Permission settings on a folder not being respected

    Question

  • I have a Windows Server 2k8 SP2 based file server which has various shared folders set up. These are set up so you have:

    site - dept - subfolders

    Access Based Enumeration is employed so that users can only see the folders they have access to. Most of the sites access the folders via Terminal Servers but a user at each site has direct access from their PC to site - dept - subfolder - transfer so that they can transfer edited pictures onto the file server into this one directory and then move them into site - dept - subfolder - pictures from site - dept - subfolder - transfer.

    This works fine for all sites except one. The problem is that for one site when they transfer the pictures they do not take on the permissions set on the folder they are being transferred into.

    All sites are set the same for this.

    Why is one folder not working as it should with the permissions?

     

    Friday, July 09, 2010 11:06 AM

Answers

  • >>This works fine for all sites except one. The problem is that for one site when they transfer the pictures they do not take on
    >>the permissions set on the folder they are being transferred into.

    This sounds like the typical Copy-vs-move or Same-Disk-vs-Different-Disk (volume) copy issue.

    http://support.microsoft.com/kb/310316

    Summary:

    1) On Copy (regardless of same or different disks), the permissions are always inherited from the target folder

    2) On Move (different disks/volumes), the permissions are always inherited from the target folder

    3) On Move (same disk/volume), the permissions are always moved as well.

    4) This behavior of Windows Explorer can be overwritten using the following registry setting

    ForceCopyAclwithFile

    Options 3 and 4 are the most likely cause.

     

     

    • Marked as answer by COTAL1 Friday, July 16, 2010 10:10 AM
    Wednesday, July 14, 2010 9:25 PM
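
The same-volume move case in the answer above leaves files in the destination folder without the accounts that folder grants. This added example, which is not part of the original thread, lists the files directly under a folder whose ACL lacks accounts the folder propagates to files, and can reset them with `icacls /reset`. It assumes PowerShell 3.0 or later; `$DeptPath` and `-Fix` are names chosen for this example.

```powershell
# Added example, not from the thread. Assumes PowerShell 3.0 or later.
# $DeptPath and -Fix are names chosen for this example.
param(
    [Parameter(Mandatory = $true)][string]$DeptPath,
    [switch]$Fix   # reset drifted files so they inherit from $DeptPath again
)

$objectInherit = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit

# Accounts whose ACEs the folder hands down to files (the OI flag in cacls output).
# CREATOR OWNER is skipped: on a child it is replaced by the file owner's account.
$expected = @((Get-Acl -LiteralPath $DeptPath).Access |
    Where-Object { ($_.InheritanceFlags -band $objectInherit) -ne 0 } |
    ForEach-Object { $_.IdentityReference.Value } |
    Where-Object { $_ -ne 'CREATOR OWNER' } |
    Sort-Object -Unique)

foreach ($file in Get-ChildItem -LiteralPath $DeptPath -File) {
    $acl     = Get-Acl -LiteralPath $file.FullName
    $present = @($acl.Access | ForEach-Object { $_.IdentityReference.Value })
    $missing = @($expected | Where-Object { $present -notcontains $_ })

    # A file moved within the volume keeps its old ACL, so accounts granted
    # by the destination folder are absent from it.
    if ($missing.Count -eq 0 -and -not $acl.AreAccessRulesProtected) { continue }

    [pscustomobject]@{
        File                = $file.FullName
        MissingAccounts     = $missing -join '; '
        InheritanceDisabled = $acl.AreAccessRulesProtected
    }

    if ($Fix) {
        # icacls /reset replaces the file's ACL with the ACEs inherited from
        # its parent folder; explicit ACEs on the file are discarded.
        & icacls.exe $file.FullName /reset /q | Out-Null
    }
}
```

Running it without `-Fix` only reports, so the list can be reviewed before any ACL is changed.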

All replies

  • Hi,

    To better understand your problem, could you let us know your detailed configuration so that we can reproduce this problem on our side? And let us know the detailed result of the file moving and what was expected?

    Thanks.


    This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Monday, July 12, 2010 6:34 AM
    Moderator
  • Can you clarify what additional information you need please
    Monday, July 12, 2010 7:15 AM
  • Hi,

    Is this dept folder at the same level as other dept folders?

    Can you please check the advanced security settings for the folder, i.e., is it applied to This folder, subfolders and files?

    Regards,

    Ranjith

    Monday, July 12, 2010 11:50 AM
  • Folder is at same level down as other folders that behave. Security settings are set correctly
    Monday, July 12, 2010 12:30 PM
  • Maybe I'm not getting the scenario right..

    Can you check the effective permission of the file for one of the users on the source and after transferring to transfer folder?

    Monday, July 12, 2010 12:37 PM
  • Before move rights on the computer to the file are domainuser, after move to transfer folder rights are domainuser and transfer security group. After move on the server from transfer to dept rights are still domain user and transfer security group. Dept group does not get added to the security.
    Monday, July 12, 2010 1:53 PM
  • Hi,

    Please help to collect information for research:

     cacls PathOfSubfolder >>ntfs.txt
     cacls pathOfTransfer >>ntfs.txt
     cacls PathOfDept >>ntfs.txt
     
    And let us know which was missing in the ACL list. If you would like other community members to analyze the report, you can paste the content of ntfs.txt here, if not, you can send the file to tfwst@microsoft.com.

    Thanks.


    Tuesday, July 13, 2010 2:08 AM
    Moderator
  • PathOfTransfer

    f:\public2\xxxx\Transfer XXX\admin:(OI)(CI)F
                                 CREATOR OWNER:(OI)(CI)(IO)F
                                 NT AUTHORITY\SYSTEM:(OI)(CI)F
                                 BUILTIN\Administrators:(OI)(CI)F
                                 XXX\site - Transfer:(OI)(CI)F

    PathOfDept

    f:\public2\xxxx\technical\Photos XXX\admin:(OI)(CI)F
                                         CREATOR OWNER:(OI)(CI)(IO)F
                                         NT AUTHORITY\SYSTEM:(OI)(CI)F
                                         BUILTIN\Administrators:(OI)(CI)F
                                         XXX\site - Technical:(OI)(CI)F
                                         XXX\serveradmin:(OI)(CI)(ID)F
                                         CREATOR OWNER:(OI)(CI)(IO)(ID)F
                                         NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
                                         BUILTIN\Administrators:(OI)(CI)(ID)F
                                         XXX\site - Technical:(OI)(CI)(ID)(special access:)
                                                                              DELETE
                                                                              READ_CONTROL
                                                                              WRITE_DAC
                                                                              SYNCHRONIZE
                                                                              FILE_GENERIC_READ
                                                                              FILE_GENERIC_WRITE
                                                                              FILE_GENERIC_EXECUTE
                                                                              FILE_READ_DATA
                                                                              FILE_WRITE_DATA
                                                                              FILE_APPEND_DATA
                                                                              FILE_READ_EA
                                                                              FILE_WRITE_EA
                                                                              FILE_EXECUTE
                                                                              FILE_DELETE_CHILD
                                                                              FILE_READ_ATTRIBUTES
                                                                              FILE_WRITE_ATTRIBUTES

    Tuesday, July 13, 2010 7:51 AM
  • I agree with Gunner999, could you verify if this was the behavior explained by Gunner999? If there is anything we can do for you, please let us know.

    Thanks.


    Friday, July 16, 2010 1:48 AM
    Moderator
  • I found that ForceCopyACLwithFile is broken in Vista/7/8/2008/2008 R2/2012. It only retained all ACLs in XP/2003. Can anyone confirm?
    Sunday, July 14, 2013 12:46 PM