if not all full-blown backup applications use the backup privilege, but there is a much easier way: run robocopy with the parameter /b.

Helge Klein
  • 2,101
  • 1
  • 16
  • 22
  • Additionally, seizing ownership allows you to set the permissions to whatever the hell you want, so Earls could take ownership, set the permissions on the directory tree "correctly" and then set ownership back. – HopelessN00b Jul 13 '12 at 22:41
0

Download PSTools from SysInternals.

Unzip PSTools.zip and from the PSTools directory, run the command:

psexec -i -s cmd.exe

A new command prompt window will open, running as the user SYSTEM.

Now run this command:

icacls "D:\Profiles\*" /grant "domain admins":(OI)(CI)F /T

Done.

Earls
  • 295
  • 1
  • 7
  • 21