Robocopy /COPY:DATSOU Explained: What Each Flag Means
What does robocopy /COPY:DATSOU mean? A quick breakdown of each flag, Data, Attributes, Timestamps, Security, Owner, Auditing, and when to use /COPYALL vs /COPY:DAT.
Quick answer
/COPY:DATSOU tells Robocopy to copy Data, Attributes, Timestamps, Security (NTFS ACLs), Owner, and aUditing info. It’s identical to /COPYALL. The default is /COPY:DAT, which skips permissions, ownership, and auditing.
What does robocopy /COPY:DATSOU mean?
/COPY:DATSOU is the Robocopy copyflags string that copies every file property: Data, Attributes, Timestamps, Security (NTFS ACLs), Owner, and aUditing (SACL). It is the same as /COPYALL. Each letter is one copyflag, and you combine them in any order. The default when you omit /COPY is DAT (data, attributes, timestamps), which leaves permissions, ownership, and auditing behind.
Here is what each /COPY letter copies, per the official Microsoft Robocopy reference:
| Letter | Copyflag | What it copies | In default DAT? |
|---|---|---|---|
| D | Data | File contents (the bytes) | Yes |
| A | Attributes | Read-only, hidden, system, archive flags | Yes |
| T | Time stamps | Created, modified, accessed times | Yes |
| S | Security | NTFS access control list (ACL), the DACL that controls who can read, write, and execute | No |
| O | Owner information | The file owner (which user or group owns the file) | No |
| U | aUditing information | The SACL, audit entries that record who accessed the file | No |
| X | Skip alt data streams | Excludes NTFS alternate data streams (rarely used) | No |
So the shorthand you may have typed maps like this: /COPY:DAT is the default, /COPY:DATS adds NTFS ACLs (same as /SEC), /COPY:DATSO adds the owner, and /COPY:DATSOU adds auditing on top, which is /COPYALL. Letter order does not matter, so datsou, DATSOU, and DATSO followed by U all parse the same way.
Common /COPY combinations
| Command | Equivalent | What gets copied |
|---|---|---|
/COPY:DAT | default | Data, attributes, timestamps |
/COPY:DATS | /SEC | The above plus NTFS ACLs (security) |
/COPY:DATSO | none | The above plus owner |
/COPY:DATSOU | /COPYALL | Everything, including auditing (SACL) |
What about /DCOPY:DAT?
/COPY controls file properties. /DCOPY controls directory properties, and it uses its own letters: D (data), A (attributes), T (time stamps), E (extended attributes), and X (skip alt data streams). The Microsoft default for /DCOPY is DA (data and attributes), so directory timestamps are not preserved unless you ask for them. /DCOPY:DAT adds the T so folder created and modified times survive the migration too. Note that /DCOPY:E is not part of /COPYALL, so add it explicitly if you need directory extended attributes.
For migrations, use /COPYALL plus /DCOPY:DAT
For a server-to-server NAS or file-share migration, /COPY:DATSOU (or /COPYALL) preserves permissions, ownership, and auditing on files, and pairing it with /DCOPY:DAT preserves directory timestamps that the DA default would drop. You also need elevated rights for S, O, and U, see the requirements below. Not sure which flags fit your scenario? Build and explain a full command with our interactive Robocopy and rsync command builder.
The Flags
Each letter in /COPY:DATSOU controls a different file property:
| Letter | Property | What It Copies | Default? |
|---|---|---|---|
| D | Data | File content (bytes) | Yes |
| A | Attributes | Read-only, hidden, system, archive flags | Yes |
| T | Timestamps | Created, modified, accessed times | Yes |
| S | Security | NTFS ACLs (who can read/write/execute) | No |
| O | Owner | File owner (which user/group owns the file) | No |
| U | Auditing | SACL entries (who accessed what, for compliance) | No |
The default /COPY:DAT copies content, attributes, and timestamps. Everything else is skipped unless you ask for it.
Common Combinations
| Command | What Gets Copied | Use Case |
|---|---|---|
/COPY:DAT | Data + attributes + timestamps | Simple file copy, no permissions |
/COPY:DATS or /SEC | + NTFS ACLs | Copy with permissions preserved |
/COPY:DATSO | + ACLs + owner | Copy with permissions and ownership |
/COPY:DATSOU or /COPYALL | Everything | Full server migration with audit trail |
When Do You Need Each Flag?
Just /COPY:DAT (default)
- Copying files to a USB drive
- Moving data between personal folders
- Any scenario where permissions don’t matter
Add /S (Security)
- Migrating between file servers in the same domain
- Copying departmental shares where ACLs control access
- Any migration where “who can access what” must be preserved
Add /O (Owner)
- Migrating to a new server where file ownership matters for quotas
- Compliance scenarios where you need to prove who created a file
- Multi-department shares where ownership determines responsibility
Full /DATSOU (COPYALL)
- Production file server migrations
- Compliance-regulated environments (healthcare, finance, legal)
- Any scenario where you need an exact 1:1 replica of the source
Requirements
/COPY:DATSOU requires elevated privileges:
- S (Security): The account needs “Manage Auditing and Security Log” privilege, or run as Domain Admin
- O (Owner): Requires “Restore Files and Directories” privilege, or use
/B(backup mode) - U (Auditing): Requires “Manage Auditing and Security Log” privilege
If you don’t have the right privileges, Robocopy will silently skip what it can’t copy. Always check the log file for “ACCESS DENIED” entries.
Robocopy won't tell you it skipped permissions
If Robocopy can’t copy security or ownership, it may continue without error. Your files arrive on the destination with default permissions instead of the source permissions. Always verify with icacls or the Security tab in Explorer after copying.
The Full Command
A production-ready Robocopy command for file server migration:
robocopy \\oldserver\data \\newserver\data /MIR /COPY:DATSOU /DCOPY:DAT /MT:16 /R:3 /W:5 /LOG:C:\logs\migration.log /TEE /NP
| Flag | Purpose |
|---|---|
/MIR | Mirror mode (sync + delete) |
/COPY:DATSOU | All file properties |
/DCOPY:DAT | Directory timestamps and attributes too |
/MT:16 | 16 parallel threads |
/R:3 /W:5 | 3 retries, 5 second wait (not the default 1 million retries) |
/LOG + /TEE | Log to file and console |
/NP | No per-file percentage (cleaner logs) |
What Robocopy Can’t Do
Even with /COPYALL, Robocopy has limits:
- No checksum verification: It copies the bytes but doesn’t prove they arrived intact. “No errors” is not the same as “verified.”
- No cross-protocol support: Robocopy only speaks SMB. If your destination is NFS or S3, you need a different tool.
- No centralized monitoring: Each Robocopy job is a standalone command. No dashboard, no aggregate progress view.
- Share-level permissions are not copied:
/COPY:DATSOUcopies NTFS ACLs, not share permissions. UseGet-SmbShare/New-SmbShareseparately.
Need verification and cross-protocol support?
syncopio copies files across NFS, SMB, and S3 with per-file checksum verification, NTFS ACL preservation, and a real-time web dashboard. No scripting required.
Related
- Robocopy for IT Admins: Scheduled Backups, Mirroring & Beyond, the full guide
- rsync vs rclone vs Robocopy: Which Tool in 2026?, head-to-head comparison
- Directory Permissions After Migration: What Breaks and How to Fix It, permission pitfalls across platforms
- Data Migration Compliance Checklist, for regulated environments