Copying ACLs between SMB/CIFS shares Edit on GitHub Request doc changes

Cloud Sync can preserve access control lists (ACLs) between a source SMB/CIFS share and a target SMB/CIFS share. If needed, you can manually preserve the ACLs yourself.

Setting up Cloud Sync to automatically copy ACLs

Cloud Sync can copy ACLs between SMB shares, but you must run a deployment script on a Windows host and activate support when you create a new relationship. You cannot activate support after you create the relationship.

  1. Deploy a Windows 10 or Windows Server 2016 host that has connectivity to the following:

    • The source SMB/CIFS server

    • The target SMB/CIFS server

    • Port 8080 for inbound HTTP traffic from the data broker’s subnet

  2. Log in to the Windows host.

  3. Download the deployment script.

  4. Run the deployment script with Administrator’s privileges by right-clicking and selecting Run as administrator.

  5. When you create a sync relationship between two SMB/CIFS servers, select Copy ACLs to the target and then specify the IP address of the Windows host.

    This option is available when you specify the source SMB/CIFS server.

    A screenshot that shows the Activate Support for CIFS ACL option.


Cloud Sync preserves the ACLs between the source and target SMB/CIFS shares.

Manually copying ACLs

You can manually preserve ACLs between SMB/CIFS shares by using the Windows robocopy command.

  1. Identify a Windows host that has full access to both SMB/CIFS shares.

  2. If either of the endpoints require authentication, use the net use command to connect to the endpoints from the Windows host.

    You must perform this step before you use robocopy.

  3. From Cloud Sync, create a new relationship between the source and target SMB/CIFS shares or sync an existing relationship.

  4. After the data sync is complete, run the following command from the Windows host to sync the ACLs and ownership:

    robocopy /E /COPY:SOU /secfix [source] [target] /w:0 /r:0 /XD ~snapshots /UNILOG:”[logfilepath]

    Both source and target should be specified using the UNC format. For example: \\<server>\<share>\<path>