Hello,
I set up a backup project with 2 systems (Windows 10). One of them is connected via a USB drive to a hard disk where the backups of the 2 systems are copied to. I use user tasks for the synchronisation. The structure of the folders is as follows:
<Drive>:\Backup\<system>\Users\<user>\<user files>
<system> could be <system1> or <system2>. <user> could be public, <user1> to <userN>. That means the FFS task contains 2 directories, <userN> and user public. I created the folders Backup, <system> and Users with the standard permission and inheritance.
The users of the system without the USB disk drive are connected to the system with the disc drive via a network connection.
After preparing that I started the backup tasks and nearly everything looks fine. A problem is that every user can read all the data of the others.
In order to save the permissions of the users against each other I changed the permissions of ...\Users\<user> to those which are given to C:\Users\<user>. That works fine for the system to which the disc drive is connected.
At the other one the user task wrote a log with the warning
"File ...\public\sync.ffs_lock can`t be written."
"ERROR_ACCESS_DENIED: Access denied [CreateFile]"
and with an error
"Folder ...\public can`t be opened."
"ERROR_ACCESS_DENIED: Access denied [DirReaderPlus]"
As I do not really understand Windows permissions, I don't have any idea which permissions are missing.
Can anybody help?
Regards,
Uwe
ERROR_ACCESS_DENIED: ... [CreateFile] or ... [DirReaderPlus]
- Posts: 7
- Joined: 13 Jan 2022
-
- Posts: 4867
- Joined: 11 Jun 2019
- Posts: 7
- Joined: 13 Jan 2022
Thank you for the quick reaction.
I already used the option "Fail-safe file copy" and no other option. To get admin rights I changed the user task option "run with highest rights" and nothing changed in the resulting log.
Now I'm not sure if you mean what I tried. I have to read how to run a task with admin rights. That needs a little bit of time.
Regards
- Posts: 7
- Joined: 13 Jan 2022
I haven't found any other solution. Is it right that by "make sure the FreeFileSync process is running with admin rights" you mean to use the task option "run with highest rights"?
Uwe
-
- Posts: 4867
- Joined: 11 Jun 2019
Did you read the section I posted??
"Copying NTFS permissions is not needed in general and is best left disabled. Go to Menu → tools → options and ensure permission copying is unchecked.
If you are an administrator and really need to preserve DACL, SACL, Owner and Group permissions, make sure the FreeFileSync process is running with admin rights."
You need to check the option that copies permissions, run FFS as admin, and restart the whole backup
- Posts: 7
- Joined: 13 Jan 2022
From my point of view, I have now followed your recommendation.
At the server system I removed the folder <Drive>:\Backup\<system>\Users. At the client system I unchecked the option "Fail-safe file copy" and set "Copy DACL, SACL, Owner, Group" in FFS. I created a user task for one of the users with the option "execute if logged in" and set "execute with highest permissions" which means that the job and therefore FFS will run as admin.
The result is that folder ..\Users at the server will be created and the job died with 2 Errors:
1. Cannot write permissions of "Z:\Users\<user>".
ERROR_PRIVILEGE_NOT_HELD: Client missed a required permission. [SetFileSecurity]
2. Cannot write permissions of "Z:\Users\Public".
ERROR_PRIVILEGE_NOT_HELD: Client missed a required permission. [SetFileSecurity]
Is there a solution for that or is something wrong?
-
- Posts: 4867
- Joined: 11 Jun 2019
The network share isn't set to allow permissions editing from the SYSTEM account. The SYSTEM account is used when you run a task with highest privileges. Add SYSTEM to the network share permissions and check "Full Control". I would also like Zenju's input on whether or not running FFS as admin is actually required. Usually it is so that you can set permissions on local drives, but I am not sure if you need admin to read permissions locally and then set them on remote files.
- Posts: 7
- Joined: 13 Jan 2022
Thank you for the inspiring assistance.
In both cases the folder ../Users will be created.
Adding SYSTEM to the network share permissions and check "Full Control" hasn't changed the result above (2 errors with missing SetFileSecurity).
Unchecking "execute with highest permissions" leads to the following 2 Errors:
1. Cannot read permissions of "C:\Users\<user>".
ERROR_ELEVATION_REQUIRED: ... [AdjustTokenPrivileges(SeSecurityPrivilege)]
2. Cannot read permissions of "C:\Users\Public".
ERROR_ELEVATION_REQUIRED: ... [AdjustTokenPrivileges(SeSecurityPrivilege)]
It seems to me that execution with admin rights is necessary.
I further thought about the properties of the server share and found that the owner of it is the admin user which I used to configure the share. I changed it to SYSTEM. But that also hasn't changed anything.
Is there a security application in Windows 10 which forbids remote SetFileSecurity?
- Posts: 7
- Joined: 13 Jan 2022
Due to the confusing situation I made a step back and analyzed the backup from the server system to the USB drive. I'm trying to synchronize C:\Users to Z:\Backup\<server>\Users.
My statement above in the initial part that the backup works fine was wrong. The user task with admin rights doesn't correctly adopt the inheritance and the permissions from C:\Users to Z:\Backup\<server>\Users.
Can anybody explain whether my expectation of FFS regarding the inheritance and the permissions is right or wrong?
By the way, if I configure .../Users and .../Users/<admin user> by hand the process works correctly and other users and the user Public with its complex permissions and stopped inheritance will be configured correctly. To see the expected permissions and inheritance look at C:\Users and one of the configured users.
When configuring by hand, I often have to confirm that I really want to create a folder. Could that be a reason which disturbs FFS?
- Posts: 7
- Joined: 13 Jan 2022
Should FFS adopt the inheritance and the permissions from C:\Users to Z:\Backup\<server>\Users?
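
To see which part of the permissions differs between a source folder and its backup copy, as asked in the last posts, the following added PowerShell example (not part of the thread and not FreeFileSync code) compares owner, inheritance flag and explicit ACEs of two folders. The function names and the temporary demo folders are assumptions made for the example; it reads only the owner and the DACL, not the SACL.

```powershell
# Added example (not from the thread). Function names are hypothetical.
function Get-AclSummary {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path           # owner + DACL only, no SACL
    [pscustomobject]@{
        Owner              = $acl.Owner
        InheritanceBlocked = $acl.AreAccessRulesProtected
        # Explicit (non-inherited) ACEs as comparable strings
        ExplicitAces       = @($acl.Access | Where-Object { -not $_.IsInherited } |
            ForEach-Object {
                '{0} | {1} | {2} | {3} | {4}' -f $_.IdentityReference, $_.AccessControlType,
                    $_.FileSystemRights, $_.InheritanceFlags, $_.PropagationFlags
            } | Sort-Object)
    }
}

function Compare-FolderAcl {
    param([Parameter(Mandatory)][string]$Source,
          [Parameter(Mandatory)][string]$Backup)
    $s = Get-AclSummary -Path $Source
    $b = Get-AclSummary -Path $Backup
    $diff = @()
    if ($s.Owner -ne $b.Owner) { $diff += "Owner: '$($s.Owner)' vs '$($b.Owner)'" }
    if ($s.InheritanceBlocked -ne $b.InheritanceBlocked) {
        $diff += "Inheritance blocked: $($s.InheritanceBlocked) vs $($b.InheritanceBlocked)"
    }
    foreach ($ace in $s.ExplicitAces) {
        if ($b.ExplicitAces -notcontains $ace) { $diff += "Only on source: $ace" }
    }
    foreach ($ace in $b.ExplicitAces) {
        if ($s.ExplicitAces -notcontains $ace) { $diff += "Only on backup: $ace" }
    }
    $diff    # empty output means the two folders match
}

# Constructed demo: two temp folders, inheritance disabled on one of them
$src = New-Item -ItemType Directory -Force -Path (Join-Path $env:TEMP "acl-demo-src-$PID")
$dst = New-Item -ItemType Directory -Force -Path (Join-Path $env:TEMP "acl-demo-dst-$PID")
icacls $src.FullName /inheritance:d | Out-Null   # copy inherited ACEs as explicit ones
Compare-FolderAcl -Source $src.FullName -Backup $dst.FullName
Remove-Item -LiteralPath $src.FullName, $dst.FullName -Recurse -Force

# On the systems from the thread the call would be, for example:
# Compare-FolderAcl -Source 'C:\Users\Public' -Backup 'Z:\Users\Public'
```

Running the comparison once after a manual configuration and once after a sync run shows whether the owner, the inheritance flag or individual ACEs are the part that was not carried over.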