Robocopy /MIR switch – mirroring file permissions

Some customers pointed out what they believe to be a bug in Robocopy.

The situation is: suppose that you copy your files using Robocopy in Windows Server 2003 or XP. Then, file or folder permissions (ACLs) are changed either on source or destination. You want to use the /MIR switch to mirror the permissions:

> ROBOCOPY source destination /MIR /SEC

Robocopy fails to mirror file permissions – but works for folder permissions.

This behaviour is by design. Robocopy focuses on copying just the files that have changed (in size or modified date, by default). If a file looks like it has changed, Robocopy copies its data and, if you specified copying security as well, copies the NTFS ACL from source to target after copying the data. If a file looks like it has NOT changed, Robocopy by default skips it and copies nothing for the file, not even its security info.

When I wrote the “security copy” part of Robocopy on 22 May 1997, I chose to do this for performance reasons, to keep Robocopy times for large trees down. This was an adequate implementation for most people’s needs at the time. Also, another reason I chose to do things the way I did is that setting security on directories is sufficient for most people. Setting security on a file-by-file basis is a more granular approach, for sure, but incurs a larger maintenance overhead, perhaps too much for many users.

Therefore, the solution listed as a workaround posted by Martin Zugec (MVP) is precisely what needs to be done in this situation, and this behaviour is expected:

> ROBOCOPY /Mir <Source> <Target>
> ROBOCOPY /E /Copy:S /IS /IT <Source> <Target>

The first Robocopy command above will copy data and security for files that have been updated, and the second Robocopy command will refresh file security for all files, without copying any file data.

This is what to do if you are using a Resource Kit version of Robocopy and want to keep security synced between two trees where the data is fairly static but security is updated now and then. In fact, the “Copying NTFS Security Information” section of Robocopy.doc (from the Resource Kits) states:

“To refresh security information for existing destination files and directories without copying file data, use the /IS switch together with the /COPY switch without the D flag. For example /IS /COPY:SOU would refresh all security information for all selected files, without copying any file data.”
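As an added example (not part of Robocopy or of the original post), the PowerShell script below reports files that exist in both trees but carry a different DACL, optionally runs the two-pass sync described above, and then checks again. It assumes PowerShell 3.0 or later, uses `/MIR /SEC` from the opening command for the first pass, and treats a differing DACL SDDL string as drift; the function names and the example paths are hypothetical.

```powershell
# Added example, not part of Robocopy. Run as: .\Sync-Acl.ps1 -Source D:\data -Target E:\mirror [-Fix]
param(
    [Parameter(Mandatory = $true)] [string] $Source,
    [Parameter(Mandatory = $true)] [string] $Target,
    [switch] $Fix
)

# Return one object per file that exists in both trees but whose DACL differs.
function Get-DaclDrift {
    param([string] $Source, [string] $Target)
    $srcRoot = (Resolve-Path -LiteralPath $Source).ProviderPath.TrimEnd('\')
    $dstRoot = (Resolve-Path -LiteralPath $Target).ProviderPath.TrimEnd('\')
    Get-ChildItem -LiteralPath $srcRoot -Recurse -File -Force | ForEach-Object {
        $relative = $_.FullName.Substring($srcRoot.Length)
        $dstPath  = $dstRoot + $relative
        # Files missing from the target are the data pass's job, not ACL drift.
        if (-not (Test-Path -LiteralPath $dstPath -PathType Leaf)) { return }
        # 'Access' limits the SDDL to the DACL, which is what /COPY:S transfers.
        $srcDacl = (Get-Acl -LiteralPath $_.FullName).GetSecurityDescriptorSddlForm('Access')
        $dstDacl = (Get-Acl -LiteralPath $dstPath).GetSecurityDescriptorSddlForm('Access')
        if ($srcDacl -ne $dstDacl) {
            [pscustomobject]@{ File = $relative; SourceDacl = $srcDacl; TargetDacl = $dstDacl }
        }
    }
}

# Run robocopy and stop on a real failure.
function Invoke-RobocopyChecked {
    param([string[]] $Arguments)
    & robocopy.exe @Arguments
    # Robocopy exit codes of 8 and above mean at least one copy failure.
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }
}

$drift = @(Get-DaclDrift -Source $Source -Target $Target)
Write-Output ("{0} file(s) with a different DACL before sync" -f $drift.Count)
$drift | Select-Object -ExpandProperty File

if ($Fix) {
    # Pass 1: data and security for changed files. Pass 2: security only, all files.
    Invoke-RobocopyChecked @($Source, $Target, '/MIR', '/SEC')
    Invoke-RobocopyChecked @($Source, $Target, '/E', '/COPY:S', '/IS', '/IT')
    $left = @(Get-DaclDrift -Source $Source -Target $Target)
    Write-Output ("{0} file(s) with a different DACL after sync" -f $left.Count)
    if ($left.Count -gt 0) { $left | Select-Object -ExpandProperty File; exit 1 }
}
```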

Things have moved on a bit in the past 11 years, security-wise, so I changed the way things work in this area slightly for the version of Robocopy that ended up in Vista, in that if you specify /SECFIX on the command line, Robocopy will copy security for skipped files that exist in both the source and the target trees. 

So, to maintain two trees in sync, including their security, using Vista’s Robocopy, you can use the following as your regular Robocopy command:

> ROBOCOPY <source> <target> /MIR /SEC /SECFIX

/MIR will replicate data and security (as /SEC is specified) for changed files, and /SECFIX will update just the security for unchanged files. Add /V to the command line if you want to see which files are having their security “fixed” without having their data copied.

Kevin Allen