Backing Up Data -- Permissions Intact

Thursday Nov 21st 2002 by ServerWatch Staff

Jason Zandri's latest tutorial discusses how to use NTBACKUP to copy data to an alternate location and preserve NTFS permissions. The article explains how to back up data with all of the permissions intact and how to perform a restore.

By Jason Zandri
www.2000trainers.com

Using NTBACKUP to copy data to an alternate location and preserve NTFS permissions

[NOTES FROM THE FIELD] - Before we begin, the key thing that I want to stress in this HOW TO tutorial is this: while it explains how to back up data with all of the permissions intact and how to perform a restore, when you restore to another system only the domain accounts are going to hold their permissions and rights to the data entirely intact. The local accounts, if any, that were assigned rights to the data on the original domain member are going to be unknown to another domain member, and those local accounts from the original system will not be able to access the data properly, if at all.

NTFS is the preferred file system for all computers running Windows 2000 and XP Professional. This version of NTFS is called NTFS 5.

If you are running Windows NT 4.0 Service Pack 4 or later, you can read basic volumes formatted by using NTFS 5 locally on dual boot systems. Windows 2000 and Windows XP Professional can read NTFS 5 on both basic and dynamic volumes.

[NOTES FROM THE FIELD] - Computer systems accessing either version of NTFS across networks are not affected. Version differences are usually only considered in local or dual boot situations.

The following NTFS features are available in version 5:

  • File and Folder Permissions
  • Encryption
  • Disk Quotas
  • File Compression
  • Mounted Drives
  • Hard Links
  • Distributed Link Tracking
  • Sparse Files
  • Multiple Data Streams
  • POSIX Compliance
  • NTFS Change Journal
  • Indexing Service

File and Folder Permissions Under NTFS

In short, File and Folder Permissions under NTFS are designed to allow administrators and data owners to set a level of access (or prevent one) to the data in question.

The Principle of Least Privilege is where users are given only the minimum level of permissions to the network resources needed to perform their given job function and nothing higher.

Using NTFS, you can set permissions down to the file level, whereas under FAT16 or FAT32 this security is limited to shares only and has no effect when logging on interactively (locally on the system).

Some key points to remember are:

  • Creator Owners are assigned the Full Control permission to the data and objects that they create.
  • Partitions and volumes originally formatted with NTFS are automatically configured to assign the Full Control permission to the Everyone group at the root of the drive by default.
  • FAT16 and/or FAT32 partitions that are converted to NTFS are designed to assign the Full Control permissions to the Everyone group on all resources on that volume by default.

There are two types of permissions within the NT file system: Explicit permissions are the type specifically set on a given object; and inherited permissions are those gained from a parent container, such as a parent folder or organizational unit. The default behavior of the NT file system is to allow inheritance to child objects (folder, file or active directory object), from the parent folder or container.

Copying Files and Folders

Regardless of how an object gains its permissions, allowing it to keep them when being moved or copied is always an issue.

Some key points to remember are:

  • To copy files or folders within or between NTFS volumes, the user must have the Add permission for the destination folder at the minimum to perform the file copy.
  • The user who performs the copy will become the owner of the new file or folder.
  • When files or folders are moved within the same NTFS partition, they retain their permissions.
  • When files or folders are copied within the same partition or between NTFS partitions, or moved to another partition altogether, they inherit the permissions of the destination folder.
  • When files or folders are copied (or moved) to FAT16 or FAT32 volumes, they lose their NTFS permissions because FAT16 and FAT32 volumes do not support local permissions natively within the file system as NTFS does.

Moving Files and Folders

Some key points to remember are:

  • To move files or folders between NTFS partitions, the user must have the Add permission for the destination folder or file and the Delete permission for the source folder or file. The Delete permission for the source folder or file is required because the folder or file is deleted from the source folder once the move to the destination folder is complete.
  • When the folder or the file is moved to another partition, the user who performed the move will become Creator Owner.
  • When files or folders are moved within the same volume, they retain their original permissions.
  • When files or folders are moved across different volumes, they inherit the permissions of the destination folder.
  • When files or folders are moved (or copied) to FAT16 or FAT32 volumes, they lose their NTFS permissions because FAT16 and FAT32 volumes do not support local permissions natively within the file system as NTFS does.

Moving Files and Folders and Retaining Security Permissions

NTBACKUP can be used as a quick solution to copy or move selected data to a new location and retain all of the previously set NTFS permissions in a domain environment.

[NOTES FROM THE FIELD] - Again, the key thing I want to stress on this is that you can also do this outside of a domain environment, but because the local account database will not have any reference to any of the migrated account settings, all access to the data would be denied via these accounts.

The procedure to do this would be to start NTBACKUP from the Start menu or the Run window, which will bring up the Backup and Recovery Tools window.

(On a Windows XP system this is called the Backup Utility Advanced Mode and offers the Automated System Recovery Wizard, as shown below.)

I will continue with the Windows 2000 version, since both produce the same result for what we are showing here.

When you select the Backup Wizard icon, the welcome screen will appear and you can select Next to continue.

You are then presented with the opportunity to choose what it is that you want to back up.

For the example we are presenting here, a quick solution to copy or move selected data to a new location and retain all of the previously set NTFS permissions in a domain environment, we will choose the Back up selected files, drives, or network data option and click Next to continue.

The next screen is the Items to Back Up screen where we select the files or folders we want to back up. After this is done, click Next again to continue.

The next screen asks where you would like to store the backup file and what to name it. The location can even be the remote system to which we are eventually going to restore the data. It can also be a floppy, ZIP or CDR(W) media.

The subsequent window displayed is the Completing the Backup Wizard screen, which allows you to finish the wizard or select Advanced to configure more settings. By selecting Advanced, we can accept all of the listed defaults on the upcoming series of screens and immediately kick off the backup. (You should opt to choose the Verify backup checkbox, to verify that the backup checksums OK.)

After selecting Advanced and choosing the best practice of verifying your backup set, you can accept all of the defaults and kick off the backup, which will run and display the following screen at completion.

The backup file will be written to the location specified and can be copied and pasted, if need be, to the new location where it is to be expanded with its security settings intact.

The next procedure is to run the NTBACKUP wizard again and to select the Restore Wizard, which will ask you What to Restore. Here, you can select the entire backup set or just parts of it, as shown below.

Once you select Next, the Completing the Restore wizard screen appears. Select the Advanced button to continue rather than simply choosing Finish, so that you can verify the settings needed to properly preserve the original security settings.

The first screen that appears is the Where to Restore window, where you can choose to restore to the original backup directory by choosing Original Location, a different location by choosing Alternate Location, or you can choose to dump numerous files from different locations within the backup set to one place by choosing Single Folder.

For this particular operation of a quick solution to copy or move selected data to a new location and retain all of the previously set NTFS permissions in a domain environment, we will choose the Alternate Location option, set the path and click Next.

Depending on your needs, you can realistically choose any of the options available on the How to Restore screen. For the purposes of maintaining NTFS security on files and folders, the Always replace the file on disk option (to overwrite existing files with the updated ones and the proper security context) should be selected.

The next screen is the Advanced Restore Options page. Here, you elect to keep your current level of NTFS security by verifying the Restore security checkbox is selected. (This is the default selection.)

The next page is the wizard completion page, where you click Finish to start the restoration procedure. (A window may open one last time to ask you for the location of the backup set to be used. If it does, either enter it or browse to the location of the file and then start the restore.)

When the process is complete, the above status window will be shown. When you view the data that was restored, you will find that it does contain all of the original NTFS security settings in the new location.
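A post-restore check, added here as an example and not part of the original article: this PowerShell script, run on the destination system, compares the owner and explicit NTFS ACEs of the source and restored trees and lists any trustee SIDs the destination cannot resolve, which is the local-account case described in the notes above. Both default paths are placeholders, and the function and variable names are illustrative.

```powershell
# Added example; requires Windows PowerShell 3.0 or later. Run on the destination system.
param(
    [string]$SourceRoot   = '\\OLDSRV\D$\Data',  # placeholder: original folder
    [string]$RestoredRoot = 'E:\Data'             # placeholder: Alternate Location used in the restore
)
$sidType = [System.Security.Principal.SecurityIdentifier]

function Get-AclSnapshot([string]$Root) {
    $base  = (Get-Item -LiteralPath $Root).FullName.TrimEnd('\')
    $snap  = @{}
    $items = @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Recurse -Force)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        # Explicit ACEs only; inherited ACEs come from whatever parent the tree sits under.
        $rules = @($acl.GetAccessRules($true, $false, $sidType))
        $aces  = $rules | ForEach-Object {
            '{0}|{1}|{2}|{3}|{4}' -f $_.IdentityReference.Value, $_.AccessControlType,
                $_.FileSystemRights, $_.InheritanceFlags, $_.PropagationFlags
        } | Sort-Object
        # Key each entry by its path relative to the root so the two trees line up.
        $snap[$item.FullName.Substring($base.Length)] = [pscustomobject]@{
            Owner = $acl.GetOwner($sidType).Value
            Aces  = $aces -join ';'
            Sids  = @($rules | ForEach-Object { $_.IdentityReference.Value })
        }
    }
    $snap
}

$src = Get-AclSnapshot $SourceRoot
$dst = Get-AclSnapshot $RestoredRoot

# 1. Items that were not restored, or whose owner or explicit ACEs differ from the source.
foreach ($rel in $src.Keys) {
    if (-not $dst.ContainsKey($rel))                { "MISSING    $rel" }
    elseif ($src[$rel].Owner -ne $dst[$rel].Owner)  { "OWNER DIFF $rel" }
    elseif ($src[$rel].Aces  -ne $dst[$rel].Aces)   { "ACL DIFF   $rel" }
}

# 2. Trustees and owners in the restored tree that this system cannot map to an account,
#    for example local accounts that existed only on the original machine.
$dst.Values | ForEach-Object { $_.Sids; $_.Owner } | Where-Object { $_ } |
    Sort-Object -Unique | ForEach-Object {
        $sid = New-Object System.Security.Principal.SecurityIdentifier $_
        try   { [void]$sid.Translate([System.Security.Principal.NTAccount]) }
        catch { "UNRESOLVED $($sid.Value)" }
    }
```

An empty result means every restored item kept its owner and explicit ACEs and every trustee resolves on the destination; any UNRESOLVED line identifies an ACE that has to be reassigned to a domain account or group.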

Best of luck in your studies and please feel free to contact me with any questions on my articles and remember:

"Weak passwords trump strong security."

Jason Zandri
