NTFS Permission Inheritance Workaround: Solving Move/Copy Limitations Across Same Volume


1 views

When managing file servers, you've likely encountered this scenario: A folder moved between NTFS directories on the same volume mysteriously retains its original permissions instead of inheriting from the new parent. This behavior differs fundamentally from cross-volume operations where inheritance works as expected.

Consider these PowerShell operations:


# Different behavior examples:
Move-Item -Path "\\server\Managers\ProjectX" -Destination "\\server\Technicians\"  # Keeps Managers ACL
Copy-Item -Path "\\server\Managers\ProjectX" -Destination "\\server\Technicians\"  # Inherits Technicians ACL

Instead of client-side registry hacks, implement these robust approaches:

Option 1: PowerShell ACL Reset Script


function Reset-NTFSPermissions {
    param(
        [string]$Path,
        [bool]$PreserveExplicit = $false
    )
    
    $acl = Get-Acl $Path
    if(-not $PreserveExplicit) {
        $acl.SetAccessRuleProtection($false, $false)
    }
    Set-Acl -Path $Path -AclObject $acl
    
    Get-ChildItem $Path -Recurse | ForEach-Object {
        $acl = Get-Acl $_.FullName
        if(-not $PreserveExplicit) {
            $acl.SetAccessRuleProtection($false, $false)
        }
        Set-Acl -Path $_.FullName -AclObject $acl
    }
}

Option 2: Fileserver FSRM Integration

Configure File Server Resource Manager to trigger permission normalization:


# Sample FSRM action definition
$action = New-FsrmAction -Type Command -Command "C:\Scripts\PermissionFixer.exe" 
$condition = New-FsrmFmjCondition -Property "RelativePath" -Condition Equal -Value "\\Corporate\Departments\*"
New-FsrmFileManagementJob -Name "ACL Normalizer" -Namespace "\\fs01\Shares" -Condition $condition -Action $action

Structural changes that mitigate the issue:

  • Implement separate volumes for functionally independent data sets
  • Use DFS namespaces to abstract physical paths
  • Deploy ABE (Access Based Enumeration) to reduce visibility issues

Here's how we automated permission normalization after folder migrations:


# Scheduled task that monitors move operations
$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = "\\corpfs\Departments"
$watcher.Filter = "*.*"
$watcher.IncludeSubdirectories = $true
$watcher.EnableRaisingEvents = $true

Register-ObjectEvent $watcher "Renamed" -Action {
    param($source, $event)
    $newPath = $event.FullPath
    Start-Job -ScriptBlock {
        Start-Sleep -Seconds 10 # Allow operation to complete
        Reset-NTFSPermissions -Path $newPath
    }
}

For large environments:

  • Performance impact of recursive ACL operations
  • Security implications of automated permission changes
  • Audit trail requirements for compliance

When dealing with NTFS permissions on Windows servers, there's a critical behavioral difference between move and copy operations that every system administrator needs to understand:

// Theoretical representation of NTFS behavior
if (operation == MOVE && source.volume == destination.volume) {
    preserveOriginalPermissions();
} else {
    inheritDestinationPermissions();
}

Consider this real-world scenario in a software development shop:

Projects/
├── Alpha/ (DevTeam: RW, QA: R)
└── Beta/  (DevTeam: RW, Managers: RW)

// After moving Alpha to Beta without permission reset:
Beta/
└── Alpha/ (Still has original DevTeam+QA permissions)

Suddenly QA team members can access what should be manager-restricted content because permissions didn't properly inherit.

Here are three technical approaches to solve this:

1. PowerShell Automation

# Force permission inheritance after move
function Repair-NtfsInheritance {
    param([string]$path)
    
    $acl = Get-Acl $path
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $path -AclObject $acl
    Get-ChildItem $path -Recurse | ForEach-Object {
        $_.GetAccessControl().SetAccessRuleProtection($false, $true)
    }
}

# Usage example:
Repair-NtfsInheritance -path "D:\Projects\Beta\Alpha"

2. C# Windows Service Solution

using System.IO;
using System.Security.AccessControl;

public class PermissionWatcher
{
    public static void FixInheritance(string directoryPath)
    {
        var dirInfo = new DirectoryInfo(directoryPath);
        var dirSec = dirInfo.GetAccessControl();
        
        dirSec.SetAccessRuleProtection(false, true);
        dirInfo.SetAccessControl(dirSec);
        
        foreach (var child in dirInfo.GetDirectories("*", SearchOption.AllDirectories))
        {
            var childSec = child.GetAccessControl();
            childSec.SetAccessRuleProtection(false, true);
            child.SetAccessControl(childSec);
        }
    }
}

3. Robocopy Workaround

For one-time operations, you can use robocopy which performs copy+delete rather than true move:

robocopy C:\source\folder D:\dest\folder /E /COPYALL /MOVE
  • Filescreen Filter: Block moves between certain folders using FSRM
  • Group Policy: Redirect folder moves to a script that handles permissions properly
  • Education: Train users to use copy+delete instead of move for permission-sensitive data

For large organizations, consider implementing:

1. File Server Resource Manager (FSRM) rules
2. Custom move handler service
3. Regular permission audit scripts
4. Automated alerting on permission anomalies