The MoveSecurityAttributes policy affects only how Explorer recalculates ACLs when a file is moved; everybody else is on their own

A customer reported that even though they were deploying Move­Security­Attributes policy to all their machines, it wasn’t working everywhere. “It works fine with the GUI but does not work (i.e., has no effect) when using the Move command at the command prompt.”

That’s right.

The Move­Security­Attributes policy applies to Explorer’s file copy engine, the thing that kicks in when you call SHFile­Operation or use the IFile­Operation interface.

The command prompt doesn’t use either of those functions. It just calls the Move­File­Ex function directly. And that function doesn’t respect UI policy because it’s not a UI function.

The KB article does say this when it finishes talking about the default behavior and starts talking about the policy:

By default…

You can modify how Windows Explorer handles permissions when objects are copied or moved…

(Emphasis mine.)

The article points out that the technique applies only to Windows Explorer. Mind you, it’s not underlined or anything, so somebody in a hurry is like to miss out on that detail.

So here’s a blog entry to make it more clear.