When copying NTFS security, results are different on the destination

Copying NTFS security is a complex topic. This article explains why security can be copied successfully and the permissions still not match between source and destination. It also explains how to correct the issue.

SureSync has the ability to copy NTFS Security. This is configured on the "Copy Security" tab of the Rule and is accomplished via replication of the Access Control List (ACL).

When copying an Access Control List (ACL), it is important to understand what the ACL contains. The ACL contains any explicitly defined permissions, for example those created when you manually add the account domain\user1 to a folder or file and set specific permissions. The ACL also contains the status of the inheritance flag, which is either on or off.

Because of what the ACL contains, the security copy can complete successfully while the results look different from what you expect. For example, assume you have the following permissions defined on the source file:

Account/Group           Permission Definition
Administrators group    Inherited
Sales group             Inherited
Marketing group         Inherited
domain\user1            Explicitly defined

On the destination side, the inherited permissions are different:

Account/Group           Permission Definition
Administrators group    Inherited

When the ACL is copied from the source, it contains the state of the inheritance flag (On) and the domain\user1 explicitly defined permission.

On the destination, this will result in:

Account/Group           Permission Definition
Administrators group    Inherited
domain\user1            Explicitly defined

Why the difference? It's all in the inheritance flag. The inheritance flag does not define specific groups and user accounts. It only says "you should inherit from your parent folder." Since the permissions are different on the source and destination parent folders, the permissions are different.

Resolution

To resolve the difference, you must set the permissions on your root path level folders to be the same using Windows Explorer. When the root path level folders on each path in the Job have the same NTFS permissions, they will be inherited properly and the security will match on each side.
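
The following PowerShell is an added example, not part of the original article or of SureSync. It lists the inheritance flag state on the two root path folders and reports any ACL entries present on one but not the other, so you can confirm the root folders match; both paths are placeholder assumptions and Get-AceSummary is a hypothetical helper name.

```powershell
# Added example: compare the ACLs on the two root path folders of a Job.
# Both paths are placeholders (assumptions); substitute your own root paths.
$SourceRoot      = 'D:\Shares\Data'
$DestinationRoot = '\\SERVER2\Shares\Data'

# Hypothetical helper: one object per access control entry (ACE) on $Path.
function Get-AceSummary {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        [pscustomobject]@{
            Path      = $Path
            Identity  = $ace.IdentityReference.Value
            Type      = $ace.AccessControlType      # Allow or Deny
            Rights    = $ace.FileSystemRights
            AppliesTo = "$($ace.InheritanceFlags)/$($ace.PropagationFlags)"
            Inherited = $ace.IsInherited            # False = explicitly defined
            # Key ignores Inherited: child items inherit the entry either way.
            Key       = '{0}|{1}|{2}|{3}|{4}' -f $ace.IdentityReference.Value,
                        $ace.AccessControlType, $ace.FileSystemRights,
                        $ace.InheritanceFlags, $ace.PropagationFlags
        }
    }
}

$src = @(Get-AceSummary -Path $SourceRoot)
$dst = @(Get-AceSummary -Path $DestinationRoot)

# State of the inheritance flag on each root folder.
foreach ($p in $SourceRoot, $DestinationRoot) {
    $state = if ((Get-Acl -LiteralPath $p).AreAccessRulesProtected) { 'Off' } else { 'On' }
    "Inheritance flag on ${p}: $state"
}

# Entries present on one root folder but not on the other.
$mismatch = @($src | Where-Object { $_.Key -notin $dst.Key }) +
            @($dst | Where-Object { $_.Key -notin $src.Key })

if ($mismatch.Count -eq 0) {
    'Root folder ACLs match.'
} else {
    $mismatch | Format-Table Path, Identity, Type, Rights, AppliesTo, Inherited -AutoSize
}
```

Any row in the output is an entry that child files and folders will inherit on one side only, which is the source of the mismatch described above.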