Security permissions on network files and folders (UNC shares) are generally restored successfully if the user that backed up the file also restores the file and no permissions have changed.
However, backups and restores can run into problems when the access permissions on files and folders differ and are not satisfied.
The ESE Agent connects to network folders with the appropriate user determined by either of the following methods:
1. The user used by the backup service. This is usually specified when the Agent is installed and is typically "Local System":
   - If the user is "Local System", the "Guest" user is used on the network folder.
   - If the user is a custom network domain user, e.g. "MYDOMAIN\John", then "John" will be used.
2. The authentication credentials specified when the network folder was included in the Backup Selection:
   - The username and password are used to connect to the network folder.
   - If no credentials are specified, the user in 1. above is used.
In this instance, file permissions are not backed up:
- The user, as described above, does not have sufficient permissions to access the file/folder.
Typically, the following error message will be logged:
"Security descriptors not accessible and will be ignored for \\[network folder]"
Given how the connecting user is determined above, network file/folder permissions are not restored in the following instances:
- When file permissions weren't backed up successfully, the files are restored but not the security information.
- If the file/folder is outside the user's current network domain, unless the user is a member of the "Backup Operators" group.
  Tip: See this article on how to add users to groups in Windows.
- If the file/folder is outside the user's current network domain AND the user is not the owner of the file/folder.
- The user restoring the file/folder does not have sufficient permissions to update the destination folder.
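
The conditions above can be checked before a backup or restore is scheduled. The following PowerShell script is an added example, not part of the ESE Agent or its documentation: run under the account the Agent will connect with, it reports for each network folder whether the security descriptor can be read, who owns the folder, and whether the session is a member of "Backup Operators". The share paths are placeholders, and `Get-Acl` is assumed here as a stand-in for however the Agent itself reads permissions.

```powershell
# Added example: pre-flight permission check for UNC paths in a Backup Selection.
# Run as the account the Agent uses to connect to the network folder.
# Placeholder paths: replace with the folders in your own Backup Selection.
$Paths = @('\\fileserver01\projects', '\\fileserver01\finance')

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $identity
# "Backup Operators" membership as seen in this session's token on this machine.
$isBackupOperator = $principal.IsInRole(
    [Security.Principal.WindowsBuiltInRole]::BackupOperator)

$results = foreach ($path in $Paths) {
    $row = [ordered]@{
        Path           = $path
        RunningAs      = $identity.Name
        BackupOperator = $isBackupOperator
        Reachable      = $false
        DescriptorRead = $false
        Owner          = $null
        IsOwner        = $false
        Detail         = ''
    }
    try {
        if (Test-Path -LiteralPath $path -ErrorAction Stop) {
            $row.Reachable = $true
            # Reads owner, group and DACL; throws if the account may not read them.
            $acl = Get-Acl -LiteralPath $path -ErrorAction Stop
            $row.DescriptorRead = $true
            $row.Owner   = $acl.Owner
            $row.IsOwner = ($acl.Owner -eq $identity.Name)
        } else {
            $row.Detail = 'Path not found or not visible to this account'
        }
    } catch [System.UnauthorizedAccessException] {
        $row.Detail = 'Access denied reading the security descriptor'
    } catch {
        $row.Detail = $_.Exception.Message
    }
    [pscustomobject]$row
}

$results | Format-Table -AutoSize
```

A row with `DescriptorRead` set to `False` corresponds to the case where the user does not have sufficient permissions to access the file/folder.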