We have and Rsync server install on one of our fileservers and we pull nightly backups from it to a linux based machine that does archiving and backup rotation stuff.
Recently I've noticed that the Rsync user can not access certain files on the server. The service is running as a local user which is part of the backup operators group. I had thought that anyone in this group got full access to everything however recent results are telling me this isn't the case.
Is there anyway around this to get the rsync full access? Changing file ownership isn't an option. Adding permissions issue an option unless it can be done to all files without affecting other existing permissions.
Best Answer
Your understanding of how "Backup Operators" interacts with NTFS permissions is flawed. Members of the "Backup Operators" group can read / write bypassing permissions, but only through specific backup API functions that rsync isn't using.
Rsync uses "normal" filesystem API functions, so the user rsync runs as is going to have to have access to read every file you intend to back up. There's no way around it w/o changing code in rsync.
Depending on how you've architected your permission hierarchies you may be able to add another ACE to your permissions for your rsync user (ideally, a group that the rsync user is a member of-- perhaps the only member-- rather than a user) to read the files. If you've blocked permission inheritance (which Microsoft doesn't seem to discourage strongly enough for just this kind of reason) then you've got a mess and you'll have to grant that permission at every root of permission inheritance along the hierarchy.
If your existing permission hierarchies already contain a suitable group (like, say, "Administrators"), you could take the seductive shortcut of adding the rsync user to the "Administrators" group. Obviously, a bug in rsync that allows an unprivileged user to execute code in the rsync user's context would be very, very bad such a case, so weigh the risks carefully.