Wednesday, May 29, 2013

Schedule a robocopy task on Windows 2008 R2 (WIP)

Objective:
1. Schedule a task to copy a set of files from a DC to another DC.
2. Apply least privilege principle.

Environment:
Windows 2008 R2 (
Robocopy version on Windows 2008 R2 (XP10 aka 5.1.10.1027)

Symptoms:
Using robocopy, you will be able to copy folders from source location to destination location (folders will be created). However, files within the source folder will fail to copy.

Common errors:
1. ERROR : You do not have the Manage Auditing user right.
2. ERROR 5 (0x00000005) Copying NTFS Security to Destination Directory -instead-path-here- Access is denied.

Required Permissions:

To use the robocopy /COPYALL switch on a DC, at minimum, user account MUST BE in "Builtin\Administrators" group.

THIS CAN'T BE AVOIDED. Ref URL #4 below - "UAC operates under a dual token method where even if you have the right to have elevated access, until you request it via UAC its not provided. Once requested its a new process."

Tried to minimize security access with credentials "Builtin\Server Operators" (able to open an elevated command prompt but UAC will prompt for password) and "Builtin\Backup Operators"
However, with these credentials, during the copy process, the folders will be created successfully but files inside folders, you will hit error #2 mentioned above.


Required NTFS Permissions
1. Source location, at least read access to the files and folders
2. Destination location, "full control" to files and folders (If not you may have
3. If your destination folder is in a root folder, ie, D:\ or E:\, you will need to
3.1. Disable inheritance
3.2 Grant full control to the user that is used to run the robocopy scheduled task script

Windows 2008 R2 may not copy ACLs properly
Workaround:

1. XCOPY source_folder target_folder /I /E /X /T 
2.  ROBOCOPY source_folder target_folder /COPYALL /SECFIX /E 

References:
1. http://ss64.com/nt/robocopy.html
2. http://social.technet.microsoft.com/Forums/en-US/winserverfiles/thread/292b40ec-a6b3-47db-b9ac-e7ab9aa5c913
3. http://serverfault.com/questions/419835/what-permissions-are-required-to-back-up-to-a-remote-folder
4. http://superuser.com/questions/416188/is-there-any-way-to-elevate-a-command-prompt-in-windows-7
5. http://support.simplefailover.com/KB/a5/using-robocopy-with-simple-failover.aspx
6. http://virtualmowfo.blogspot.sg/2009/07/running-scheduled-task-using-system.html