The MoveSecurityAttributes policy affects only how Explorer recalculates ACLs when a file is moved; everybody else is on their own
A customer reported that even though they were deploying
MoveSecurityAttributes policy to all their machines, it wasn’t working everywhere. “It works fine with the GUI but does not work (i.e., has no effect) when using the Move command at the command prompt.”
MoveSecurityAttributes policy applies to Explorer’s file copy engine, the thing that kicks in when you call
SHFileOperation or use the
The command prompt doesn’t use either of those functions. It just calls the
MoveFileEx function directly. And that function doesn’t respect UI policy because it’s not a UI function.
The KB article does say this when it finishes talking about the default behavior and starts talking about the policy:
You can modify how Windows Explorer handles permissions when objects are copied or moved…
The article points out that the technique applies only to Windows Explorer. Mind you, it’s not underlined or anything, so somebody in a hurry is like to miss out on that detail.
So here’s a blog entry to make it more clear.