How to Migrate NTFS Permissions Between Directories on Windows Server Without Data Recopy



When migrating data between NTFS volumes in Windows environments, administrators often encounter permission inheritance issues. The core problem stems from how Windows handles ACL (Access Control List) preservation during file operations.

For Windows Server 2008 R2, these methods provide effective permission propagation:

1. Using icacls with Inheritance Flags

The most precise method using built-in tools is to save the ACLs from the source tree and restore them onto the destination:

icacls "C:\source\*" /save permbackup.acl /t /c
icacls "D:\destination" /restore permbackup.acl /t /c

2. PowerShell ACL Transfer Script

For more granular control:

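$source = "C:\source"
$dest = "D:\destination"
# Copy the root folder's ACL first
Set-Acl -Path $dest -AclObject (Get-Acl -Path $source)
# Then copy each item's ACL from its counterpart under $source,
# rather than stamping the root ACL onto every file
Get-ChildItem $source -Recurse | ForEach-Object {
    $target = Join-Path $dest $_.FullName.Substring($source.Length).TrimStart('\')
    if (Test-Path -LiteralPath $target) {
        Set-Acl -Path $target -AclObject (Get-Acl -Path $_.FullName)
    }
}

  • Always test in non-production first
  • Verify inherited vs explicit permissions
  • Account for special permissions like "Deny" entries
  • Handle owner permissions separately if needed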

For environments requiring SACL preservation:

icacls "C:\source\*" /save permbackup.acl /t /c /q
icacls "D:\destination" /restore permbackup.acl /t /c /q

After migrating company data to a new drive on Windows Server 2008 R2, I discovered that while the files transferred successfully, the NTFS permissions didn't carry over. This creates access control issues since users are already working with the new location.

The built-in icacls command is the most efficient solution for this scenario. Here's how to clone permissions from the source to destination:

icacls "D:\OldData\*" /save "%TEMP%\perms.acl" /t /c
icacls "E:\NewData" /restore "%TEMP%\perms.acl" /t /c

  • /save: Exports permissions to a temporary ACL file
  • /restore: Applies saved permissions to the new location
  • /t: Processes all subdirectories
  • /c: Continues despite errors (logging them)

For more complex scenarios, robocopy provides additional control:

robocopy "D:\OldData" "E:\NewData" /copyall /e /xb /r:1 /w:1 /log:perm_transfer.log

Key robocopy switches:

  • /copyall: Copies all file info including security
  • /e: Copies subdirectories including empty ones
  • /xb: Excludes backup files

After permission transfer, verify using:

icacls "E:\NewData\ImportantFolder"

Compare output with the source location to ensure ACEs (Access Control Entries) match.
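One way to automate that comparison across the whole tree, as an added example that is not part of the original article: it compares the DACL of every item under the source with its counterpart in the destination and lists mismatches. The default paths are taken from the commands above; the function names `Get-DaclSddl` and `Compare-TreeAcl` are hypothetical, and only PowerShell 2.0 syntax is used so it runs on Windows Server 2008 R2.

```powershell
# Added example: report items whose DACL differs between source and destination.
# $Source / $Dest defaults are assumptions taken from the article's commands.
param(
    [string]$Source = 'D:\OldData',
    [string]$Dest   = 'E:\NewData'
)

function Get-DaclSddl([string]$Path) {
    # 'Access' limits the SDDL string to the DACL (no owner, group or SACL).
    (Get-Acl -Path $Path).GetSecurityDescriptorSddlForm('Access')
}

function Compare-TreeAcl([string]$Source, [string]$Dest) {
    $root  = (Resolve-Path $Source).ProviderPath
    # Check the root folder itself, then every file and folder below it.
    $items = @(Get-Item $root) + @(Get-ChildItem $root -Recurse -Force)
    foreach ($item in $items) {
        # Path of the item relative to the source root ('' for the root itself).
        $rel    = $item.FullName.Substring($root.Length).TrimStart('\')
        $target = if ($rel) { Join-Path $Dest $rel } else { $Dest }
        $status = 'Match'
        if (-not (Test-Path -LiteralPath $target)) {
            $status = 'MissingInDest'
        } elseif ((Get-DaclSddl $item.FullName) -ne (Get-DaclSddl $target)) {
            $status = 'Different'
        }
        if ($status -ne 'Match') {
            New-Object PSObject -Property @{ Status = $status; Path = $target }
        }
    }
}

$diff = @(Compare-TreeAcl $Source $Dest)
$diff | Format-Table Status, Path -AutoSize
"{0} item(s) differ or are missing" -f $diff.Count
```

Because the SDDL string includes inherited ACEs, a difference on the destination root shows up on every child that inherits from it, so check the root entry first.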

For files with explicit denials or complex inheritance:

icacls "E:\NewData\Sensitive" /reset /t /c
icacls "E:\NewData\Sensitive" /inheritance:r /t /c

  • /reset: Replaces the ACLs with default inherited ACLs
  • /inheritance:r: Removes all inherited ACEs

For regular permission synchronization:

@echo off
set SOURCE=D:\OldData
set DEST=E:\NewData
set LOG=%TEMP%\%~n0.log

icacls "%SOURCE%\*" /save "%TEMP%\perms.acl" /t /c > "%LOG%" 2>&1
if %ERRORLEVEL% neq 0 (
    echo Permission backup failed >> "%LOG%"
    exit /b 1
)

icacls "%DEST%" /restore "%TEMP%\perms.acl" /t /c >> "%LOG%" 2>&1
del "%TEMP%\perms.acl"

  • Run commands from elevated command prompt
  • Backup ACLs before major operations
  • Test in non-production environment first