Unable to read security for source file. Security values will not be copied.

This article explains the cause of the "Unable to read security for source file. Security values will not be copied" error and how to address it.

This article applies to both SureSync and SureSync MFT.

Issue

When running a Job, you receive the following:

"Unable to read security for source file. Security values will not be copied."

This message occurs when you have configured SureSync to copy NTFS security objects. The user account SureSync is running under must be able to read the security objects on the folders and files in order to copy these objects.

Resolution

This error is a permissions issue for the file or folder mentioned in the error. To correct it, ensure that the account SureSync is running under is an Administrator on the machine and has Full Control NTFS permissions for the files. The account used for accessing the files can be determined as follows:

Communications Agent

If you are using the Communications Agent, each machine has its own user account defined for I/O access.

SureSync MFT

Launch the MFT Desktop. Expand Computers and Storage. Expand either Hubs, Servers, or Workstations to find the machine in question. Click on that machine.

On the "General" tab, click on the "Set Credentials for Accessing this Agent" button. The user account will be defined there. Click the "Cancel" button to close the dialog.

SureSync

Launch the SureSync Desktop. Expand Computers. Expand either Servers or Workstations to find the machine in question. Click on that machine.

The user account is under "Run a Communications Agent on this machine" on the General tab.

UNC Paths

By default, when synchronizing via UNC path, the account used for I/O access is the account defined for the Communications Agent through which you are referencing the UNC path.

At times, the UNC path requires a different credential, which can be defined on the path itself.

SureSync MFT

In the MFT Desktop, expand the Job and then expand Roots Paths. Click on the UNC path in question. On the General tab, there is a "Set Credentials" button. The user account will be listed on that dialog. Click the "Cancel" button when done.

SureSync

In the SureSync Desktop, click on the Job and then click on the Root Paths tab. Click on the UNC path and click the "Edit" button. Go to the "Options" tab and the user account will be under "User Id for UNC Path Access."

Required Advanced User Rights

If you are copying auditing and ownership, the account needs the advanced user rights to "Manage auditing and security log" and "Take Ownership of files and other objects." Generally, administrator accounts should already have these rights. These rights can be configured in the Local Security Policy MMC under Local Policies | User Rights Assignment.
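To confirm both the NTFS read access and the two user rights from the account's point of view, the following PowerShell check can be run in an elevated session started as the account SureSync uses for I/O. It is an added example, not part of SureSync or of the original article. The path is a placeholder, and the script assumes the two rights correspond to the Windows privilege constants SeSecurityPrivilege and SeTakeOwnershipPrivilege.

```powershell
# Added example: run elevated, as the account SureSync uses for I/O access.
# Placeholder path (assumption): replace with the file or folder named in the error.
$Path = 'D:\Data\example.txt'

# Privilege constants assumed to back the two user rights named in the article.
$rights = [ordered]@{
    'SeSecurityPrivilege'      = 'Manage auditing and security log'
    'SeTakeOwnershipPrivilege' = 'Take ownership of files and other objects'
}

# whoami /priv lists every privilege in the current token, enabled or disabled.
# /nh plus explicit headers keeps the parsing independent of the display language.
$token = whoami /priv /fo csv /nh | ConvertFrom-Csv -Header Name, Description, State
foreach ($name in $rights.Keys) {
    $held = [bool]($token | Where-Object { $_.Name -eq $name })
    '{0,-26} {1,-42} in token: {2}' -f $name, $rights[$name], $held
}

# Owner and DACL: this is the read that fails when the account lacks
# permission to read the security descriptor on the object.
try {
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    "Owner: $($acl.Owner)"
    $acl.Access |
        Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize |
        Out-String
} catch {
    "Cannot read owner/DACL on ${Path}: $($_.Exception.Message)"
}

# SACL (audit entries): only readable when SeSecurityPrivilege is held.
try {
    $sacl = Get-Acl -LiteralPath $Path -Audit -ErrorAction Stop
    "Audit entries readable: $(@($sacl.Audit).Count)"
} catch {
    "Cannot read SACL on ${Path}: $($_.Exception.Message)"
}
```

In a non-elevated session UAC filters the token, so both privileges can show as missing even when the account has been granted the rights.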

Wrapping Up

Once the permissions issues have been corrected, you must trigger the files to be processed again. The best way to do this is to use the Alerts functionality to process retries.

SureSync MFT

Click on the Job that encountered the errors. In the MFT Desktop ribbon bar, click on Detailed Status. On the Detailed Status panel, click on the "Alerts" button.

From there, you can check the "Retry" checkbox for the relevant errors and process the retries.

SureSync

Click on "Enterprise Status" from the SureSync Desktop. Click on "Alerts." From there, you can check the "Retry" checkbox for the relevant errors and process the retries. This is the most efficient method because it avoids rescans.

If there are many of these errors, you can also rescan the paths in the Job. This will rescan the entire tree and resolve any differences. The full scan adds significant processing overhead and is therefore not recommended.

In SureSync, you right-click on the Job and select "Re-scan file."

In SureSync MFT, you right-click on the Job and select "Force a folder scan of each root path."