Windows 2008R2 Move Files Behavior -- Is there a MoveSecurityAttributes solution?
Hello, I am researching a solution for when users move a file or folder from one location to another on a volume. What is happening is that Windows is preserving the original permissions of the file as it is supposed to do for a move -- even if the file is dropped under another folder where permissions "should" flow down. For Windows 2003, there was a fix that had to be implemented on each user's workstation to modify HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer to add a DWORD of MoveSecurityAttributes set to 0. This does not affect behavior for Windows 2008R2 shares. Is there a workaround other than educating users to copy and then delete the old file? Thanks!
June 25th, 2010 9:08pm

Hello tinaschifano, Please see this thread: http://social.technet.microsoft.com/Forums/en-US/winserverfiles/thread/1d5c2e14-519b-4bf6-946f-edf89c02c271#26efebbf-de9e-44c0-bd1f-42a94bda0227
Best regards, Harry
This posting is provided "AS IS" with no warranties, and confers no rights.
June 25th, 2010 9:22pm

Thanks Harry. I had already found that article, applied the setting to my workstation where I was logged on as an admin, and the fix worked. Then, I created a GPO and pushed out the setting to my test user, but permissions did not change when I moved the file. I guess I got so excited that I failed to notice that the user has to have the special permission of "change permissions" which a user with Modify rights does not have. See below -- an extract from the TID:

You can modify how Windows Explorer handles permissions when objects are moved in the same NTFS volume. As mentioned, when an object is moved within the same volume, the object preserves its permissions by default. However, if you want to modify this behavior so that the object inherits the permissions from the parent folder, modify the registry as follows:

Click Start, click Run, type regedit, and then press ENTER.
Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
On the Edit menu, click Add Value, and then add the following registry value:
Value name: MoveSecurityAttributes
Data type: DWORD
Value data: 0
Exit Registry Editor.
Make sure that the user account that is used to move the object has the Change Permissions permission set. If the permission is not set, grant the Change Permissions permission to the user account.

So, I am disappointed at this point. I wish that rights could just flow down, even if a file is moved to a different folder with rights set to flow down. Thanks! Tina
June 26th, 2010 1:45am

Hi, On July 1st we will be making Windows Server 2008 R2 General forum read only. After receiving a lot of feedback from the community, it was decided that this forum is a duplication and therefore redundant of the General Forum. So, until July 1st, we will start asking customers to redirect their questions to the General Forum. On June 11th, CSS engineers will move any new threads to the General Forum. Please post a reply to the announcement thread if you have any feedback on this decision or the process. You can also email WSSDComm@microsoft.com. Thanks. Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
June 29th, 2010 1:23pm

Hi, Could you explain what "flow down" means? The clearer the better. Thanks.
June 29th, 2010 1:25pm

Hi Tina, I tested on a Windows Server 2008 R2 system and the result is that the moved file/folder gets inherited permissions from the parent folder. Could you let us know more about your client and detailed test steps so that we can try to reproduce your problem? How did you configure the GPO? How did you test on the client? If the client is Windows XP or Windows Server 2003, you may try the following fix: When you try to move files from one network drive to another network drive, the files keep permissions from the source folders on a client computer that is running Windows XP or Windows Server 2003 http://support.microsoft.com/kb/945272 Thanks.
July 1st, 2010 5:33am

The workstations are Windows XP. I had already tried to download that patch, and I am not able to apply it because we are patched more current. The test scenario is that a user has Modify or Change rights to the files, but they do not have rights to modify permissions. They are logged into their Windows XP workstation, and they move files from one location to another location, and the rights from the parent folder of the new location do not flow down. Just to level set here, the user sees the shares as G:\Share1 and G:\Share2. When they move the subfolder from G:\Share1 to G:\Share2, the original rights are retained. Microsoft does have a TID I referenced earlier that states the user needs the "change permissions" rights which we do not want to grant. Thanks!
July 6th, 2010 11:45pm

Hi, how are you moving the files? Through robocopy?
August 24th, 2010 11:07am

Anyone have an update on this? This is a major roadblock for us migrating to Windows 7. Without the MoveSecurityAttributes registry key, users are able to move folders/files from one folder to another and cause security breaches since the original permissions are kept which can include users/groups that should not have access in the new destination. This registry key allowed us to make sure that no matter what operations an end-user did on the files, that the security was properly applied in accordance to the destination folder. This was actually "built-in" in Vista and was removed for Windows 7. Anyone working on a solution or have other options that an END USER can use? (not a robocopy, or other tool solution) Thanks, Martin Lafontaine
October 26th, 2010 4:46pm
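
An administrator-side check for the condition described in the post above, as an added example that is not part of the thread: it walks a share and lists items whose inherited ACEs differ from what the destination parent would propagate, which is the state a same-volume move leaves behind. The function name `Get-AclDrift` and the output property names are hypothetical; ACEs belonging to CREATOR OWNER and to the item's owner are left out of the comparison, so it is a heuristic.

```powershell
# Added example, not from the thread. Read-only heuristic: report items whose
# inherited ACEs differ from what the parent folder would propagate.
function Get-AclDrift {
    param([Parameter(Mandatory)][string]$Root)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $inheritFlags = [System.Security.AccessControl.InheritanceFlags]
    $creatorOwner = 'S-1-3-0'        # rewritten to the owner's SID on the child
    $genericMap = @(                 # generic right -> file-specific rights
        @(0x10000000, 0x1F01FF),     # GENERIC_ALL
        @(0x20000000, 0x1200A0),     # GENERIC_EXECUTE
        @(0x40000000, 0x120116),     # GENERIC_WRITE
        @(0x80000000, 0x120089))     # GENERIC_READ
    # Key an ACE by trustee SID, allow/deny and normalized rights.
    $toKey = {
        param($ace)
        $rights = [int]$ace.FileSystemRights
        foreach ($m in $genericMap) {
            if ($rights -band $m[0]) { $rights = ($rights -band (-bnot $m[0])) -bor $m[1] }
        }
        '{0}|{1}|{2}' -f $ace.IdentityReference.Value, $ace.AccessControlType, $rights
    }

    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $item = $_
        $flag = if ($item.PSIsContainer) { $inheritFlags::ContainerInherit } else { $inheritFlags::ObjectInherit }
        try {
            $acl  = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
            $pAcl = Get-Acl -LiteralPath ([System.IO.Path]::GetDirectoryName($item.FullName)) -ErrorAction Stop
        } catch { return }   # unreadable ACL: skip this item
        # Owner-derived ACEs cannot be told apart from CREATOR OWNER substitutions, so skip both.
        $skip = $creatorOwner, $acl.GetOwner($sidType).Value
        $expected = @($pAcl.GetAccessRules($true, $true, $sidType) |      # parent: explicit + inherited
            Where-Object { ($_.InheritanceFlags -band $flag) -and $_.IdentityReference.Value -notin $skip } |
            ForEach-Object { & $toKey $_ })
        $actual = @($acl.GetAccessRules($false, $true, $sidType) |        # item: inherited only
            Where-Object { $_.IdentityReference.Value -notin $skip } |
            ForEach-Object { & $toKey $_ })
        $stale   = @($actual   | Where-Object { $_ -notin $expected } | Sort-Object -Unique)
        $missing = @($expected | Where-Object { $_ -notin $actual }   | Sort-Object -Unique)
        if ($acl.AreAccessRulesProtected -or $stale -or $missing) {
            [pscustomobject]@{
                Path                = $item.FullName
                InheritanceDisabled = $acl.AreAccessRulesProtected
                StaleInherited      = $stale      # access carried over from the old location
                MissingFromParent   = $missing    # access the new parent grants but the item lacks
            }
        }
    }
}
```

Run it as an account that can read ACLs under the share, for example `Get-AclDrift -Root 'G:\Share2'`. An administrator can bring a listed item back in line with its parent using `icacls <path> /reset /T /C`.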

Hi, Is there any solution for this problem without granting "Change Permissions" for END USER? Thanks
April 20th, 2011 3:31am

This topic is archived. No further replies will be accepted.
