Jason Zandri's latest tutorial discusses how to use NTBACKUP to copy data to an alternate location and preserve NTFS permissions. The article explains how to back up data with all of the permissions intact and how to perform a restore.
Using NTBACKUP to copy data to an alternate location and preserve
[NOTES FROM THE FIELD] - Before we begin, the key thing that I
want to stress on this HOW TO tutorial is that while it will explain how to back up data with all of the permissions intact and how to perform a restore, the
one thing to remember is that in the situation where you restore to another
system, only the domain accounts are going to hold their permissions and rights
to the data entirely intact. The local accounts, if any, that were assigned
rights to the data on the original domain member are going to be unknown
to another domain member and those local accounts from the original system will
not be able to access the data properly, if at all.
NTFS is the preferred file system for all computers running Windows 2000 and XP
Professional. This version of NTFS is called NTFS 5.
If you are running Windows NT 4.0 Service Pack 4 or later, you can read basic volumes
formatted by using NTFS 5 locally on dual boot systems. Windows 2000 and Windows
XP Professional can read NTFS 5 on both basic and dynamic volumes.
[NOTES FROM THE FIELD] - Computers systems accessing either version of NTFS across networks are not
affected. Version differences are usually only considered in local or dual boot
The following NTFS features are available in version 5;
- File and Folder Permissions
- Disk Quotas
- File Compression
- Mounted Drives
- Hard Links
- Distributed Link Tracking
- Sparse Files
- Multiple Data Streams
- POSIX Compliance
- NTFS Change Journal
- Indexing Service
File and Folder Permissions Under NTFS
In short, File and Folder Permissions under NTFS are designed to allow
administrators and data owners to set a level of access (or prevent one) to
the data in question.
The Principal of Least Privilege is where users are given only the minimum level
of permissions to the network resources needed to perform their given job
function and nothing higher.
Using NTFS you can set permissions down to the file level, where under FAT16 or
FAT32 this security is limited to shares only and has no effect when logging on
interactively (locally on the system).
Some key points to remember are:
- Creator Owners are assigned the Full Control permission
to the data and objects that they create.
- Partitions and volumes originally formatted with
NTFS are automatically configured to assign the Full Control permission to the
Everyone group at the root of the drive by default.
- FAT16 and/or FAT32 partitions that are converted to NTFS
are designed to assign the Full Control permissions to the Everyone group on
all resources on that volume by default.
There are two types of permissions within the NT file system: Explicit permissions are the type specifically set on a given
object; and inherited permissions are those gained from a parent container,
such as a parent folder or organizational unit. The default behavior of the NT
file system is to allow inheritance to child objects (folder, file or active
directory object), from the parent folder or container.
Copying Files and Folders
Regardless of how an object gains its permissions, allowing it to keep them when being moved or copied is always an issue.
Some key points to remember are:
- To copy files or folders within or between NTFS volumes, the user must have
the Add permission for the destination folder at the minimum to perform the file
- The user who performs the copy will become the owner of the new file or folder.
- When files or folders are moved within the same NTFS partition, they retain
- When files or folders are copied within the same partition or between NTFS partitions, or moved to another partition altogether, they inherit the permissions of the destination folder.
- When files or folders are copied (or moved) to FAT16 or FAT32 volumes, they lose their NTFS permissions because FAT16 and FAT32 volumes do not support local
permissions natively within the file system as NTFS does.
Moving Files and Folders
Some key points to remember are:
- To move files or folders between NTFS partitions, the user must have the Add
permission for the destination folder or file and the Delete permission for the
source folder or file. The Delete permission for the source folder or file is
required because the folder or file is deleted from the source folder once the
move to the destination folder is complete.
- When the folder or the file is moved to another partition, the user who performed the move will become Creator Owner.
- When files or folders are moved within the same volume they retain their original
- When files or folders are moved across different volumes they inherit the permissions of the destination folder.
- When files or folders are moved (or copied) to FAT16 or FAT32 volumes, they lose their NTFS permissions because FAT16 and FAT32 volumes do not support local
permissions natively within the file system as NTFS does
Moving Files and Folders and Retaining Security Permissions
NTBACKUP can be used as a quick solution to copy or move selected data to a new location and retain all of the previously set NTFS permissions in a domain environment.
[NOTES FROM THE FIELD] -
Again, the key thing I want to stress on this is that you
can also do this outside of a domain environment, but because the local account
database will not have any reference to any of the migrated account settings,
all access to the data would be denied via these accounts.
The procedure to do this would be to start NTBACKUP from the start menu of
the RUN window, which will bring up the Backup and Recovery Tools
(On a Windows XP system this is called the Backup Utility Advanced Mode and offers the Automated System Recovery Wizard, as shown below.)
I will continue with the Windows 2000 version, since both produce the same result for
what we are showing here.
When you select the Backup Wizard icon, the welcome screen will appear and you can select Next to continue.
You are then presented with the opportunity to choose what it is that you want to back
For the example we are presenting here, a quick solution to copy or move selected data to a new location and retain all of the previously set NTFS permissions in a
domain environment, we will choose the Back up selected files, drives, or
network data option and click Next to continue.
The next screen is the Items to Back Up screen where we select the files
or folders we want to back up. After this is done, click Next again to
The next screen asks where you would like to store the backup file and what to name it. The location can even be the remote system to where we are going to eventually
restore the data to. It can also be to a floppy, ZIP or CDR(W) media as
The subsequent Window displayed is the Completing the Backup Wizard screen, which allows you to finish the wizard or select Advanced to configure more settings. By selecting Advanced, we can accept all of the listed defaults on the upcoming series of screens and immediately kick off the backup. (You should opt to choose the Verify backup checkbox, to verify that the backup checksums OK.)
After selecting Advanced and choosing the best practice of verifying your backup set,
you can accept all of the defaults and kick off the backup, which will run and
display the following screen at completion.
The backup file will be written to the location specified and can be copied and pasted, if need be, to the new location where it is to be expanded with its security
The next procedure is to run the NTBACKUP wizard again and to select the
Restore Wizard, which will ask you What to Restore. Here, you can
select the entire backup set or just parts of it, as shown below.
Once you select Next, the Completing the Restore wizard screen appears, and you will need to select the Advanced button to continue rather than simply
choosing Finish to verify some settings to properly preserve the
original security settings.
The first screen that appears is the Where to Restore window, where you can choose to restore to the original backup directory by choosing Original
Location, a different location by choosing Alternate Location, or you
can choose to dump numerous files from different locations within the
backup set to one place by choosing Single Folder.
For this particular operation of a quick solution to copy or move selected data to a new location and retain all of the previously set NTFS permissions in a domain
environment, we will choose the Alternate Location option, set the path
and click Next.
Depending on your needs, you can realistically choose any of the options available
on the How to Restore screen. For the purposes of maintaining NTFS
security on files and folders, always replace the file on disk (to overwrite existing files with the updated ones and the proper security context) should be selected.
The next screen is the Advanced Restore Options page. Here, you elect to keep your current level of NTFS
security by verifying the Restore security checkbox is selected. (This is
the default selection.)
The next page is the wizard completion page where you would click Finish to
complete your task to start the restoration procedure. (A window may open one
last time to ask you for the location of the backup set to be used. If it does
either enter it or browse to the location of the file and then start the
When the process is complete, the above status window will be shown. When you view the data that was restored, you will find that is does contain all of the original
NTFS security settings in the new location.
Best of luck in your studies and
please feel free to contact me with any questions on my articles and remember:
"Weak passwords trump strong