question

Marcus-9726 avatar image
0 Votes"
Marcus-9726 asked FanFan-MSFT commented

Account permission required to migrate file shares

Hi,

I'm going to migrate file server to new file server in a domain environment. These are not domain controller and it is member server. As I know to migrate the file shares that account will need to be in the Backup Operators group.

I would like to know should I add the user into the Active Directory Backup Operators group or I add the user into the File Server local Backup Operators group? If I'm not mistaken the AD Backup Operators group is for domain controller only right? Please correct me if I'm wrong.

windows-server-storagewindows-server-migration
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

1 Answer

FanFan-MSFT avatar image
0 Votes"
FanFan-MSFT answered FanFan-MSFT commented

Hi,
Welcome to ask here!

As you mentioned above, members in the Backup Operators group can perform backup and restore operations on domain controllers.
We don't need to add the user into the AD Backup Operators group.
Following link for your reference:

https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups#bkmk-backupoperators

If you want to move some folders and files, you can just grant the user enough permission to migration just on the folders on the source and destination server.

Best Regards,

· 4
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hi,

There will be a lot of folders and files to move, basically all the data will be moving to new server. Each of them have different permission. So I am looking a way to assign permission to all for migration at once with robocopy. It seems that if I add the account into the backup operators group of that file server can achieve this. Appreciate your help to clarify this. Or any other way that could achieve this? Also as you mentioned that I could just grant the user enough permission to migration, may I know which permission should I grant to the account so that I could robocopy all the folders/files?

0 Votes 0 ·

Hi,

Based on my test, if you want to use the Robcopy to migrate the files, we have to:
On the resources we only need the read permission
On the destination where you put all the files, you should give the user write permission. For example, you want to copy the files and folders to the shared folder: migration.
You need to give the user permission as following:
Share permission: full control
NTFS permission: Write
Then can run the command successfully to run the command.
116616-image.png
IIf possible, you can take a try in your lab.

0 Votes 0 ·
image.png (52.7 KiB)

Hi there,

As I tried, it seems that for share permission I can access via \\ServerName\c$ or \\ServerName\e$ since these drive hidden shares are shared by default for account that having local admin rights to the PC. And since Domain Administrator will be added into the local administrator group of server then I believe I could just assign that account a Domain Admin right.

For NTFS, I can see that my shared folders have the permission of SERVERNAME\Administrators (Full Control). Then I think domain administrator will do the trick as well.

0 Votes 0 ·
Show more comments