Windows BackupRead / BackupWrite and ACLs


Problem description

I have been trying to understand what should be the right way in using BackupRead and BackupWrite for backing up data on a computer and especially about restoring it reliably.

Now I understand how to use the API and have been successful. However, there's one thing that bothers me. You can back up, besides the file content itself, any alternate data streams and also the security information (ACLs).

Now, if I store the ACL data for backup and then later, once the data needs to be restored on a different machine or a newly set up machine, what should I do with the SIDs which are related to the ACL? The SID is most likely no longer valid for the machine, and how should the right user be selected? Now I am looking at this on a bigger scale: let's say this is a computer with multiple users and hundreds or thousands of objects with different settings; it would be a mess to get the data restored with the security settings applied to them again.

Is this something that, if the user of the software wishes to back up the security settings, the user has to take care of himself and update them accordingly, or what?

Additionally, BackupRead and BackupWrite will give me the raw binary data of those items, which is not all too hard to use; however, obviously this API does not even intend to face this issue.

Does anyone have an idea how a backup application should handle this situation? What are your thoughts, or any pointers on guidelines for this specific topic?

Many thanks.

Recommended answer

I think you understand correctly the problems with backup and restore of data. I think that a correct understanding of a problem is half of solving it. I suppose that you are, like most users of the stackoverflow site, mostly a software developer and not an administrator of a large network. So you see the problem from the side of a software developer and not from the side of the administrator. An administrator knows the restrictions of backup and restore of ACLs and already uses it.

In general you should understand that the main purpose of backups is to save the data and to restore the data later on the same computer or server. Another standard case is: one restores a backup from one server to another server after a change of hardware. In that case the old server will no longer exist. Mostly one makes backups of servers and organizes the work on the clients so that no important data is saved on the client computer.

In most cases the backed up data has domain group SIDs, domain user SIDs, well-known SIDs or SID aliases from the BUILTIN domain in the security descriptors. In that case one needs to make no changes to the SIDs at all. If the administrator does want to make some changes in the ACLs, he can use different existing utilities like SubInACL.exe.

If you write Backup/Restore software which you want to use for moving the data with the security information, you can include in the backup some additional meta-information about the local SIDs of accounts/groups used in the saved security descriptors. In the Restore software you can provide the possibility to replace SIDs from the saved security descriptors. Many years ago I wrote for one large customer some utilities to clear up the SIDs in SDs in the file system, registry and services after domain migration. It was not so complex. So I suggest that you could implement the same feature in your Backup/Restore software.
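The SID bookkeeping and replacement suggested in the answer above, as an added example that is not part of the original answer: it walks a self-relative security descriptor, lists the SIDs issued by the source machine (the meta-information to store with the backup) and overwrites them from a mapping at restore time. It assumes the descriptor bytes have already been extracted from the backup's security stream; all function names are hypothetical and the sample descriptor and SIDs are constructed.

```python
import struct

def parse_sid(buf, off):  # binary SID -> ("S-1-5-...", length in bytes)
    count = buf[off + 1]
    auth = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from(f"<{count}I", buf, off + 8)
    return "-".join(map(str, ("S", buf[off], auth, *subs))), 8 + 4 * count

def pack_sid(text):  # "S-1-5-..." -> binary SID
    rev, auth, *subs = (int(p) for p in text.split("-")[1:])
    return bytes([rev, len(subs)]) + auth.to_bytes(6, "big") + struct.pack(f"<{len(subs)}I", *subs)

def sid_offsets(sd):  # offsets of every SID in a self-relative security descriptor
    owner, group, sacl, dacl = struct.unpack_from("<4I", sd, 4)
    offs = [o for o in (owner, group) if o]
    for acl in (a for a in (sacl, dacl) if a):
        ace = acl + 8                                # ACEs follow the 8-byte ACL header
        for _ in range(struct.unpack_from("<H", sd, acl + 4)[0]):
            ace_type, _flags, ace_size = struct.unpack_from("<BBH", sd, ace)
            if ace_type in (0, 1, 2):                # allowed/denied/audit: mask, then SID
                offs.append(ace + 8)
            ace += ace_size                          # object ACE types are not handled here
    return offs

def local_sids(sd, machine_sid):  # backup side: SIDs issued by the source machine
    sids = {parse_sid(sd, o)[0] for o in sid_offsets(sd)}
    return sorted(s for s in sids if s.startswith(machine_sid + "-"))

def remap_sids(sd, mapping):  # restore side: copy of sd with mapped SIDs overwritten
    out = bytearray(sd)
    for off in sid_offsets(sd):
        old, size = parse_sid(sd, off)
        new = pack_sid(mapping.get(old, old))
        if len(new) != size:                         # would shift offsets and ACL sizes
            raise ValueError(f"{old}: replacement SID has a different length")
        out[off:off + size] = new
    return bytes(out)

def make_ace(ace_type, mask, sid):  # helper for the constructed sample below
    body = struct.pack("<I", mask) + pack_sid(sid)
    return struct.pack("<BBH", ace_type, 0, 4 + len(body)) + body

def sample_sd(machine):  # constructed sample: local owner plus a two-ACE DACL
    owner = pack_sid(machine + "-1001")
    aces = make_ace(0, 0x1F01FF, machine + "-1001") + make_ace(0, 0x1200A9, "S-1-5-32-545")
    dacl = struct.pack("<BBHHH", 2, 0, 8 + len(aces), 2, 0) + aces
    return struct.pack("<BBH4I", 1, 0, 0x8004, 20, 0, 0, 20 + len(owner)) + owner + dacl
```

A local account SID on one machine and its counterpart on another have the same number of sub-authorities, so the in-place overwrite covers the machine-to-machine case; mapping to a SID of a different length requires rebuilding the descriptor and is rejected here.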
