Direct ACL

Enthus

Hello there,
I have created the below-listed folder structure:
D:\Data\CRM
The CRM folder does not inherit permissions from Data and has a direct (explicit) ACL for SYSTEM (with full access), whereas files in the CRM folder have been set to inherit permissions from CRM. But for some reason, all files under CRM have a direct "SYSTEM" ACL instead of an inherited one. How can I set permissions on the CRM folder so that every file that gets copied, created or moved into it inherits permissions from the CRM folder rather than carrying a direct ACL?
 
Roger Abell [MVP]

"Enthus" <Enthus@discussions.microsoft.com> wrote in message
news:0DAE0199-6CE3-44BC-B953-CA68FB7C6B33@microsoft.com...
> Hello there,
> I have created the below-listed folder structure:
> D:\Data\CRM
> CRM folder does not inherit permissions from data and has system direct ACL
> (with full access). Whereas files in CRM folder have been set to inherit
> permissions from CRM. But for some reason, all files under CRM have "system"
> direct acl instead of inherited ACL. How can I set permissions on CRM folder
> so that every file that gets copied, created or moved to it, inherits
> permissions from CRM folder rather than direct ACL?


A move within one partition will keep the part of its ACL that
is directly (not inherited) set on the moved item. All other ways of
getting content copied or moved into a folder will result in the
moved item having only the ACL defined for it by the container into
which it is moved. For the intrapartition move that keeps the
explicit part of the moved item's ACL, the moved item will (eventually)
receive the inheritable entries defined on the folder it was moved into.

So, either something set the ACL on those files after they
got there, or they had that as a direct ACL before the move and
they have not yet inherited from the CRM folder.

If you want to guarantee that the content of CRM is ACLed only via
inheritance from CRM: you would need to somehow guarantee
that an intrapartition move into CRM is not possible; you would
need to use the Advanced view in the NTFS permissions dialog
to reset the ACLs of what is already in CRM; you would need
to guarantee that nothing running with grants allowing it to
change permissions uses them to change the permissions of
anything in CRM; and finally, you would need to make sure
that any account that can create something in CRM can only
access CRM via a network share that limits it to Change
permissions at most.

That sounds like a pretty heavy-duty list, but it is not that hard
to do if you really do want the guarantee, and it is a complete
list, valid for all older Windows versions using NTFS.

Roger
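The "reset the ACLs of what is already in CRM" step from the reply above, as an added PowerShell example that is not part of the thread or any poster's own code. It walks D:\Data\CRM (the path is taken from the original post; the `-Fix` switch and the output shape are this example's own assumptions), lists every file and subfolder that still carries explicit (non-inherited) ACEs or has inheritance disabled, and, only when asked, re-enables inheritance and strips the explicit entries so the item carries exactly what CRM hands down. The CRM folder itself is deliberately left alone, because the poster wants it to keep its own protected ACL.

```powershell
# Added example, not code from the original thread. Run in an elevated
# PowerShell on the file server. Path taken from the post; -Fix is an
# assumed parameter name for this script.
param(
    [string]$Root = 'D:\Data\CRM',
    [switch]$Fix
)

# Collect every item under $Root (not $Root itself) that either has
# inheritance switched off or carries at least one explicit ACE.
# Explicit ACEs are exactly the "direct ACL" entries the poster sees.
function Get-ExplicitAclItems {
    param([string]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -Force | ForEach-Object {
        $acl    = Get-Acl -LiteralPath $_.FullName
        $direct = @($acl.Access | Where-Object { -not $_.IsInherited })
        if ($direct.Count -gt 0 -or $acl.AreAccessRulesProtected) {
            [pscustomobject]@{
                Path      = $_.FullName
                Protected = $acl.AreAccessRulesProtected   # inheritance disabled?
                Direct    = ($direct | ForEach-Object {
                                "$($_.IdentityReference):$($_.FileSystemRights)"
                            }) -join '; '
            }
        }
    }
}

# Reset one item so that it is ACLed only through inheritance:
#  1. SetAccessRuleProtection($false, $false) re-enables inheritance; the
#     second $false says "do not copy inherited rules into explicit ones".
#  2. Remove every remaining explicit ACE (RemoveAccessRuleSpecific only
#     touches explicit entries; inherited ones are untouched).
function Reset-ToInheritedOnly {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($false, $false)
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRuleSpecific($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

$items = @(Get-ExplicitAclItems -Path $Root)
if ($items.Count -eq 0) {
    Write-Host "Everything under $Root is ACLed via inheritance only."
    return
}

# Audit output first; nothing is changed unless -Fix is given.
$items | Format-Table -AutoSize

if ($Fix) {
    foreach ($item in $items) {
        Reset-ToInheritedOnly -Path $item.Path
        Write-Host "Reset: $($item.Path)"
    }
    # Re-audit so the operator sees the end state, not just the intent.
    @(Get-ExplicitAclItems -Path $Root) | Format-Table -AutoSize
}
```

Run it once without `-Fix` to see which items carry direct entries and which identity put them there; that answers the "something set the ACL after they got there, or they had it before the move" question before anything is changed. The same reset for all children can also be done with the built-in `icacls "D:\Data\CRM\*" /reset /T /C`, but note that running `/reset` against `D:\Data\CRM` itself would make CRM inherit from Data again, which is the opposite of what the poster set up. None of this prevents a future same-volume move from bringing explicit ACEs back in; that is the share-level "Change at most" and intrapartition-move part of the reply, not something a one-off reset can solve.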