Bypass/ignore NTFS security rights under Admin for backup.

[Guest]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

For the purpose of making backups using scripts, I need like to bypass the NFTS security rights under the Administrator account. For example, if some user limits the access rights of folders/files to all other users including the Administrators group, these files cannot be auto-backuped (permission denied, obviously and annoyingly).

I know a few workarounds, but they are quite unacceptable for such a simple task.
1) Of course, the administrator can force ownership and change security rights in a script to force access. But I don't want to change the security rights, since I want users to maintain their ownership over the files.
2) I'm aware of 'Back up files and directories' policy in the local security policy. But that only works if you use the Backup API. I just want to use plain and simple scripts! So that's no option either.

I'm also aware that some consider this behavior a 'feature'. Well, since an administrator can always access the files, for me it's just annoying. So, I would be greatful if somebody knows a solution, tweak or whatever!

Thanks,
Bert

 

[Guest]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Bert-Steffen Visser schrieb:

> I know a few workarounds, but they are quite unacceptable for such a
> simple task. 1) Of course, the administrator can force ownership and
> change security rights in a script to force access. But I don't want to
> change the security rights, since I want users to maintain their
> ownership over the files.
> 2) I'm aware of 'Back up files and
> directories' policy in the local security policy. But that only works if
> you use the Backup API.

When you talk about "Backup API" do you have the function
BackupRead/BackupWrite in mind?

> I just want to use plain and simple scripts! So
> that's no option either.

Have you tried CreateFile() with FILE_FLAG_BACKUP_SEMANTICS ?

Jan

 

[Guest]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

"Jan Peter Stotz" <jp_news@gmx.de> wrote in message news:e5cutz1v88au.124rahspw671x$.dlg@40tude.net...
> When you talk about "Backup API" do you have the function
> BackupRead/BackupWrite in mind?
>
>> I just want to use plain and simple scripts! So
>> that's no option either.
>
> Have you tried CreateFile() with FILE_FLAG_BACKUP_SEMANTICS ?

Thanks for the hint. I was also aware of the CreateFile function. But that would imply writing an own copy/sync command line tool based on the CreateFile/BackupRead function.

I really prefer to use copy/rsync directly in my backup scripts. These are well tested and for something this simple I'd like to use an off-the-shelve solution. So I was hoping there is a security policy/tweak so that an administrator can simply access all the files (like he should be able in the first place, but well...)

greetz,
Bert

 

[Guest]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Bert-Steffen Visser schrieb:

> Thanks for the hint. I was also aware of the CreateFile function. But
> that would imply writing an own copy/sync command line tool based on the
> CreateFile/BackupRead function.
>
> I really prefer to use copy/rsync directly in my backup scripts.

I haven't tried it but I know that the tool robocopy has an option "copy
files in Backup mode". Robocopy is part of the free W2K3 Resourcekit Tools

Jan

 

[Guest]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

"Jan Peter Stotz" <jp_news@gmx.de> wrote in message news:10bcjegfqvlrn$.nduv3rxmwc00.dlg@40tude.net...
> Bert-Steffen Visser schrieb:
>
>> Thanks for the hint. I was also aware of the CreateFile function. But
>> that would imply writing an own copy/sync command line tool based on the
>> CreateFile/BackupRead function.
>>
>> I really prefer to use copy/rsync directly in my backup scripts.
>
> I haven't tried it but I know that the tool robocopy has an option "copy
> files in Backup mode". Robocopy is part of the free W2K3 Resourcekit Tools
>
> Jan

Thanks! That's the best solution I've got so far. It works. And I'll use it till I can find a bypass (if possible at all).

greetz,
Bert