0

We have a network share where the NTFS folder permissions indicate a particular user is being denied access and that this permission is being inherited from the parent folder. However, the parent folder has no ACE for this user.

How can this be?

zen

3 Answers

2

This can happen one of two ways, in my experience:

  1. As Shane pointed out, the file was moved from another directory on the same volume/share. Rights are not reset in this instance.
  2. Someone removed the Deny right from a higher level in the directory tree, but hit "cancel" during the (potentially very long) process of propagating that rights change to every object below that point. Files that hadn't been reached yet will show exactly what you're seeing.

There is a third way, but its manifestation changes: the file was restored from backup and the restore didn't reset inherited rights.

sysadmin1138
1

Was the directory moved?

Some Microsoft engineer's brilliant idea was that inherited permissions should be retained through a move, even if the directory is no longer in the scope of the inheritance.

The ACE will then say that it's inherited from "parent," instead of displaying the exact directory where the ACE is defined.

Apparently that behavior made sense in Redmond. See this question for reference.

Shane Madden
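
One way to find the objects described in the two answers above (moved items, or items an interrupted propagation never reached) is to list ACEs that are flagged as inherited but have no inheritable counterpart on the immediate parent. This is an added example, not code from either answer; the function name `Get-OrphanedInheritedAce` and the share path in the usage comment are hypothetical.

```powershell
# Added example: report ACEs marked "inherited" on an object when the
# immediate parent holds no inheritable ACE that could have produced them.
function Get-OrphanedInheritedAce {
    param(
        [Parameter(Mandatory)][string]$Path   # file or folder to check
    )
    $item   = Get-Item -LiteralPath $Path -Force
    $parent = Split-Path -Path $item.FullName -Parent
    if (-not $parent) { return }              # volume root: no parent to compare against

    # A parent ACE reaches child folders via ContainerInherit and files via ObjectInherit.
    $needed = if ($item.PSIsContainer) {
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
    } else {
        [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
    }
    $parentAces = (Get-Acl -LiteralPath $parent).Access |
        Where-Object { $_.InheritanceFlags.HasFlag($needed) }

    foreach ($ace in (Get-Acl -LiteralPath $item.FullName).Access) {
        if (-not $ace.IsInherited) { continue }   # explicit ACEs are out of scope here
        $source = $parentAces | Where-Object {
            $_.IdentityReference.Value -eq $ace.IdentityReference.Value -and
            $_.AccessControlType       -eq $ace.AccessControlType -and
            $_.FileSystemRights        -eq $ace.FileSystemRights
        }
        if (-not $source) {
            # Inherited flag is set, but nothing on the parent explains it.
            [pscustomobject]@{
                Path     = $item.FullName
                Identity = $ace.IdentityReference.Value
                Type     = $ace.AccessControlType
                Rights   = $ace.FileSystemRights
            }
        }
    }
}

# Known limitation: parent ACEs for CREATOR OWNER or with generic rights are
# rewritten when inherited, so they can appear here as false positives.
# Usage (hypothetical path):
# Get-ChildItem -LiteralPath 'D:\Shares\Example' -Recurse -Force |
#     ForEach-Object { Get-OrphanedInheritedAce -Path $_.FullName }
```

Treat the output as candidates to review rather than a definitive list. For an object confirmed to carry stale inherited ACEs, `icacls <path> /reset` replaces its ACL with the default inherited ACEs from the current parent, which also discards any explicit ACEs on that object.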
1

I'm wondering if anyone on Win 2003 Server has tried to create the registry setting MoveSecurityAttributes as suggested in this Microsoft article? This purportedly forces the object to inherit the permissions of the destination folder parent.

Chum