How do I manually recalculate ACLs on a file based on the containing directory?
A customer wanted to move a file and have it forget all its old ACLs and instead inherit its ACLs from its new location. They found an old article of mine that said
If you use
SHFileOperationto move a file and pass the
FOF_NOCOPYSECURITYATTRIBUTESflag, then it will not preserve the original ACLs on the moved files but will rather recalculate them from the destination’s inheritable properties. (If you want to do the same thing in your own code, you can call the
SetNamedSecurityInfofunction, specifying that you want an empty, unprotected DACL.)
They were having trouble implementing the recommendation in parentheses.
We set the file to have an SDDL of
D:S:in order to give it an empty DACL and SACL, but instead of inheriting its ACL from the container, that gave nobody any permissions at all! How do I get this to work?
The customer was halfway there.
D:S: is an empty DACL. Now they need to make it unprotected.
|UNPROTECTED_DACL_SECURITY_INFORMATION||The DACL inherits ACEs from the parent object.|
The customer confirmed that passing that flag to
SetNamedSecurityInfo did the trick.