Guest Enthus, Posted May 5, 2008

Hello there,

I have created the below listed folder structure:

D:\Data\CRM

CRM folder does not inherit permissions from data and has system direct ACL (with full access). Whereas files in CRM folder have been set to inherit permissions from CRM. But for some reason, all files under CRM have "system" direct acl instead of inherited ACL. How can I set permissions on CRM folder so that every file that gets copied, created or moved to it, inherits permissions from CRM folder rather than direct ACL?

Guest Roger Abell [MVP], Posted May 6, 2008

"Enthus" <Enthus@discussions.microsoft.com> wrote in message news:0DAE0199-6CE3-44BC-B953-CA68FB7C6B33@microsoft.com...

> Hello there,
> I have created the below listed folder structure:
> D:\Data\CRM
> CRM folder does not inherit permissions from data and has system direct ACL
> (with full access). Where as files in CRM folder have been set to inherit
> permissions from CRM. But for some reason, all files under CRM have "system"
> direct acl instead of inherited ACL. How can I set permissions on CRM folder
> so that every file that gets copied, created or moved to it, inherits
> permissions from CRM folder rather than direct ACL?

A move within one partition will keep the part of its ACL that is directly (not inherited) set on the moved. All other ways of getting content copied or moved into a folder will result in the moved having ACL only as defined for it by the container into which it is moved. For the intrapartition move that keeps the explicit part of the moved's ACL, the moved will (eventually) receive the inheritables defined on the moved into folder.

So, either something set the ACL on those files after they got there, or they had that as direct ACL before the move and they have not yet inherited from the CRM folder.

If you want to guarantee content of CRM is ACLed only via inheritance from CRM, you would need to somehow guarantee that intrapartition move into CRM is not possible, you would need to use the Advanced view in the NTFS permissions dialog to reset the ACLs of what is already in CRM, you would need to guarantee that nothing running with grants allowing it to change permissions uses that and changes permissions of anything in CRM, and finally, you would need to make sure that any account that can create something in CRM can only access CRM via a network share that limits them to Change permissions at most.

That sounds like a pretty heavy-duty list, but it is not that hard to do if you really do want the guarantee, and it is a complete list valid for all older Windows versions using NTFS.

Roger
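
An added example, not part of either post: a PowerShell audit that lists every item under the CRM folder carrying directly set ACEs or blocked inheritance, the state the reply attributes to same-partition moves or later permission changes. The default path is the one from the question, the function name `Get-ExplicitAclItem` is hypothetical, and PowerShell 3.0 or later with `icacls.exe` available is assumed.

```powershell
# Added example: report items under a folder whose DACL is not purely inherited.
# Default path is the one from the question; function name is hypothetical.
param(
    [string]$Root = 'D:\Data\CRM',
    [switch]$Reset    # also rewrite each reported item to inherited-only
)

function Get-ExplicitAclItem {
    param([string]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -Force | ForEach-Object {
        $acl = Get-Acl -LiteralPath $_.FullName
        # ACEs set directly on the item, e.g. carried along by a same-volume move
        $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
        if ($acl.AreAccessRulesProtected -or $explicit.Count -gt 0) {
            [pscustomobject]@{
                Path               = $_.FullName
                InheritanceBlocked = $acl.AreAccessRulesProtected
                ExplicitAces       = ($explicit | ForEach-Object {
                    '{0} {1} {2}' -f $_.IdentityReference, $_.AccessControlType, $_.FileSystemRights
                }) -join '; '
            }
        }
    }
}

$findings = @(Get-ExplicitAclItem -Path $Root)
$findings | Format-List

if ($Reset) {
    foreach ($item in $findings) {
        # icacls /reset replaces the ACL with the default inherited ACL
        & icacls.exe $item.Path /reset /C /Q
        if ($LASTEXITCODE -ne 0) { Write-Warning "reset failed: $($item.Path)" }
    }
}
```

Run it without `-Reset` first; that mode only reads ACLs, so the report can be reviewed before anything is changed.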