NTFS Security Settings

Use this forum for help with AISBackup
Post Reply
JeffBuckles
Posts: 21
Joined: Sun Jul 02, 2006 9:25 pm

NTFS Security Settings

Post by JeffBuckles »

Edited to add:
Running AISBackup version 2.8.0.385 on Windows XP SP3.
Backup destination is external USB hard drive.


AISBackup version I seem to be confused by the NTFS security settings. Our company is changing windows domains. So I backed up while logged-in as the old user "DN\ux" (domain "N" user "x"). Then after the new profile was created I logged in as the new user "DR\ux" to restore. When I restore I always select to "Replace Duplicates" and to "Restore NTFS Security Settings".

However, it seems, whereas all files are restored as owned by the old domain user (expected) some directories are restored as owned by the old domain user (DN\ux) and some are restored as owned by the new domain user (DS\ux).

I should note that both old and new user accounts are members of the local Administrators group and I have full rights to set file ownership and permissions, which I have successfully done outside of AISBackup. I am not, however, a member of the Domain Administrators group.

Do you have any idea why the restored directory ownership would be inconsistent this way? Might it have to do with whether the directory has explicit permissions or inherited -- though I don't see how that would affect ownership.

Thank you and Best Regards,
-- J
JeffBuckles
Posts: 21
Joined: Sun Jul 02, 2006 9:25 pm

Post by JeffBuckles »

Confirmed that two original directories with identical permissions (as reported by cacls) come out different when I restore as a different user:

(ls command output created in cygwin shell to show file ownership)

Original ( before backup )

Code: Select all

drwx------+ 1 user-N group-N 0 Jan  2  2009 dir-1/
drwx------+ 1 user-N group-N 0 Sep 29 14:51 dir-2/

C:\Documents and Settings\user-N\dir-1 dom-N\user-N:F
                                         dom-N\Domain Users:(special access:)
                                                            READ_CONTROL
                                                            FILE_READ_EA
                                                            FILE_READ_ATTRIBUTES
 
                                         Everyone:(special access:)
                                                  READ_CONTROL
                                                  FILE_READ_EA
                                                  FILE_READ_ATTRIBUTES
 
                                         dom-N\user-N:(OI)(CI)(IO)F 
                                         NT AUTHORITY\SYSTEM:F 
                                         NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
                                         BUILTIN\Administrators:F 
                                         BUILTIN\Administrators:(OI)(CI)(IO)F 

C:\Documents and Settings\user-N\dir-2 dom-N\user-N:F
                                           dom-N\Domain Users:(special access:)
                                                              READ_CONTROL
                                                              FILE_READ_EA
                                                              FILE_READ_ATTRIBUTES
 
                                           Everyone:(special access:)
                                                    READ_CONTROL
                                                    FILE_READ_EA
                                                    FILE_READ_ATTRIBUTES
 
                                           dom-N\user-N:(OI)(CI)(IO)F 
                                           NT AUTHORITY\SYSTEM:F 
                                           NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
                                           BUILTIN\Administrators:F
                                           BUILTIN\Administrators:(OI)(CI)(IO)F 
Backup from C: to USB drive executed while logged-in as "user-N".
Restore to new, empty directory while logged in as "user-S".
Select "Restore NTFS Security Settings"
Now, the same two directories have different permissions:

Code: Select all

drwx------+ 1 user-N group-N 0 Jan  2  2009 dir-1/
d---------+ 1 user-S group-S 0 Sep 21 11:59 dir-2/

G:\TmpRstr\Documents and Settings\user-N\dir-1 dom-N\user-N:F
                                              dom-N\Domain Users:(special access:)
                                                                 READ_CONTROL
                                                                 FILE_READ_EA
                                                                 FILE_READ_ATTRIBUTES
 
                                              Everyone:(special access:)
                                                       READ_CONTROL
                                                       FILE_READ_EA
                                                       FILE_READ_ATTRIBUTES
 
                                              dom-N\user-N:(OI)(CI)(IO)F 
                                              NT AUTHORITY\SYSTEM:F 
                                              NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F 
                                              BUILTIN\Administrators:F 
                                              BUILTIN\Administrators:(OI)(CI)(IO)F 

G:\TmpRstr\Documents and Settings\user-N\dir-2 dom-N\user-N:F
                                                dom-N\user-N:(OI)(CI)(IO)F 
                                                NT AUTHORITY\SYSTEM:F 
                                                NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F 
                                                BUILTIN\Administrators:F
                                                BUILTIN\Administrators:(OI)(CI)(IO)F 
My expectation is that with "Restore NTFS Security Settings" checked, both directories should have restored with owner and permissions same as "dir-1". The fact that "dir-2" restored as the current user would seem to be the anomaly. I can find no apparent reason why one dir restores as the original user (correctly restored NTFS security settings) and one restores as the current user executing the restore. Any ideas or suggestions would be greatly appreciated.

Thank you and Best Regards,
-- J
Barry
Site Admin
Posts: 1529
Joined: Tue Aug 20, 2002 3:16 pm

FolderNTFS settings

Post by Barry »

AISBackup does not restore folder NTFS security settings if a folder pre-exists, could this be the problem?

Some tests will be run ASAP.

I know that AISBackup does restore the security settings correctly for new files, however replacing duplicates needs to be checked, if you delete a known duplicate does the restore work then?

There may be a problem restoring security information when restoring to a new domain as the security settings may be incorrect, using the GUI security properties I have often noticed incorrect security settings in the list as signified by a question mark on the setting. When restoring to a new computer or domain it is probably best not to restore the security settings - but then you may have to do a considerable amount of manual security setting.

Some security settings are stored as inherited from the owner, e.g. the folder containing the files and folders.

If possible please supply a list of file and folder security settings from Domain A so that I can set-up the same here, I will then restore these files and folders to Domain B to see for myself the problem. I will then try and interpret the security settings as stored by AISBackup.

BTW: AISBackup uses the Microsoft Application Programmers Interface (API) BackupRead and BackupWrite to backup and restore the security settings.

http://msdn.microsoft.com/en-us/library/aa362512

Barry
Last edited by Barry on Thu Oct 14, 2010 9:39 am, edited 1 time in total.
JeffBuckles
Posts: 21
Joined: Sun Jul 02, 2006 9:25 pm

Post by JeffBuckles »

Hi, Barry,
Thanks for the info.

All of the restorations are into empty directories.

> you may have to do a considerable amount of manual security setting.
Exactly. That's what I hope to avoid.

It may take a while to create a list for a test case.
However, there is a lot of good information in the link, and the API has one restriction in particular having to do with the SACLs that I need to check. I'll let you know if I find anything interesting.

Thanks and Best Regards,
--
Post Reply