We stumbled across some strange ACL problems when moving files on our file server (2008 R2).

The first time we saw this problem, we thought it was a server problem, because moving files from one file share to another on the same server led to inconsistent ACLs on the moved files. All ACLs were inherited from the root folder, so a file moved from one share to another should inherit the ACLs as well. But that wasn’t the case.
After a bit of research we found some entries and a hotfix from Microsoft that address this issue. They can be found via Google by searching for MoveSecurityAttributes.
For Windows XP you can set a registry key to solve this problem. To solve it on Windows 7 you have to download a hotfix and apply the registry key to your client so that ACLs are handled correctly when moving files.
Everything worked perfectly until another email about inconsistent ACLs hit our ticket system.
We investigated again and checked everything. The problem no longer occurs when moving files from one share to another on the same server. But this case has nothing to do with moving files from one share to another. It occurs when we move a file within a share to another subfolder with different permissions.

Let me explain that.

Example 1 (solved by MoveSecurityAttributes)

Location: \\ad\share1\file1.txt
Folder-ACL: rol-grp-share1-RW

Moved to

Location: \\ad\share2\file1.txt
Folder-ACL: rol-grp-share2-RW

File permissions of file1.txt: rol-grp-share2-RW (correct)

Example 2 (not solved by MoveSecurityAttributes)

Location: \\ad\share1\subfolder1\file1.txt
Folder-ACL: rol-grp-share1-subfolder1-RW

Moved to

Location: \\ad\share1\subfolder2\file1.txt
Folder-ACL: rol-grp-share1-subfolder2-RW

File permissions of file1.txt after moving: rol-grp-share1-subfolder1-RW (incorrect)

As you can see, moving files across shares does inherit the ACL from above, but moving files inside a share from one folder to another with different ACLs doesn’t inherit the ACL.
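One way to find files left in the state of Example 2 is to compare each file's inherited ACEs with the ACEs its current parent folder passes down to files. The script below is an added example, not part of the original post. It assumes Windows PowerShell 3.0 or later, uses the share path from the examples as a default, and compares principals and allow/deny type only.

```powershell
# Added example (not from the original post). Requires Windows PowerShell 3.0+.
# Reports files whose inherited ACEs do not match what the parent folder
# currently passes down to files, as in Example 2.
param([string]$Root = '\\ad\share1')   # share path taken from the post's examples

$objectInherit = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
$parentCache   = @{}                   # folder path -> ACE keys inherited by files

function Get-AceKey($Ace) {
    # Assumption: compare principal and allow/deny only; rights masks are
    # ignored because they can be remapped when an ACE is inherited.
    '{0}|{1}' -f $Ace.IdentityReference.Value, $Ace.AccessControlType
}

Get-ChildItem -LiteralPath $Root -Recurse -File | ForEach-Object {
    $file = $_
    $dir  = $file.DirectoryName
    if (-not $parentCache.ContainsKey($dir)) {
        # Only ACEs flagged ObjectInherit propagate to files. CREATOR OWNER is
        # skipped (English name assumed): it is replaced by the owner on the child.
        $parentCache[$dir] = @(
            (Get-Acl -LiteralPath $dir).Access |
                Where-Object { ($_.InheritanceFlags -band $objectInherit) -and
                               $_.IdentityReference.Value -ne 'CREATOR OWNER' } |
                ForEach-Object { Get-AceKey $_ }
        )
    }
    $expected = $parentCache[$dir]

    $acl = Get-Acl -LiteralPath $file.FullName
    if ($acl.AreAccessRulesProtected) { return }   # inheritance disabled on purpose

    $actual = @($acl.Access | Where-Object { $_.IsInherited } |
                ForEach-Object { Get-AceKey $_ })

    $stale   = @($actual   | Where-Object { $expected -notcontains $_ })
    $missing = @($expected | Where-Object { $actual   -notcontains $_ })

    if ($stale.Count -or $missing.Count) {
        [pscustomobject]@{
            File    = $file.FullName
            Stale   = $stale -join '; '     # inherited from the old folder
            Missing = $missing -join '; '   # expected from the current folder
        }
    }
}
```

A file whose parent carries a CREATOR OWNER entry shows its owner under Stale, so review the output before acting on it. Running `icacls <file> /reset` on a reported file replaces its ACL with the one inherited from the current parent.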

This is one of the next calls we will report to Microsoft.