Copying NTFS Security Descriptors

Windows only


Beyond Compare 4, 3, 2.3 or newer
Windows 2000 or better
Domain Administrator or Local Administrator rights


Beyond Compare provides an option to copy NTFS security descriptors.  With it enabled, any of Beyond Compare's copy commands (copy, copy to folder, move, move to folder, and sync commands) will copy security descriptors of files on NTFS file systems under Windows 2000 or newer.  This option does not preserve permissions of files saved in the File Viewer.

BC version 3 or 4

In a Folder Compare or Folder Sync session, select Session Settings from the Session menu.  Go to the Handling tab.  Check Copy NTFS file permissions (requires admin rights).

BC version 2

To enable the copying of NTFS security descriptors, create a DWORD registry value named CopyACLs under the key HKEY_CURRENT_USER\Software\Scooter Software\Beyond Compare\Settings.  Setting the value to 1 enables the feature; setting it to 0 disables it.

Handling of Inheritance

Files and folders are copied as normal.  After each file or folder is copied, its security descriptor (owner, group, DACL, SACL) is copied.  If the source file (or folder) is set to inherit permissions from its parent, its non-inherited permissions are copied and the inheritable permissions of the parent on the target side are inherited.  If the source file is set to block permissions from its parent, permissions are copied from the source and no permissions are inherited from the target parent.
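
One way to check the result after a copy, as an added example that is not part of Beyond Compare or of this article: the PowerShell script below compares owner, group, the inheritance-blocking flag and the non-inherited DACL entries for each item under a source and a target folder.  The two root paths are hypothetical placeholders, and the SACL is not compared.

```powershell
# Added example, not Scooter Software code. Both root paths are hypothetical.
param(
    [string]$SourceRoot = 'D:\Data',
    [string]$TargetRoot = '\\server2\Data'
)
$sidType = [System.Security.Principal.SecurityIdentifier]

function Get-DescriptorSummary {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Explicit (non-inherited) ACEs only: inherited ones come from each side's
    # own parent folder, so they are expected to differ between the two trees.
    $aces = $acl.GetAccessRules($true, $false, $sidType) | ForEach-Object {
        '{0}:{1}:{2}:{3}:{4}' -f $_.IdentityReference.Value, $_.AccessControlType,
            [int]$_.FileSystemRights, $_.InheritanceFlags, $_.PropagationFlags
    } | Sort-Object
    [pscustomobject]@{
        Owner     = $acl.GetOwner($sidType).Value
        Group     = $acl.GetGroup($sidType).Value
        Protected = $acl.AreAccessRulesProtected   # True = inheritance blocked
        Explicit  = @($aces) -join ';'
    }
}

# Resolve both roots so relative paths can be mapped from source to target.
$srcRoot = (Resolve-Path -LiteralPath $SourceRoot).ProviderPath.TrimEnd('\')
$dstRoot = (Resolve-Path -LiteralPath $TargetRoot).ProviderPath.TrimEnd('\')

Get-ChildItem -LiteralPath $SourceRoot -Recurse -Force | ForEach-Object {
    $target = $dstRoot + $_.FullName.Substring($srcRoot.Length)
    if (-not (Test-Path -LiteralPath $target)) {
        [pscustomobject]@{ Path = $target; Differs = 'missing on target' }
        return   # continue with the next item
    }
    $s = Get-DescriptorSummary $_.FullName
    $d = Get-DescriptorSummary $target
    $diff = foreach ($field in 'Owner', 'Group', 'Protected', 'Explicit') {
        if ($s.$field -ne $d.$field) { $field }
    }
    if ($diff) {
        [pscustomobject]@{ Path = $target; Differs = $diff -join ', ' }
    }
}
```

An empty result means every compared field matched.  Principals are compared by SID, so the check does not depend on account names resolving on either server.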

Known Issue - Folders with read only permissions

The current implementation does a simple copy of security descriptors immediately after a file or folder is copied.  If the folder being copied denies write access to the logged-on user, Beyond Compare will copy the folder, set the deny permissions on it, and then fail to copy the contents of the folder.

Known Issue - Non-Windows NAS devices

Non-Windows network attached storage (NAS) device compatibility with Beyond Compare's Copy NTFS file permissions setting varies by manufacturer and firmware version.  If the setting is enabled but NTFS permissions fail to copy with the log showing "Unable to copy NTFS permissions", updating NAS device firmware will sometimes resolve the issue.

Known Issue - Unable to Copy NTFS Permissions

If Beyond Compare is run on a client PC or on the source server for a copy between two Windows servers, permissions may fail to copy with "Unable to copy NTFS permissions" shown in the log.  Running Beyond Compare on the target server will sometimes resolve the issue.

