Copying ACLs between SMB shares Edit on GitHub Request doc changes

Contributors netapp-bcammett

Cloud Sync can preserve access control lists (ACLs) between a source SMB share and a target SMB share. If needed, you can manually preserve the ACLs yourself.

Setting up Cloud Sync to automatically copy ACLs

Cloud Sync can copy ACLs between SMB shares, but you must run a deployment script on a Windows host and activate support when you create a new relationship. You can’t activate support after you create the relationship.

  1. Set up a Windows host that meets the following requirements:

    Operating system

    Windows 10 or Windows Server 2016


    8 GB


    4 cores

    • A connection to the source SMB server

    • A connection the target SMB server

    • Port 8080 must be open for inbound HTTP traffic from the data broker’s subnet.

      Be sure to open the port at the network level (security group or firewall) and at the host level (Windows Defender Firewall).

  2. Log in to the Windows host.

  3. Download the deployment script.

  4. Run the deployment script with Administrator’s privileges by right-clicking and selecting Run as administrator.

  5. From Cloud Sync, click Create New Sync Relationship.

  6. Drag and drop SMB Server to the source and target and click Continue.

  7. On the SMB Server page:

    1. Enter a new SMB server or select an existing server.

    2. Select Copy ACLs to the target and specify the IP address of the Windows host.

      A screenshot that shows the Activate Support for SMB ACL option.

    3. Enter credentials for the SMB server.

    4. Click Continue.

  8. Follow the remaining prompts to create the sync relationship.


When syncing data, Cloud Sync preserves the ACLs between the source and target SMB shares.

Manually copying ACLs

You can manually preserve ACLs between SMB shares by using the Windows robocopy command.

  1. Identify a Windows host that has full access to both SMB shares.

  2. If either of the endpoints require authentication, use the net use command to connect to the endpoints from the Windows host.

    You must perform this step before you use robocopy.

  3. From Cloud Sync, create a new relationship between the source and target SMB shares or sync an existing relationship.

  4. After the data sync is complete, run the following command from the Windows host to sync the ACLs and ownership:

    robocopy /E /COPY:SOU /secfix [source] [target] /w:0 /r:0 /XD ~snapshots /UNILOG:”[logfilepath]

    Both source and target should be specified using the UNC format. For example: \\<server>\<share>\<path>