From c0a1b9ada51f0d4f03ebd05e45b18b72c1c1142d Mon Sep 17 00:00:00 2001
From: Aneesh Nireshwalia <99904+aneesh-n@users.noreply.github.com>
Date: Sat, 24 Feb 2024 13:28:18 -0700
Subject: [PATCH] Update docs for security descriptors

---
 changelog/unreleased/pull-4611 | 2 +-
 doc/040_backup.rst             | 7 ++++++-
 doc/050_restore.rst            | 5 +++++
 3 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/changelog/unreleased/pull-4611 b/changelog/unreleased/pull-4611
index 940de9c26..a3c7a24d0 100644
--- a/changelog/unreleased/pull-4611
+++ b/changelog/unreleased/pull-4611
@@ -1,7 +1,7 @@
 Enhancement: Back up windows created time and file attributes like hidden flag
 
 Restic did not back up windows-specific meta-data like created time and file attributes like hidden flag.
-Restic now backs up file created time and file attributes like hidden, readonly and encrypted flag when backing up files and folders on windows.
+Restic now backs up file created time and file attributes like hidden, readonly and encrypted flag when backing up files and folders on Windows.
 
 https://github.com/restic/restic/pull/4611
 
diff --git a/doc/040_backup.rst b/doc/040_backup.rst
index d0bd4b2e2..b697e38bd 100644
--- a/doc/040_backup.rst
+++ b/doc/040_backup.rst
@@ -481,12 +481,17 @@ written, and the next backup needs to write new metadata again. If you really
 want to save the access time for files and directories, you can pass the
 ``--with-atime`` option to the ``backup`` command.
 
+Backing up full security descriptors on windows is only possible when the user 
+has ``SeBackupPrivilege``privilege or is running as admin. This is a restriction 
+of windows not restic.
+If either of these conditions are not met, only the owner, group and DACL will 
+be backed up.
+
 Note that ``restic`` does not back up some metadata associated with files. Of
 particular note are:
 
 * File creation date on Unix platforms
 * Inode flags on Unix platforms
-* File ownership and ACLs on Windows
 
 Reading data from a command
 ***************************
diff --git a/doc/050_restore.rst b/doc/050_restore.rst
index 916b11c86..5ab0286f1 100644
--- a/doc/050_restore.rst
+++ b/doc/050_restore.rst
@@ -72,6 +72,11 @@ Restoring symbolic links on windows is only possible when the user has
 ``SeCreateSymbolicLinkPrivilege`` privilege or is running as admin. This is a
 restriction of windows not restic.
 
+Restoring full security descriptors on windows is only possible when the user has
+``SeRestorePrivilege``, ``SeSecurityPrivilege`` and ``SeTakeOwnershipPrivilege`` 
+privilege or is running as admin. This is a restriction of windows not restic.
+If either of these conditions are not met, only the DACL will be restored.
+
 By default, restic does not restore files as sparse. Use ``restore --sparse`` to
 enable the creation of sparse files if supported by the filesystem. Then restic
 will restore long runs of zero bytes as holes in the corresponding files.