This thread on TechNet says SYSTEM needs full control. Not a very official source however, and further testing proves that it is wrong.
DFS Replication Service
I took a look at the DFS services on my Server 2008R2 machine with Process Explorer. dfsrs.exe, the Distributed File System Replication service, runs as "NT Authority\SYSTEM". However, it has SeBackupPrivilege and SeRestorePrivilege:
From Microsoft Privilege Constants:
SeBackupPrivilege - Required to perform backup operations. This privilege causes the system to grant all read access control to any file, regardless of the access control list (ACL) specified for the file. Any access request other than read is still evaluated with the ACL.
SeRestorePrivilege - Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file.
With those permissions, the DFS Replication Service can ignore any file permissions - it is given permission to read, write, and set permissions on any file it pleases.
Testing
I created a folder in one of my DFS shares with a few files in it, set my account as the owner, and removed all permissions except for my account.
DFS replicated it to all the other servers without issue, and all the replicas had the same permissions.
Thus DFS is not dependent on any file system permissions to replicate.
I suspect in your case simply making any changes to the files would have caused DFS to wake up and see that they needed replicating. No idea what would have caused that situation in the first place though.
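The test described above can be repeated with a script. This is an added example, not part of the original answer: the UNC paths, the timeout and the probe file name are placeholders to replace with a folder inside your own replicated folder.

```powershell
# Placeholders (assumptions): one folder inside your own replicated folder,
# given as its path on the member you write to and on each other member.
$Source   = '\\SERVER1\Data\acl-test'
$Replicas = @('\\SERVER2\Data\acl-test', '\\SERVER3\Data\acl-test')
$Timeout  = 600   # seconds to wait for each replica

# Create the test folder with a file in it.
New-Item -ItemType Directory -Path $Source -Force | Out-Null
Set-Content -Path (Join-Path $Source 'probe.txt') -Value 'DFSR ACL test'

# Make the current account the owner and the only entry in the DACL:
# /inheritance:r drops inherited ACEs, /grant:r replaces explicit ones.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
icacls $Source /setowner $me | Out-Null
icacls $Source /inheritance:r /grant:r "${me}:(OI)(CI)F" | Out-Null

# Owner, group and DACL of the source folder as one SDDL string.
$want = (Get-Acl -Path $Source).Sddl

# SDDL abbreviates LocalSystem as SY; confirm it has no ACE on the folder.
if ($want -match ';SY\)') {
    Write-Warning 'SYSTEM still has an ACE on the source folder'
}

foreach ($replica in $Replicas) {
    $deadline = (Get-Date).AddSeconds($Timeout)
    $got = $null
    do {
        # The folder can arrive before its final ACL, so keep polling.
        if (Test-Path -Path $replica) { $got = (Get-Acl -Path $replica).Sddl }
        if ($got -eq $want) { break }
        Start-Sleep -Seconds 15
    } while ((Get-Date) -lt $deadline)

    # One result object per replica: did the owner and DACL arrive unchanged?
    New-Object PSObject -Property @{
        Replica = $replica
        Match   = ($got -eq $want)
        Sddl    = $got
    }
}
```

A `Match` of `True` on every replica, with no `SY` entry in the SDDL, reproduces the result above: the folder replicated with its ACL intact although SYSTEM has no access entry on it.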
You want Traverse Folder and List Folder like you've listed and you want to set the drop down at the top to This folder only. Then you need to set whatever other permissions you want that user to have on the explicit subfolder that they should have access to.
If you can't get into the root folder with what you've posted, it's likely because of the folder's share permissions and not the NTFS permissions - double check those.
Best Answer
You might want to try AccessEnum