Bypass/ignore NTFS security rights under Admin for backup.

[Bert-Steffen Visser]

For the purpose of making backups using scripts, I need like to bypass the NFTS security rights under the Administrator account. For example, if some user limits the access rights of folders/files to all other users including the Administrators group, these files cannot be auto-backuped (permission denied, obviously and annoyingly).

I know a few workarounds, but they are quite unacceptable for such a simple task.
1) Of course, the administrator can force ownership and change security rights in a script to force access. But I don't want to change the security rights, since I want users to maintain their ownership over the files.
2) I'm aware of 'Back up files and directories' policy in the local security policy. But that only works if you use the Backup API. I just want to use plain and simple scripts! So that's no option either.

I'm also aware that some consider this behavior a 'feature'. Well, since an administrator can always access the files, for me it's just annoying. So, I would be greatful if somebody knows a solution, tweak or whatever!

Thanks,
Bert

 

[Jan Peter Stotz]

I know a few workarounds, but they are quite unacceptable for such a
simple task. 1) Of course, the administrator can force ownership and
change security rights in a script to force access. But I don't want to
change the security rights, since I want users to maintain their
ownership over the files.
2) I'm aware of 'Back up files and
directories' policy in the local security policy. But that only works if
you use the Backup API.

When you talk about "Backup API" do you have the function
BackupRead/BackupWrite in mind?

I just want to use plain and simple scripts! So
that's no option either.

Have you tried CreateFile() with FILE_FLAG_BACKUP_SEMANTICS ?

Jan

 

[Bert-Steffen Visser]

When you talk about "Backup API" do you have the function
BackupRead/BackupWrite in mind?


Have you tried CreateFile() with FILE_FLAG_BACKUP_SEMANTICS ?

Thanks for the hint. I was also aware of the CreateFile function. But that would imply writing an own copy/sync command line tool based on the CreateFile/BackupRead function.

I really prefer to use copy/rsync directly in my backup scripts. These are well tested and for something this simple I'd like to use an off-the-shelve solution. So I was hoping there is a security policy/tweak so that an administrator can simply access all the files (like he should be able in the first place, but well...)

greetz,
Bert

 

[Jan Peter Stotz]

Thanks for the hint. I was also aware of the CreateFile function. But
that would imply writing an own copy/sync command line tool based on the
CreateFile/BackupRead function.

I really prefer to use copy/rsync directly in my backup scripts.

I haven't tried it but I know that the tool robocopy has an option "copy
files in Backup mode". Robocopy is part of the free W2K3 Resourcekit Tools

Jan

 

[Bert-Steffen Visser]

Bert-Steffen Visser schrieb:


I haven't tried it but I know that the tool robocopy has an option "copy
files in Backup mode". Robocopy is part of the free W2K3 Resourcekit Tools

Jan

Thanks! That's the best solution I've got so far. It works. And I'll use it till I can find a bypass (if possible at all).

greetz,
Bert