EVO version 7 adds optional Windows-style ACL permission management, to allow for file/folder-level user access.
These permissions are stored alongside the content on EVO, and when copying content elsewhere (for example, via Slingshot replication), new files are written at the destination, which may have its own users and permissions to consider.
While the permissions therefore will not travel with the files, it is possible to extract and apply the same ACLs to another EVO location.
This article explains how to back up an EVO share’s ACL data using Microsoft’s Backup-ACL utility, and how to import it to another EVO location.
Requirements
- Windows Server 2022 with Administrator access
- EVO v.7.x
- Brief remote session with the SNS support team.
Install Windows Server Backup
- Log in to your Windows Server as Administrator.
- Open Server Manager and click Add Roles and Features.
- Before You Begin, click Next.
- Installation Type, click Next.
- Server Selection, select the server, then click Next.
- Server Roles, click Next.
- Features, select Windows Server Backup, then click Next.
- Confirmation, click Install.
- Once complete, click Close.
Prepare EVO
Assign an EVO user to the Administrators local group.
- Navigate to the EVO Administration UI (#/login) as admin.
- Navigate to Users (#/users).
- Click Add User.
- Enter a username + password (in this example the username will be “backup”) and add the user.
- Select the user and choose Edit User's Groups located in the Actions menu.
- Click the dropdown menu for Assign group to user and select Administrators from the list.
- Once the local group Administrators appears under the user click Close.
- There is no need to assign this user permissions for any share.
Note: At this stage, we will need to access the server to make essential modifications in preparation for the ACL backup process. This procedure is expected to be brief; however, a service restart is needed for the change to take effect, which causes a momentary connection interruption to all shares. Alternatively, the change can be made at any time and the system rebooted when convenient. Please contact our support team and reference “EVO-4939”.
Note: Be sure to mount the share(s) using the same drive letter when backing up and when restoring, since the XML file saves the drive letter information.
Use Backup-ACL
- Log in to your Windows Server as Administrator (or with administrator privileges).
- On the Desktop create a new folder “Backup-ACL-Logs”.
- Mount the target share that you wish to back up ACL information from to the Windows Server; use the credentials for the backup user that you previously created in EVO.
- Open File Explorer.
- In File Explorer click on This PC in the left navigation pane.
- Click Computer in the top menu and select Map network drive.
- Choose a drive letter from the dropdown menu (in this example the drive will be “Z:”).
- Important: You must use the same drive letter you selected here when later restoring ACL permissions.
- In the Folder field enter the path to the share you want to back up ACL information from, for example: \\192.168.1.25\sharename
- Check the Connect using different credentials checkbox.
- Click Finish and use the credentials for the backup user that you previously created in EVO.
- Open PowerShell.
- If you wish to back up the entire share’s ACLs use the command:
- Backup-ACL -Path "Z:\" -DestinationPath "$home\Desktop\share-acl-backup.xml" -LogPath "$home\Desktop\Backup-ACL-Logs"
- If you wish to back up a single directory’s ACLs use the command:
- Backup-ACL -Path "Z:\directory" -DestinationPath "$home\Desktop\share-directory-acl-backup.xml" -LogPath "$home\Desktop\Backup-ACL-Logs"
- Wait for the process to complete (“Backup permissions for Z: complete!”)
- The .xml file on the Desktop contains the ACL information that was backed up.
- Unmount the share by right-clicking on it in File Explorer and selecting Disconnect.
To restore ACL permissions to another EVO share, start by creating a new share. Next, copy the directory or share data (files and folders) that previously had its ACL information backed up, to the new share. Then use Restore-ACL with the .xml file you previously created that contains the backed up ACL information.
Use Restore-ACL
- Log in to your Windows Server as Administrator (or with administrator privileges).
- On the Desktop, verify that the folder “Backup-ACL-Logs” exists; if not, create it.
- Mount the target share that you wish to restore ACL information to on the Windows Server; use the credentials for the backup user that you previously created in EVO.
- Open File Explorer.
- In File Explorer click on This PC in the left navigation pane.
- Click Computer in the top menu and select Map network drive.
- Choose a drive letter from the dropdown menu (in this example the drive will be “Z:”).
- Important: You must use the same drive letter you previously selected when ACL permissions were backed up.
- In the Folder field enter the path to the share you want to restore ACL information to, for example: \\192.168.1.25\sharename
- Check the Connect using different credentials checkbox.
- Click Finish and use the credentials for the backup user that you previously created in EVO.
- Open PowerShell as Administrator (or with administrator privileges).
- If you wish to restore the entire share’s ACLs use the command:
- Restore-ACL -Path "Z:\" -XmlPath "$home\Desktop\share-acl-backup.xml" -LogPath "$home\Desktop\Backup-ACL-Logs"
- If you wish to restore a single directory’s ACLs use the command:
- Restore-ACL -Path "Z:\directory" -XmlPath "$home\Desktop\share-acl-backup.xml" -LogPath "$home\Desktop\Backup-ACL-Logs"
- Wait for the process to complete (“Restore permissions for Z: complete!”)
- Unmount the share by right-clicking on it in File Explorer and selecting Disconnect.
- Verify the share’s permissions are correctly restored via File Navigator in the EVO UI.
Note: If a file is not found, errors are displayed in the console. However, the propagation of permissions will not be interrupted, and existing folders/files will have the ACL applied.
Note: In cases where an ACE remains for a user/group, but the user/group no longer exists, the ACE will still be restored, but the SID will be displayed instead of a user/group name.
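The verification step and the two notes above can also be checked from PowerShell while the share is still mounted. The following is an added example, not part of the Backup-ACL/Restore-ACL tooling or of EVO: the function names, the CSV file names and the Z:\ path are assumptions, and it compares only the DACL (not owner or audit entries), using the standard Get-Acl cmdlet.

```powershell
# Added example (not vendor code). Function names, Z:\ and the CSV paths are assumptions.

# Record the DACL (SDDL form) of the root and every item below it, keyed by relative path.
function Export-AclSnapshot {
    param([Parameter(Mandatory)][string]$Root, [Parameter(Mandatory)][string]$OutCsv)
    $rootItem = Get-Item -LiteralPath $Root
    $prefix   = $rootItem.FullName.TrimEnd('\')
    @($rootItem) + @(Get-ChildItem -LiteralPath $Root -Recurse -Force) | ForEach-Object {
        $rel = $_.FullName.Substring($prefix.Length).TrimStart('\')
        if ($rel -eq '') { $rel = '.' }   # '.' stands for the root itself
        [pscustomobject]@{
            RelativePath = $rel
            Dacl = (Get-Acl -LiteralPath $_.FullName).GetSecurityDescriptorSddlForm('Access')
        }
    } | Export-Csv -LiteralPath $OutCsv -NoTypeInformation -Encoding UTF8
}

# Report paths that are missing at the destination or whose DACL differs from the source.
function Compare-AclSnapshot {
    param([Parameter(Mandatory)][string]$BeforeCsv, [Parameter(Mandatory)][string]$AfterCsv)
    $after = @{}   # string keys are case-insensitive, matching Windows path semantics
    Import-Csv -LiteralPath $AfterCsv | ForEach-Object { $after[$_.RelativePath] = $_.Dacl }
    Import-Csv -LiteralPath $BeforeCsv | ForEach-Object {
        $status = $null
        if (-not $after.ContainsKey($_.RelativePath)) { $status = 'MissingAtDestination' }
        elseif ($after[$_.RelativePath] -cne $_.Dacl)  { $status = 'DaclDiffers' }
        if ($status) { [pscustomobject]@{ Status = $status; RelativePath = $_.RelativePath } }
    }
}

# List ACEs whose identity is shown as a raw SID, i.e. the user/group no longer resolves.
function Get-UnresolvedAce {
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -LiteralPath $Root -Recurse -Force | ForEach-Object {
        $path = $_.FullName
        (Get-Acl -LiteralPath $path).Access |
            Where-Object { $_.IdentityReference.Value -match '^S-1-' } |
            ForEach-Object {
                [pscustomobject]@{ Path = $path; Sid = $_.IdentityReference.Value; Rights = $_.FileSystemRights }
            }
    }
}

# Usage, in order (run the first line while the SOURCE share is mounted, the rest after Restore-ACL):
#   Export-AclSnapshot -Root 'Z:\' -OutCsv "$home\Desktop\acl-before.csv"
#   Export-AclSnapshot -Root 'Z:\' -OutCsv "$home\Desktop\acl-after.csv"
#   Compare-AclSnapshot -BeforeCsv "$home\Desktop\acl-before.csv" -AfterCsv "$home\Desktop\acl-after.csv"
#   Get-UnresolvedAce -Root 'Z:\'
```

An empty result from Compare-AclSnapshot means every path recorded on the source exists on the destination with an identical DACL; rows from Get-UnresolvedAce are the ACEs that appear as SIDs because the account no longer exists.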