Copying NTFS Security Descriptors

Requirements

Beyond Compare 4, 3, 2.3 or newer
Windows 2000 or better
Administrative rights

Description

Beyond Compare provides an option to copy NTFS security descriptors.  With it enabled, any of Beyond Compare's copy commands (copy, copy to folder, move, move to folder, and the sync commands) will copy security descriptors of files on NTFS file systems under Windows 2000 or newer.  This option does not preserve permissions of files saved in the File Viewer.

BC3 logo BC version 3 or 4

In a Folder Compare or Folder Sync session, select Session Settings from the Session menu.  Go to the Handling tab.  Check Copy NTFS file permissions (requires admin rights).

BC2 logo BC version 2

To enable the copying of NTFS security descriptors, create a DWORD registry key named HKEY_CURRENT_USER\Software\Scooter Software\Beyond Compare\Settings\CopyACLs.  Setting the value to 1 will enable the feature, 0 will disable it.

Handling of Inheritance

Files and folders are copied as normal.  After each file or folder is copied, the security descriptor (owner, group, dacl, sacl) is copied.  If the source file (or folder) is set to inherit permissions from its parent, non-inherited permissions are copied and inheritable permissions from the parent on the target side are inherited.  If the source file is set to block permissions from its parent, permissions are copied from the source and no permissions are inherited from the target parent.

Known Issue - Folders with read only permissions

The current implementation does a simple copy of security descriptors immediately after a file or folder is copied.  If the folder being copied denies write access to the logged on user, Beyond Compare will copy the folder, set the deny permissions on it, and then fail to copy the contents of the folder.

Known Issue - NetApp

Copying NTFS security descriptors is not supported when the target folder is on a NetApp device.

Copyright © 2017 Scooter Software, Inc.