A customer wanted to move a file and have it forget all its old ACLs and instead inherit its ACLs from its new location. They found an old article of mine that said
If you useSHFileOperation
to move a file and pass theFOF_
flag, then it will not preserve the original ACLs on the moved files but will rather recalculate them from the destination's inheritable properties. (If you want to do the same thing in your own code, you can call theNOCOPYSECURITYATTRIBUTES SetNamedSecurityInfo
function, specifying that you want an empty, unprotected DACL.)
They were having trouble implementing the recommendation in parentheses.
We set the file to have an SDDL of D:S:
in order
to give it an empty DACL and SACL,
but instead of inheriting its ACL from the container,
that gave nobody any permissions at all!
How do I get this to work?
The customer was halfway there.
D:S:
is an empty DACL.
Now they need to
make it unprotected.
UNPROTECTED_ | The DACL inherits ACEs from the parent object. |
The customer confirmed that
passing that flag to
SetNamedSecurityInfo
did the trick.