U-Tools: Unique Tools for Windows System Administrators
U-Move Help

Warning: Damaged ACL found

The Access Control List (ACL) is a list of security permissions that determine what users or groups are allowed to access a file or a folder. Every file/folder has an associated ACL. The warning message means that the ACL permissions for a folder appear to be incorrect or damaged.

On the source computer: This error means that a system folder (for example, C:\Windows\System32 or C:\Windows\Sysvol) contains a damaged ACL entry. The ACL for the folder may have been inadvertently reset by the administrator with Windows Explorer.

The ACL entry should be fixed before backup (see below). Otherwise Active Directory may not function correctly when the backup is loaded on the destination computer.

On the destination computer: This error means the staging folder contains a damaged or incorrect ACL entry. This is usually due to an improper manual transfer of the staging folder where the ACL permissions were not copied correctly to the destination computer.

How to Fix This Error On The Source Computer

To fix this error on the source computer you need to manually restore the missing ACL entry for the system folder before backing up Active Directory. The error message will indicate the name of the missing group.

The following procedure will add an entry to the ACL to a folder:

  1. Press WIN+R.
  2. In the Open box type explorer and click OK. This will open Windows Explorer.
  3. Find the damaged folder and right-click on it.
  4. In the popup menu click on Policies and select Sharing and Security...
  5. Click on the tab Security.
  6. Click on the button Edit..
  7. Click on the button Add..
  8. Click on the button Object Types...
  9. Check the box for Groups. Uncheck all other boxes and click Ok.
  10. Click the button Advanced (lower left corner).
  11. Click the button Find now (right side).
  12. Scroll down and find the name of the missing group. (The language may vary.) Click on the name so it is highlighted.
  13. Click Ok. This will add the name to the selection box.
  14. Click Ok again. This will add the name to the list "Group or user names“.
  15. Check the box Full control or Read (as applicable) under Allow, and click Ok. This will update the ACL entry.

In rare cases U-Move may report that the ACL is not protected against inheritance from the parent folder. The following procedure will turn off inheritance on a folder:

  1. Press WIN+R.
  2. In the Open box type explorer and click OK. This will open Windows Explorer.
  3. Find the damaged folder and right-click on it.
  4. In the popup menu click on Policies and select Sharing and Security...
  5. Click on the tab Security.
  6. Click on the button Advanced
  7. Clear the first checkbox: Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here. Verify that the box is not checked and click Ok.
  8. A dialog box will pop up. Click on Copy.
  9. Click Ok to close the remaining dialog boxes.

The above procedures should be used only on the source computer. Do not use the above procedures on the destination computer. Instead re-copy the staging folder (see next section).

How to Fix This Error On The Destination Computer

To fix this error on the destination computer, you need to re-copy the staging folder so that the security settings are preserved unchanged from the source computer. The ACLs must be copied correctly for Active Directory to load successfully.

The best way to guarantee that ACLs are copied correctly is to use a .BKF file. If you must do a manual transfer, use a utility that preserves ACLs. For example use XCOPY /B /O.

Overriding the Warning Message

The only time you should override this warning message is when you are restoring AD from a 3rd-party backup utility that you know contains a damaged ACL from the source computer. Do not override this warning message when doing a manual transfer, as the ACL damaged probably happened on the destination computer. You must correctly copy the ACL permissions from the source computer to the destination computer in order for Active Directory and the Group Policy files in SYSVOL to load successfully.

How to override this warning