Copying ACLs between SMB/CIFS shares Edit on GitHub Request doc changes

Contributors netapp-bcammett

Cloud Sync can preserve access control lists (ACLs) between a source SMB/CIFS share and a target SMB/CIFS share. If needed, you can manually preserve the ACLs yourself.

Setting up Cloud Sync to automatically copy ACLs

Cloud Sync can copy ACLs between SMB shares, but you must run a deployment script on a Windows host and activate support when you create a new relationship. You can’t activate support after you create the relationship.

  1. Set up a Windows host that meets the following requirements:

    Operating system

    Windows 10 or Windows Server 2016


    8 GB


    4 cores

    • A connection to the source SMB/CIFS server

    • A connection the target SMB/CIFS server

    • Port 8080 must be open for inbound HTTP traffic from the data broker’s subnet.

      Be sure to open the port at the network level (security group or firewall) and at the host level (Windows Defender Firewall).

  2. Log in to the Windows host.

  3. Download the deployment script.

  4. Run the deployment script with Administrator’s privileges by right-clicking and selecting Run as administrator.

  5. From Cloud Sync, click Create New Sync Relationship.

  6. Drag and drop CIFS Server to the source and target and click Continue.

  7. On the CIFS Server page:

    1. Enter a new CIFS server or select an existing server.

    2. Select Copy ACLs to the target and specify the IP address of the Windows host.

      A screenshot that shows the Activate Support for CIFS ACL option.

    3. Enter credentials for the CIFS server.

    4. Click Continue.

  8. Follow the remaining prompts to create the sync relationship.


When syncing data, Cloud Sync preserves the ACLs between the source and target SMB/CIFS shares.

Manually copying ACLs

You can manually preserve ACLs between SMB/CIFS shares by using the Windows robocopy command.

  1. Identify a Windows host that has full access to both SMB/CIFS shares.

  2. If either of the endpoints require authentication, use the net use command to connect to the endpoints from the Windows host.

    You must perform this step before you use robocopy.

  3. From Cloud Sync, create a new relationship between the source and target SMB/CIFS shares or sync an existing relationship.

  4. After the data sync is complete, run the following command from the Windows host to sync the ACLs and ownership:

    robocopy /E /COPY:SOU /secfix [source] [target] /w:0 /r:0 /XD ~snapshots /UNILOG:”[logfilepath]

    Both source and target should be specified using the UNC format. For example: \\<server>\<share>\<path>