robocopy without admin user

**peterpam** · October 19th, 2003, 11:35 AM

Hi there someone!
Does anyone knows what would bee the best way to perform a robocopy operation - copy a folder structure with the NTFS security settings from one server/domain to an other - without giving the user admin permissions?
It woul realy help me, cause i think this would save me a lot of work!

Thanks in advance

**peterpam** · October 19th, 2003, 11:38 AM

I am thinking maybe a startup script with the /sec and the /at switch, but that would still demand me to change the scheduler service in every server to use another user than the system account....

HELP!

**confus-ed** · October 23rd, 2003, 09:54 AM

So go on then, I'll bite ... what are you trying to do ? Other than defeat NTFS's security settings - because I can't see that you can transfer ALL child permissions CORRECTLY without being 'top of the tree' ?

You could just write a batch file & use 'runas', but that means exposing administrator details, so you might as well let them be an administrator, but I understand there are ways to hide that, I've never tried any of them, so have a look at this :- Some info on Runas which might be helpful

**peterpam** · October 23rd, 2003, 01:55 PM

Originally Posted by confus-ed

So go on then, I'll bite ... what are you trying to do ? Other than defeat NTFS's security settings - because I can't see that you can transfer ALL child permissions CORRECTLY without being 'top of the tree' ?

You could just write a batch file & use 'runas', but that means exposing administrator details, so you might as well let them be an administrator, but I understand there are ways to hide that, I've never tried any of them, so have a look at this :- Some info on Runas which might be helpful

Hi Confus-ed
Thanks, but the problem is solved.

The situation happened in a big entreprise migration to 2003, with very high security standarts. We needed to give a simple script in a diskette to a group of guys, that would make a copy of all the personal folders (redirection of My Documents and Desktop) in an NT file server to a brand new 2003.
The question complicated even more with the necessity to preserve (copy to the new domain) the NTFS and Share permissions of all the personal folders, that had all the option 'inherit permissions from parent folder' already desactivated.
Worst: top people didn't allowed us to give the technichians who would do the job backup permissions or power user permissions....(with backup tool would bee so simple...)

The solution came from a batch file - there were 130 servers from diferent locations! - that me and my colegues have cooked: as entreprise administrators we runed a batch file that used the 2003 resource kit tools SUBINACL and CACLS, and we were able that way to give read permissions on all the folders to a new user specialy created (and later erased) for that group of non-informed tech's

This way, they've just made boot from the diskette, and ROBOCOPY, another r.k.tool, tooked care of the things.

At last, later on the destination server, we runned the batch again, slightly changed just to do the oposite, remove the permissions to that user. That way the structure of permissions remained the same, and we had gave the minimum amount of wrights to thouse tech's.

PROBLEM SOLVED!
(i must bee honest.... i have some more white hairs just because of the night we had to spend thinking on the problem!!

Greetings

**Ya_know** · October 23rd, 2003, 02:37 PM

That sounds like a kick a$$ resolution! Great job!

**confus-ed** · October 26th, 2003, 06:55 AM

Originally Posted by Ya_Know

That sounds like a kick a$$ resolution!

Sounds like I ain't an NT adminstrator, and maybe there's some stuff out of that job I 'should' know ... these ain't 'new' stuff at all ...

we runed a batch file that used the 2003 resource kit tools SUBINACL and CACLS

Some links then for 'next time' ... SUBINACL.exe (NT 4 Server Resource kit supplement 3)

CACLS.exe

However thanks for indicating the method

**peterpam** · October 26th, 2003, 11:01 AM

[QUOTE=confus-ed]Sounds like I ain't an NT adminstrator, and maybe there's some stuff out of that job I 'should' know ... these ain't 'new' stuff at all ...

Your welcome YahhhNow! As always!

As for you confused one....

Sounds like you are an NT administrator, from a slow, slow enterprise....
(look at reply's dates...)

Never the less, thanks confus-ed

OVER-AND-OUT

**confus-ed** · October 26th, 2003, 11:39 AM

I see things have as usual got confus-ed.

I'm not an NT adminstrator, if I had been I ought to have known about those tools, I'm an independant contractor & I do everything fropm pc builds to databases, I thought Ya_know was an admin, he's always wittering on about the joys of NT4 ... my comment was aimed at him hence the quote, not you (peterpam).

I was seeking to correct the impression that the tools you used were 'new' in server 2003, nothing else.

No doubt I'm about to get some flak from Ya_know now .... but you never gave enough info to answer, as I can see now, it so I don't blame him either, he probaly thought much as I did from the initial question, he only said the answer was good after all ... I know you can do all this re-grant of permissions stuff with unix, but I've never had cause to try with NT networks.

**Ya_know** · October 27th, 2003, 09:53 AM

Sure Confus-ed, the tools may have existed for years, but in most daily circumstances they are not used unless facilitating this type of migration, of which I have not participated in yet. So I was particularly intrigued, hence my reply.

I still don't know if this was a direct attack at me, or an effort to make yourself feel better. Either way I tend to think the chip is on your shoulder, not mine.