[SOLVED] Copy folder, keep permissions - not as simple as it seems!

seedubya

So, I have a quite complex folder structure that is shared out on a single share and access is controlled by NTFS permissions for various groups.

In one set of folders, let's say it's called "Projects", I have a Project_Template Folder that needs to be copied very regularly, multiple times per day. The copy is then renamed with the appropriate project name. The copy folder must have the same permissions as the Template, some of which are custom and NOT inherited.

This is trivial when logged in locally to the server as an administrator - I just use XCOPY with the appropriate switches. However, I need the Project Managers group to be able to copy this as and when they need to, via the share itself. I tried using a batch file stored in the root of the folder but I can't use this because, of course, cmd.exe doesn't have the correct permissions to do the job.

Any thoughts? It's a bit urgent BTW! Can I give cmd.exe the appropriate permissions via GPO or roll them out via Labtech, perhaps?
 
If you give users the ability to launch an admin cmd you're compromising the security of your server.

You might be able to have users trigger a scheduled task that copies the folder using an admin account, but you would also have to figure out a way to pass along the new project name.

Alternately, I believe you can create a Powershell instance with specific permissions that other users can access, but I don't know much about how you set that up and its capabilities/limitations.
 
@phaZed I haven't been able to figure out how, unfortunately.

@trevm999 I agree with the admin cmd comment. I had thought about the scheduled task but I've no idea how I would do that - I'd need to make it both simple and automated. I hadn't thought about Powershell - I'll see if I can find out any more.

I was also considering trying to automate this with Labtech - something like when a ticket is received with the title "create new client folder" then LT runs a script to create a new folder. There would be a delay, I suppose, but being new to LT I'm struggling with it. It's just VAST.
 
So you could create a powershell script that copies the template folder with permissions with a new folder name that it finds in a text file somewhere on the computer.

You then set a scheduled task to run that script with admin permissions when a certain event is written to the event log.

Next you create a powershell script that the user will run. When they run it, it pops up a GUI text input box where they put in the new folder name. The script then writes that name to the text file the first script uses to get the name. The script then writes that event to the event log which triggers the scheduled task.

If you wanted to get real fancy you could try to write the new folder name to the event log instead of a text file, and then get the other script to read the name from the event log.
 
***NOTE*** I have not 100% tested these scripts so I don't know if they will do what you would need them to

The first script would look something like this

Code:
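# Read the requested folder name written by the user-facing script
$newfoldername = Get-Content C:\Folder\name.txt
$newfolderpath = "C:\$newfoldername"
$templatefolder = "C:\Template_Folder"

# -Recurse copies the template's contents, not just an empty top-level folder
Copy-Item -Path $templatefolder -Destination $newfolderpath -Recurse

# Apply the template's ACL to the new top-level folder
Get-Acl -Path $templatefolder |
Set-Acl -Path $newfolderpath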

and then the second one like this

Code:
#Load the .NET assembly that provides the GUI input box
Add-Type -AssemblyName Microsoft.VisualBasic

$ErrorActionPreference = "Stop"

$newfoldername = [Microsoft.VisualBasic.Interaction]::InputBox('New Folder Name', 'Name')


Set-Content C:\Folder\name.txt -Value "$newfoldername"

try
{
    Write-EventLog -LogName Application -Source "Foldercopy" `
    -EntryType Information -EventId 1 -Message "$newfoldername"
}

catch
{
    New-EventLog -LogName Application -Source "Foldercopy"
 
    Write-EventLog -LogName Application -Source "Foldercopy" `
    -EntryType Information -EventId 1 -Message "$newfoldername"
}

And it probably wouldn't be too hard to get rid of the messy txt file and just use the event log
 
err, the second script above wouldn't quite work, you would have to run it as admin the first time in order to create a new event log source, because a standard user can't do that, but then it should work fine afterwards
 
Code:
Get-EventLog -LogName Application -Source Foldercopy -InstanceId 1 -Newest 1 |
Select-Object -ExpandProperty Message
That's how to get the name from the event log instead of the txt file

And there is a ComputerName option for Write-EventLog so they could run it from their computer to make the event on the server
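
An added example, not code from this thread: one way the admin-side scheduled-task script could treat the requested folder name as untrusted input, since it arrives from a standard user through the event log. `$ProjectsRoot`, the helper names and the allow-list pattern are assumptions; the `Foldercopy` source and event ID 1 come from the scripts above.

```powershell
# Added example: privileged worker for the scheduled task. Paths are assumptions.
$ProjectsRoot = 'D:\Shares\Projects'          # assumed share root on the server
$Template     = Join-Path $ProjectsRoot 'Project_Template'

function Test-ProjectName {
    param([string]$Name)
    # Allow-list: letters, digits, space, underscore, hyphen; 1-64 characters.
    # Rejects '..', path separators, drive letters and wildcard characters.
    return $Name -match '^[A-Za-z0-9][A-Za-z0-9 _-]{0,63}$'
}

function New-ProjectFolder {
    param([string]$Name)
    $Name = "$Name".Trim()
    if (-not (Test-ProjectName $Name)) { throw "Rejected project name: '$Name'" }

    $dest = [System.IO.Path]::GetFullPath((Join-Path $ProjectsRoot $Name))
    # Defence in depth: the resolved path must sit directly under the root.
    if ((Split-Path $dest -Parent) -ne $ProjectsRoot) { throw "Path escapes root: $dest" }
    if (Test-Path -LiteralPath $dest) { throw "Already exists, refusing to overwrite: $dest" }

    # /E copies subfolders (including empty ones); /SEC copies data,
    # attributes, timestamps and NTFS ACLs. No /MIR or /PURGE is used,
    # so nothing is ever deleted at the destination.
    robocopy $Template $dest /E /SEC /R:1 /W:1 /NP | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }
    return $dest
}

# The name comes from the newest 'Foldercopy' event, i.e. from an unprivileged user.
$requested = Get-EventLog -LogName Application -Source Foldercopy -InstanceId 1 -Newest 1 |
    Select-Object -ExpandProperty Message
New-ProjectFolder -Name $requested
```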
 
And also this:
robocopy "C:\test" "C:\target\test" /E /ZB /COPYALL /R:1 /W:1

That's how I usually do it.

According to my notes, this works ...

Code:
*NOTE: Omit /lev:2 to copy sub-folders too

Example (Copy 'Users' folders to 'UserData' folder):

robocopy C:\Users C:\UserData /e /z /SEC /xf * /lev:2
 
I tested this just to see, and it didn't work with a standard user account.
 
Well, trying to run it remotely as a non-admin looks like it would be a problem. The solution might be creating a whole new log instead of using the application log and tweaking the permissions for that
 
I'll be honest, I didn't read that part of the OP's post ... it was a bit of a late, last-thing quick reply last night.

Should be possible for a standard user to run it though, using the usual Scheduled Task trick (i.e. create a shortcut to a Scheduled Task that runs a batch file as an admin).
 
I am assuming that he doesn't necessarily want them to have to log into the server in order to do it, so then we have the problem of triggering the task remotely. Which I think gives us the requirements of giving them some remote powershell access to the server, and with my method, access to an event log to write to. Instead of using the event log, they might have permission just to run the scheduled task from powershell, in which case the method of passing the name they want for the new folder to a txt file could work.
 
I just wanted to say a big Thank you to everyone who contributed.

So, I was completely overcomplicating this. The actual solution was Robocopy. The exact solution was to simply map the drive to a client machine, ensure the logged on user had exec rights to the batch file. The functional line of the batch file was

Code:
robocopy path_to_foldertree path_to_destination /mir /sec

For me this translated to something like

Code:
robocopy o:\projects\project_template o:\projects\new_project /mir /sec

which created a copy of the template folder tree with all permissions intact.

Drama over!
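
An added example, not part of the original post: a check that the copy really carries the template's permissions, including the custom non-inherited entries, by comparing the DACL of every item at the same relative path. The function names are assumptions; the paths in the usage comment are the ones quoted above.

```powershell
# Added example: compare NTFS DACLs of a template tree and its copy.
function Get-AclMap {
    param([string]$Root)
    $Root = (Resolve-Path -LiteralPath $Root).Path.TrimEnd('\')
    $map = @{}
    $items = @(Get-Item -LiteralPath $Root) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force)
    foreach ($item in $items) {
        $rel = $item.FullName.Substring($Root.Length)   # '' for the root itself
        # SDDL of the DACL only ('Access'); owner and audit entries are left out.
        # The DACL string includes the inheritance-protection flag and every ACE.
        $acl = Get-Acl -LiteralPath $item.FullName
        $map[$rel] = $acl.GetSecurityDescriptorSddlForm('Access')
    }
    return $map
}

function Compare-TreeAcl {
    param([string]$Template, [string]$Copy)
    $a = Get-AclMap $Template
    $b = Get-AclMap $Copy
    $diff = foreach ($rel in (@($a.Keys) + @($b.Keys) | Sort-Object -Unique)) {
        # A path missing on one side shows up with an empty SDDL on that side.
        if ($a[$rel] -ne $b[$rel]) {
            [pscustomobject]@{ Path = $rel; Template = $a[$rel]; Copy = $b[$rel] }
        }
    }
    return @($diff)
}

# Usage with the paths from the post; an empty result means the ACLs match:
# Compare-TreeAcl 'o:\projects\project_template' 'o:\projects\new_project'
```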
 
I second or third etc... RoboCopy.

Personally, I like this GUI
https://technet.microsoft.com/en-us/library/2006.11.utilityspotlight.aspx

I know it is a decade old, but it has always worked like a champ for me...

This is a log file from an actual copy I did way back in 2011. If you want to verify it is still running, you can open Task Manager.

If you want to see its progress, use something like CMTRACE, which will show you the TAIL end of the file.


-------------------------------------------------------------------------------
ROBOCOPY :: Robust File Copy for Windows
-------------------------------------------------------------------------------

Started : Sat Aug 27 19:27:44 2011

Source : \\SERVERNAME\apps\
Dest : D:\APPS\

Files : *.*

Options : *.* /V /S /E /COPYALL /ZB /NP /R:10 /W:30

------------------------------------------------------------------------------
 