
Maintaining file share permissions across servers can be a major challenge, but with PowerShell we can automate the process, allowing you to go home early.

When doing any file migration, you have to consider not only the files and folders themselves but also the permissions set on those objects. Each file and folder could potentially have a different set of Access Control Entries (ACEs) that make up its Access Control List (ACL). Depending on how many files you're migrating, this can be a lot.

When moving files to a new location, the permissions don't always come with them. When doing a massive migration like entire file servers with intricate permissions in place, it's important to keep those permissions with the objects as they move to the new location.

There are a few ways to do this.

One favorite tool to perform file migrations is robocopy. Robocopy is a great tool with lots of bells and whistles, but it can be complicated to use and may not work in all situations. When this happens, I'll usually look into a tool called icacls. This is a tool that's been around for a long time and, like robocopy, has a lot of switches, so let's simplify this tool a little bit with some PowerShell.

Using PowerShell to Transfer Permissions

Although you can use the icacls command-line utility directly, it's not the easiest to understand. To remedy this, you're going to learn how to use a PowerShell module as a wrapper around the icacls tool to simplify this sometimes daunting process.

First, we'll need to download an existing tool that's already created for us. One of the great things about the PowerShell community is that there's usually an existing tool out there to help us out. In this case, we're going to need a PowerShell module. This PowerShell module can be found in the PowerShell Gallery.

If you have PowerShell v4 or later, you'll already have some commands to grab this module quickly.

        PS> Find-Module -Name NTFSPermissionMigration | Install-Module

Once the command above finishes, you should have a new module installed on your computer and available for use. Next, we need to run a command from the module against the folder containing all of the files we'd like to transfer permissions on.

        PS> Save-Acl -FolderPath \\OLDSERVER\FileShare -SaveFilePath C:\FilePermissions.txt

Once this is run, you should see output similar to this, and the save file will begin to grow.

        processed file: \\OLDSERVER\FileShare\File1.txt
        processed file: \\OLDSERVER\FileShare\File2.exe
        Successfully processed X files; Failed processing 0 files

When this is complete, you should have all of the permissions for the files and folders inside the save file. Now we can restore from this file. Before doing so, though, be sure to make an exact copy of all the files inside the old folder, otherwise the restore will not work.

To restore the permissions to the new folder path, we'd now use the Restore-Acl command.

        PS> Restore-Acl -RestoreToFolderPath \\NEWFILESERVER\FileShare -PermissionFilePath C:\FilePermissions.txt
        Successfully processed XXX files; Failed processing 0 files

Once this is complete, all NTFS permissions should be mirrored from your source folder to the new destination folder!
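To confirm the restore, the access entries (DACL) of every object can be compared between the two trees. The following is an added example, not part of the NTFSPermissionMigration module or the original article; `Compare-ShareAcl` is a hypothetical helper name and the UNC paths are the article's placeholders.

```powershell
# Added example. Compare-ShareAcl is a hypothetical helper, not part of the module.
function Compare-ShareAcl {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$SourcePath,
        [Parameter(Mandatory)][string]$DestinationPath
    )

    # Compare only the DACL (the access entries), not owner, group or SACL.
    $dacl       = [System.Security.AccessControl.AccessControlSections]::Access
    $sourceRoot = (Get-Item -LiteralPath $SourcePath).FullName.TrimEnd('\')
    $destRoot   = (Get-Item -LiteralPath $DestinationPath).FullName.TrimEnd('\')

    # The share root itself, then every file and folder beneath it.
    $items = @(Get-Item -LiteralPath $sourceRoot) +
             @(Get-ChildItem -LiteralPath $sourceRoot -Recurse -Force)

    foreach ($item in $items) {
        # Map the source object to the same relative path under the destination.
        $target = $destRoot + $item.FullName.Substring($sourceRoot.Length)
        $result = [pscustomobject]@{
            Path = $target; Status = $null; SourceSddl = $null; DestinationSddl = $null
        }

        if (-not (Test-Path -LiteralPath $target)) {
            $result.Status = 'MissingAtDestination'
            $result
            continue
        }
        try {
            $result.SourceSddl      = (Get-Acl -LiteralPath $item.FullName -ErrorAction Stop).GetSecurityDescriptorSddlForm($dacl)
            $result.DestinationSddl = (Get-Acl -LiteralPath $target -ErrorAction Stop).GetSecurityDescriptorSddlForm($dacl)
        } catch {
            $result.Status = "Unreadable: $($_.Exception.Message)"
            $result
            continue
        }
        # Emit a record only when the two DACL strings differ.
        if ($result.SourceSddl -cne $result.DestinationSddl) {
            $result.Status = 'DaclMismatch'
            $result
        }
    }
}

# Paths are the article's placeholders. No output means every DACL matched.
Compare-ShareAcl -SourcePath '\\OLDSERVER\FileShare' -DestinationPath '\\NEWFILESERVER\FileShare' |
    Format-List Path, Status, SourceSddl, DestinationSddl
```

A matching DACL string only shows that the entries were copied; ACEs that reference local accounts of the old server carry SIDs that will not resolve on the new one, so review those separately.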

Summary

Using a free community PowerShell module and a little bit of scripting magic can turn the daunting task of moving NTFS permissions from one server to another into a piece of cake.