How do I manually recalculate ACLs on a file based on the containing directory?

Raymond Chen

A customer wanted to move a file and have it forget all its old ACLs and instead inherit its ACLs from its new location. They found an old article of mine that said

If you use SH­File­Operation to move a file and pass the FOF_NO­COPY­SECURITY­ATTRIBUTES flag, then it will not preserve the original ACLs on the moved files but will rather recalculate them from the destination’s inheritable properties. (If you want to do the same thing in your own code, you can call the Set­Named­Security­Info function, specifying that you want an empty, unprotected DACL.)

They were having trouble implementing the recommendation in parentheses.

We set the file to have an SDDL of D:S: in order to give it an empty DACL and SACL, but instead of inheriting its ACL from the container, that gave nobody any permissions at all! How do I get this to work?

The customer was halfway there. D:S: is an empty DACL. Now they need to make it unprotected.

UNPROTECTED_DACL_SECURITY_INFORMATION The DACL inherits ACEs from the parent object.

The customer confirmed that passing that flag to Set­Named­Security­Info did the trick.


Discussion is closed.

Feedback usabilla icon