Preserving file rights when copying a folder on Windows Server

file-permissionswindows-server-2012

We have a shared network drive running Windows Server at work.

One of the folders contains sensitive information that should only be visible to a small group of people.

The problem is that if one of those people copy and paste a folder that has read permissions for everyone into the sensitive folder, anyone will be able to access that folder if they go directly to the full path.

If there any way to set up the file server to make 100% sure that all files and folders created or copied anywhere in the tree under x:\sensitive will have the same restricted rights as x:\sensitive?

Best Answer

Please see the file system options documented in this Microsoft Support article: How permissions are handled when you copy and move files and folders

The following setting will alter the default behavior and will preserve the ACL during a copy operation.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
DWORD ForceCopyAclwithFile 1

Note that this must be configured on the client end, so you may use Group Policy Preferences, or something similar, to push it out.

Also related on Serverfault:

Related Solutions

Windows – Migrate folder user permissions in a windows file server migration

The XCOPY command will copy permissions when the "/O" or "/X" switches are set. You can accomplish most simple file/folder/permission migrations just by doing:

XCOPY "source" "destination" /E /X /C /H /K

If you have deep folder hierarchies with long paths you'll need a "heavier duty" tool.

SBS 2008 Folder Share permissions mess

While you are asking for a script, I think that using the GUI to just recursively reset all filesystem permissions on a directory would be a much simpler approach if you just have a handful of directories to reset. The basic outline (stolen from a MSDN blog):

Launch an instance of Windows Explorer

Navigate to the parent of the folder that you want to reset permissions for

Right-click on the folder and choose Sharing and Security...

Click on the Security tab

Click the Advanced button

Set the permissions you want - typically you will want to allow Administrators, System, 7. and Creator Owner to have full control

Check the box labeled Replace permission entries on all child objects with entries shown here that apply to child objects

Click OK

Click Yes in the dialog box that appears asking if you are sure

Wait while Windows recursively applies the specified permissions to all sub-folders and files

The crucial part is obviously the checkbox to replace permission entries on all child objects:

advanced permissions dialog

Also, the idea of having folder permissions narrow down from more restrictive to less restrictive is always an excellent one from the system management standpoint - it is much easier to document and manage this way. However, your observation that

they will never gain appropriate access to the folder inside due to the resultant rule of most restrictive permissions being that they have no rights to parent folder

is inaccurate. Windows does not care about the parent directories when checking access controls. If your users would not click through \server -> \accounting -> document approval in Windows Explorer but simply type (or use a link opening) \\server\accounting\document approval you would see it magically open even when the permissions only allow access for the subdirectory. So don't let it give you a false sense of security, should you ever create such a setup deliberately.

Best Answer

Related Solutions

Windows – Migrate folder user permissions in a windows file server migration

SBS 2008 Folder Share permissions mess

Related Topic