Windows ACL During Explorer Copy – How to Manage

access-control-listcopywindows

I need to prevent the acl subtitution during folder copy and I don't know how to do.
I have two repositories, the source and the destination with different acl. Users have to copy (with windows's file explorer) some folders from source to destination but I want that the copied folder inherit the destination acl. Now I see that the acl are copied and maintained from source to destination.

How to let windows explorer copies folder form source to destination using destination acl inheritance instead of original acl? Mind that source and destination are on the same network volume.

Thanks

Edit

I found that if I copy folders using network paths (ex. \\server\share\folder) everything works as I need (the folder inherit the destination acl), the problem is just if I use mapped network volume (ex. z:\share\folder).

Best Answer

The behavior you describe as the desired one is in fact the default with all versions of Windows. Copied files and directories are re-created at the destination inheriting the permissions of the destination folder.

There are mainly two conditions where this might not be the case:

your users are not copying but moving the files and directories within the same file system. In this case, filesystem ACLs are not changed as a "move" operation is simply re-writing the pointers to the destination in the file system and does not do anything to ACLs (which are stored in a different attribute). This behavior can be changed by setting the MoveSecurityAttributes (DWORD) value in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer key to 0 on all your client machines. Note that for MoveSecurityAttributes to work on newer versions of Windows (on from Vista / Server 2008) you need to install a hotfix as described in MS KB 2617058: "MoveSecurityAttributes" registry subkey does not work in Windows 7, in Windows Vista, in Windows Server 2008 or in Windows Server 2008 R2.
you have changed your Windows users' Explorer default behavior to copy permissions with the file by setting ForceCopyAclwithFile in the HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer key to 1.

Related Solutions

Windows – Useful Command-line Commands on Windows

A little known one is

getmac

It shows the MAC address(es) of your network adapter(s).

Screenshot of running getmac from a Windows commandline window.

How to Workaround NTFS Move/Copy Design Flaw

My approach is to not use file/directory level file permissions; use file share level permissions, and set the whole server filesystem data drive to Everyone Full Control (which becomes moot).

Over the years (10+), I have found that NTFS permissions are more complex and leads to more errors. If the permissions are set wrong, or the inheritance gets broken, you expose data and its hard to find and see it. Plus, you are exposed to the move/copy problem as you say.

Places where you have to use directory/file level ACL's; I know of no other solution than health checking the thing on a regular basis.

Best Answer

Related Solutions

Windows – Useful Command-line Commands on Windows

How to Workaround NTFS Move/Copy Design Flaw

Related Topic