Holy cow, I wrote a book!
A customer wanted to move a file and have it forget all its
old ACLs and instead inherit its ACLs from its new location.
an old article of mine
If you use SHFileOperation to move a file
and pass the
then it will not preserve the original ACLs on the moved files
but will rather recalculate them from the destination's
(If you want to do the same thing in your own code,
you can call the
SetNamedSecurityInfo function, specifying that
you want an empty, unprotected DACL.)
They were having trouble implementing the recommendation in parentheses.
We set the file to have an SDDL of D:S: in order
to give it an empty DACL and SACL,
but instead of inheriting its ACL from the container,
that gave nobody any permissions at all!
How do I get this to work?
The customer was halfway there.
D:S: is an empty DACL.
Now they need to
make it unprotected.
The customer confirmed that
passing that flag to
SetNamedSecurityInfo did the trick.