How permissions are handled when you copy and move files and folders

When you copy a file from folder A to folder B the file will inherit the permissions of folder B, as expected.

But when you move (cut and paste) a file from folder A to folder B, it will not inherit the permissions of folder B. Instead it will keep the permissions it had in folder A.

An example helps explain: Suppose you have a folder that only senior management have permission to access, called “Management Files”. You have a file there that you want all staff to have access to, so you move it into the “All Staff” folder by using cut and paste. A staff member tries to access the file but is denied access, even though they have access to the “All Staff” folder!

Note: This only affects Windows 2000, XP and Server 2003. It have been fixed in Vista, Windows 7 and Server 2008.

How to Stop it from Happening

This is documented in Microsoft KB article 310316.

You can modify how Windows Explorer handles permissions when objects are moved in the same NTFS volume. As mentioned, when an object is moved within the same volume, the object preserves its permissions by default. However, if you want to modify this behavior so that the object inherits the permissions from the parent folder, modify the registry as follows

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer create a DWORD called MoveSecurityAttributes and set it to 0.

How to Clean Up After the Fact

You can use the following script to reset permission inheritance of your files, but still preserve the permission structure of your folders.

The following script takes ownership of the given folder and all files/folders beneath it. It then prints a list of files into %temp%\filenames.tmp. This list does not include any folders, only files. It then goes through the list and uses icacls to reset the permission inheritance on each of these files.

Save the script as C:\Windows\system32\fixpermissions.bat

Usage: fixInheritedPermissions.bat <folder>

@echo off
takeown /A /R /D Y /F %1
cd %1
dir /B /S /A-D > %temp%\filenames.tmp
for /f "delims=" %%a in (%temp%\filenames.tmp) do icacls "%%a" /reset
