

File security, moving files

Posted on 2002-07-10
Medium Priority
Last Modified: 2012-05-05
Dir1 has ACL of name1, with new inheritance
Dir2 has ACL of name2, with new inheritance
If I move a directory "test" from dir1 to dir2,
where does the directory test inherit its ACL security from? dir1 or dir2?
Seems to me to be from old parent dir1, isn't this messy?
Question by:Gunsen
LVL 17

Accepted Solution

mikecr earned 800 total points
ID: 7143104
Files and folders will always inherit permissions from the root folder that they are copied/moved into if they are moved from one partition to another. However, if they are moved within the same partition, they keep their permissions.

Expert Comment

ID: 7143120
"Test" will maintain its permissions from 'dir1' after being moved because the inherited permissions are not automatically updated.  The permissions will not be changed until the next time the parent propagates its permissions, which occurs when permissions are changed or when inheritance is disabled and then re-enabled for the parent directory. Either of these two actions forces the parent to propagate its permissions.

So the bottom line is:  'Test' will inherit its permissions from 'Dir2', however this inheritance will not take place until the next time permissions for the parent directory are propagated.

Hopefully this will help you out!
LVL 17

Expert Comment

ID: 7143197
Keep in mind, Jehob, that if the box is unchecked on the original folder to inherit permissions from parent, permissions won't be inherited from anywhere as long as it is on the same partition. Only if moved to another partition will this take effect. You would need to reset and propagate permissions on the whole directory structure to overcome this.

Expert Comment

ID: 7143213
Thanks mikecr!  That's a very good point and a possibility that I had not even considered.

Author Comment

ID: 7143214
This shows that moving (on same volume as was my case) is a feature by design.

Anybody have a good practical approach on how to avoid keeping the permissions from Dir1/folder1?
LVL 17

Expert Comment

ID: 7143242
So after you copy the folder you want it to inherit the permissions of the destination, correct? Off the top of my head I wouldn't know how to automate this but you could go into the folder after it's copied and uncheck then recheck the box to inherit permissions from parent. I'll see if there is a resource kit tool or something that might help.
LVL 17

Expert Comment

ID: 7143286
I found this in the Windows 2000 Resource Kit. You could create a batch file to run it with parameters each time that you move a folder and need it to reset the permissions.

XcAcls Syntax


xcacls filename [/T] [/E] [/C] [/G user:perm;spec] [/R user] [/P user:perm;spec [...]] [/D user [...]] [/Y]


filename
indicates the name of the file or directory to which the access control list (ACL) or access control entry (ACE) should be applied. All standard wildcard characters can be used.
/T
recursively walks through the current directory and all its subdirectories, applying the chosen access rights to the matching files and/or directories.
/E
edits the ACL instead of replacing it. If you specify the following command line:

XCACLS test.dat /G Administrator:F

only the Administrator has access to TEST.DAT. All ACEs applied earlier are lost.
/C
causes XcAcls to continue if an "access denied" error occurs. If /C is not specified, XcAcls stops on this error.
/G user:perm;spec
grants access to user to the matching file or directory. The perm variable applies the specified access right to files and represents the special file-access-right mask for directories. The Perm variable accepts the following values:
Change (write)
Full Control
Change Permissions (special access)
Take Ownership (special access)
EXecute (special access)
REad (Special access)
Write (Special access)
D Delete (Special access)
The spec variable applies only to directories, and accepts the same values as perm, with the addition of the following special value:

NoT Specified. Sets an ACE for the directory itself without specifying an ACE that is applied to new files created in that directory. At least one access right has to follow. Entries between ; and T will be ignored.


The access options for files (for directories, special file access and special directory access) are identical. For detailed explanations of these options, see the Windows 2000 operating system documentation.
All other options, which can also be set in Windows Explorer, are subsets of all possible combinations of the basic access rights. Therefore, there are no special options for directory access rights like LIST or READ.

/R user
revokes all access rights for the specified user.
/P user:perm;spec
replaces access rights for user. The rules for specifying perm and spec are the same as for the /G option. See XcAcls Examples.
/D user
denies access to the file or directory for user.
/Y
disables confirmation when replacing user access rights. By default, CACLS asks for confirmation. Because of this feature, when CACLS is used in a batch routine, the routine hangs until the right answer is entered. The /Y option was introduced to avoid this confirmation, so XcAcls can be used in batch mode.

Expert Comment

ID: 7143306
There seems to be no real "practical" approach to automating the process available from Microsoft, however you can use VBS to accomplish this.  The article below shows how you can use a VBScript to automate this process:


Personally I am not real familiar with VB script so I would probably just stick with the manual approach of unchecking and rechecking the box to inherit permissions, but that's just me!

Author Comment

ID: 7143343
Well, actually I have 4000 directories (that is, parental directories like Dir1, with inheritable ACL for all subdirectories) in a world-wide WAN, and it's the end-users that do the copying!  So hope for a good solution to this....(?) :-(

btw: 25000 users....
LVL 17

Expert Comment

ID: 7143379
Are they copying from one machine to another? If they are, they will inherit from where they are copying to. Is that what you want?

Author Comment

ID: 7143397
No, the problem only appears when dragged & dropped or cut & pasted on the same volume...
LVL 17

Expert Comment

ID: 7143408
At that point you're definitely going to have to reset permissions on these directories either manually or using an automated tool like xcacls or the vbscript.
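
An audit for the situation described in this thread, added here as an example and not posted by any participant: it lists the subfolders of one parent whose inherited ACEs no longer come from that parent (the state a same-volume move leaves behind) and, with -Fix, resets them. It swaps in PowerShell's Get-Acl and the built-in icacls in place of xcacls or VBScript; the parameter names and the "Stale" heuristic (comparing trustees and allow/deny only, not the rights masks, on direct children only) are assumptions of this example.

```powershell
# Added example, not from the thread. Reports subfolders of $Parent whose
# inherited ACEs no longer match what $Parent hands down to its children.
param(
    [Parameter(Mandatory)][string]$Parent,   # placeholder, e.g. the "Dir2" of the question
    [switch]$Fix                             # without -Fix the script only reports
)
$sidType      = [System.Security.Principal.SecurityIdentifier]
$creatorOwner = 'S-1-3-0'                    # well-known SID of CREATOR OWNER
$ci = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit

# Reduce a rule list to a sorted "Allow|SID;Deny|SID" string, leaving out $skip
function Get-TrusteeKey($rules, $skip) {
    ($rules | Where-Object { $skip -notcontains $_.IdentityReference.Value } |
        ForEach-Object { '{0}|{1}' -f $_.AccessControlType, $_.IdentityReference.Value } |
        Sort-Object -Unique) -join ';'
}

# ACEs on the parent that are flagged to flow down to subfolders
$inheritable = @((Get-Acl -LiteralPath $Parent).GetAccessRules($true, $true, $sidType) |
    Where-Object { $_.InheritanceFlags.HasFlag($ci) })
$hasCreatorOwner = @($inheritable |
    Where-Object { $_.IdentityReference.Value -eq $creatorOwner }).Count -gt 0

foreach ($dir in Get-ChildItem -LiteralPath $Parent -Directory) {
    $acl  = Get-Acl -LiteralPath $dir.FullName
    # CREATOR OWNER is replaced by the folder's owner when it is inherited, so
    # leave both out of the comparison when the parent uses it
    $skip = @($creatorOwner)
    if ($hasCreatorOwner) { $skip += $acl.GetOwner($sidType).Value }

    $expected = Get-TrusteeKey $inheritable $skip
    $actual   = Get-TrusteeKey ($acl.GetAccessRules($false, $true, $sidType)) $skip

    $state = 'Current'
    if ($acl.AreAccessRulesProtected) { $state = 'InheritanceBlocked' }  # "inherit" box unchecked
    elseif ($expected -ne $actual)    { $state = 'Stale' }               # still carries old parent's ACEs

    [pscustomobject]@{ Folder = $dir.FullName; State = $state
                       Expected = $expected; Inherited = $actual }

    if ($Fix -and $state -eq 'Stale') {
        # icacls /reset replaces the ACL with the one inherited from the current
        # parent; explicit ACEs on the folder are removed too.
        # /T recurses into the subtree, /C continues past access-denied errors.
        icacls $dir.FullName /reset /T /C | Out-Null
    }
}
```

Folders reported as InheritanceBlocked are left alone even with -Fix, since inheritance was turned off on them deliberately or by accident and that needs a decision by the folder's owner.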

Expert Comment

ID: 7322280

Not sure if this is at all helpful, but I am working on a tool that can set NTFS permissions in Batch mode. You feed it the CSV file (exported from your Excel worksheet) with folder/group or user/permission list and it will go through the list and assign specified permissions and create detailed log of everything it did. The tool is still in beta, and if you would like to give it a try, email me at vovkah@yahoo.com and I can set you up with a copy.


Expert Comment

ID: 8384107
Please take care of your open questions older than 30 days.   I am posting in all of them.   Please see:

If you have further questions, feel free to post them in Community Support:

I will return in 72 hours to see if this has been completed.  If it has not, I have an obligation to turn your account over to site administration.

Community Support Moderator @Experts Exchange

Expert Comment

ID: 10069492
Does someone have a solid answer for this question? I don't mind installing some scripts to automate the process of updating ACL when moving files/folders.  But the solution posted by Microsoft seems to be a manual process.  I cannot ask my end-users to run the script every time they move some files/folders.

It seems to me this is a very common problem that appears in a business network.  Yet, I see so few postings on the web regarding this matter.  Am I correct?

Many thanks to people who participate in this thread.

