We help IT Professionals succeed at work.

Window 7 clients - how to control Cut & Paste permissions inheritance behavior

On most of the windows 7 clients on our domain, when a user cuts a file from a low security folder and pastes it into a higher security folder on the same share the file inherits the the higher security permissions from its new parent folder.
However, one of our users has recently discovered that behavior changed on his computer so that the pasted files are now retaining their lower security permissions from their previous parent instead of inheriting the new ones.
My question is where is this behavior controlled on a windows 7 pro machine?
I see that you could alter the behavior of permissions inheritance on XP via a registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer create a DWORD called MoveSecurityAttributes
but that doesn't seem to work on windows 7.
Comment
Watch Question

Top Expert 2012

Commented:
That's rather strange.

The bottom line is this:  if you move a file within the same partition, it retains the NTFS permissions of the original location.  In any other copy or move scenario, it will inherit the permissions of the destination.
Top Expert 2012
Commented:
To elaborate a bit further, I have encountered similar situations to the one you describe.  If your end-users are concerned about their files & folders inheriting the permissions of the destination when they move (a.k.a. cut/paste) them, I found that the easiest solution was to have them open two Windows Explorer windows, copy them to the destination, and then delete the original version.

Just something to consider.
Distinguished Expert 2019

Commented:
The issue depends on whether the files that are being moved around are configured to inherit the setting from the parent, or whether they were separated from the parent with the setting at the time copied.
security tab\advanced

cacls directory/file and see what the settings for the directory/files are inherited from parent.

You could use cacls to reset the permissions, but you may want to first determine why they were changed in the first place to make sure that there was a reason why the change was made.

Author

Commented:
Yes, the files inheritance setting is enabled and if the user 'copies' rather than 'moves' the file it inherits from the new parent folder as expected and desired.
That is our current workaround.
What I hope to learn is why the behavior changed , why it is not consistent on other machines, and how it can be altered.
The exact same file being 'moved' by the same user logged onto another pc, and even by a different user on that same pc, treats the move as a 'copy' at the new location and the file inherits the new parent folder permissions.
So it seems to be something in that user's profile on that machine, but I don't know what or how to change it back.
Distinguished Expert 2019
Commented:
Check the settings of the files being moved as they relate to the user.

Check user GPO setting to see whether that is somehow different/restricts what the user can do.
I have partially resolved this and will go ahead and close.
I'm giving points to Run5K for providing a workaround with the 'copy' instead of 'move' since i didn't mention we were already doing that.
And Points to Arnold for recommending checking GPO which kind of got me where I wanted to be...
Not GPO specifically, but group membership differences.
Also I had bad info in my second comment (lost track of who was logged in on which client when testing)

Here's what I've found:

When a Windows 7 user (on a domain) is transferring a file from one folder to another on the same share (hosted on a windows 2008 server) with both source and destinations folders having 'inherit permissions' checked, a determining factor in whether the file does in fact inherit the destination folders permission settings is whether or not the user is a member of the localhost's Administrator's group.
If the user is not assigned to the localhost's administrators group directly or via other group membership then 'COPY' inherits destination permissions and 'MOVE' keeps source folder permissions.
However, If the user IS assigned to the localhost's administrators group then 'COPY' and 'MOVE' both inherit the destination folder permissions.

(BTW- This appears to be just a windows 7 issue. XP logins did NOT behave the same way. 'MOVE' DID NOT and 'COPY' DID inherit destination folder settings regardless of membership in localhost\admins group)

Author

Commented:
I don't feel like the answer is complete.
I know how to adjust the behavior now, but I don't know if this is the best or only way. providing membership to the local administrator's group doesn't seem like a very smart way to modify the behavior. It seems like there would be (and there probably is?) some way to make 'MOVE' behave as 'COPY' for Windows 7 domain users via some GPO setting.