Access Denied Backing up / viewing files on Windows NTFS partition. How do not destructively fix permissions?

Question

Operating system is 2000/XP/Vista/7. It should all be the same really.

I am trying to view files or do a complete back up of a hard drive that is from a different Windows install. The problem is that some of the folders belonging to non privileged users or files left behind from goofy install programs are missing SYSTEM or Administrators = Full Control (or at least read) permissions.

Now I know that there are a lot of answers about "Taking Ownership" and then selecting "Replace owner on subcontainers and objects". Windows will then ask if you want to give yourself Full Control permissions, since being the owner only allows you to view and change permissions, but does not give access directly, so you still have to give yourself access. The problem is this method changes the owner on everything, even users' files. Although it may be rare, this results in a situation where users who don't have themselves = Full Control on their files, and depend on having ownership to change permissions, can no longer change permissions on their files. That's why this method can be destructive to the system that is being backed up.

Edit: The other problem with the Windows "Take Ownership" method is that, at least on XP, it only gives Full Control permissions when an object lacks read access. If you have read access it leaves it alone. When a folder is copied to the backup NTFS partition, the permissions are then set with read only access, and then subfolders and files fail to be written.

What I'm looking for is a utility that will add Administrators = Full Control (or Read or Modify if requested) to all files on the system that lack the permission. Normally almost all files have it because permissions are inherited. The utility should not change the ownership of the files unless it is absolutely necessary to add this permission. Edit: Even better would be to set Backup Operators = Full Control on all objects which don't inherit permissions. Some files on Windows don't have write access by Administrator to prevent accidents, and it would be nice to leave them that way.

It would be nice if the permission could be added without changing ownership, but apparently even the Backup Operators group and the SYSTEM accounts cannot access files which lack the proper permissions, and I assume those accounts cannot change permissions either until ownership is granted.

Edit: solution so far to view files: Just take ownership, or follow the backup instructions and take ownership of the backup and use that. Changing the owner on files and directories won't harm anything unless a user removed their own permissions, which is rare.

To backup using Microsoft tools: xcopy doesn't make use of Backup Operator permissions, and robocopy does everything including long path names, but doesn't support JUNCTIONS other than /XJ to ignore them. But both tools can be used together. Vista and later make use of JUNCTIONS to redirect directories like "Documents and Settings" to the new folder names. Some programs like Java on 2000/XP may create JUNCTIONS, but it's not always essential to preserve that in a backup. Pre Vista users need to install the Windows resource kit to get robocopy and linkd. You need to be a member of the Backup Operators group to use the /b flag of robocopy and bypass permissions.

Step 1: Copy all the JUNCTIONS. XP xcopy is used in this example. Vista xcopy may have changed behavior, as it does have a copy links option. Note that the "\Users\All Users" folder on Vista is a LINK rather than a JUNCTION, and only Vista and later xcopy has the option to copy links. This command will copy all directories, and JUNCTIONS, but no files. It generates an Access Denied error after copying each JUNCTION, but it works as long as /O is used.

xcopy e:\ d:\e_drive_backup\ /T /E /H /K /O /X /C

Step 2: Make sure the JUNCTIONS were copied. linkd should tell you that Documents and Settings points to C:\Users. dir /a will show them as JUNCTION.

linkd "d:\e_drive_backup\Documents and Settings"

Step 3: Now that all the JUNCTIONS are copied, it's time to use robocopy (start the command prompt from the Resource Kit in the Start Menu if needed).

robocopy e:\ d:\e_drive_backup\ /E /B /COPYALL /XJ

Other methods: I read that FastCopy from https://ipmsg.org/tools/fastcopy_beta.html.en can be used, but I haven't tried it yet.

Answer 1

Trying to change permissions on a drive to “backup” the contents is really, really messy.

Windows already provides us a mechanism to backup files regardless of permissions. Most actual backup applications use it. It is called Backup Operator permissions. Just being a member of the backup operators group is not going to suddenly make you be able to copy and paste files regardless of permissions. It requires special requests through the Windows API to indicate the action is for backup / restore purposes.

I suggest you forget trying to change permissions which is completely unnecessary. Use an application that is actually made for backing up files.

At the most basic level you can simply use RoboCopy with the /b parameter. Make sure you run robocopy from an administrative command prompt. Adding the /copyall parameter or other related options will actually preserve the file attributes, including ownership and permissions when it is copied. Preserving file attributes is a key feature in any backup application.