Using XCOPY /O to Copy Data and ACLs

If you're tempted to use the XCOPY command with the /O switch to copy data and ACLs across servers, you need to know that unless you're using accounts or groups from a trusted domain in each ACL, the permission copy operation just isn't reliable. If you follow the Microsoft best practice for Windows NT environments —which states that all users should go into global groups, global groups should go into local groups, and you assign permissions to resources through those local groups—XCOPY /O simply doesn't work very well.

If you investigate an ACL that you apply to a test directory by using XCOPY /O to copy the ACL, you'll see an access control entry (ACE) with the proper group name, but that ACE won't be valid—especially if a local group might not exist on the machine to correspond with the ACE. Adding a new group of the same name does nothing: ACEs are defined within ACLs as SIDs, not actual names. For most situations, XCOPY /O just isn't robust enough to help assign permissions to the migrated files when you're performing a data-migration operation.