Microsoft KB Archive/832234

= You cannot apply permissions to the root directory of an NTFS file system volume in Windows Server 2003 =

Article ID: 832234

Article Last Modified on 7/24/2007

APPLIES TO


 * Microsoft Windows Server 2003, Web Edition
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise x64 Edition


SYMPTOMS
On a Microsoft Windows Server 2003-based computer, when you use Microsoft Windows Explorer or the Cacls.exe utility, you cannot assign NTFS file system permissions to the root directory of an NTFS volume if the volume is mounted by using a mount point or has no drive letter. Instead, if you apply permissions to the mount point folder, the permissions are applied to the folder itself, but the permissions are not applied to the underlying root directory of the mounted volume. When you apply the permissions, you do not receive a message that warns you about this issue.

If you use the procedure that is documented in the following Microsoft Knowledge Base article to address this issue, the suggested resolution may not work on an active volume because you may not be able to un-assign the temporary drive letter if the volume is in use. If you have several mounted volumes, you may run out of drive letters and may not be able to apply new permissions until after you restart your computer:

237701 Cacls.exe cannot apply security to root of a volume mount point



CAUSE
In its current implementation, the Cacls.exe utility cannot use the volume GUID to set permissions on the root of a mounted NTFS volume.



Hotfix information
A supported hotfix is now available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next service pack that contains this hotfix.

To resolve this problem, submit a request to Microsoft Online Customer Services to obtain the hotfix. To submit an online request to obtain the hotfix, visit the following Microsoft Web site:

http://go.microsoft.com/?linkid=6294451

Note If additional issues occur or any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. To create a separate service request, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

Prerequisites
No prerequisites are required.

Restart requirement
You do not have to restart your computer after you apply this hotfix.

Hotfix replacement information
This hotfix does not replace any other hotfixes.

File information
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

Windows Server 2003
 Date         Time   Version       Size    File name
 -----------------------------------------------------
 12-Dec-2003  18:28  5.2.3790.110  20,480  Cacls.exe
 12-Dec-2003  02:40  5.2.3790.112  37,888  Ws03res.dll

Windows Server 2003, 64-Bit
 Date         Time   Version       Size    File name     Platform
 ----------------------------------------------------------------
 09-Dec-2003  22:44  5.2.3790.110  49,152  Cacls.exe     IA-64
 12-Dec-2003  00:40  5.2.3790.112  37,376  Ws03res.dll   IA-64
 12-Dec-2003  16:28  5.2.3790.110  20,480  Wcacls.exe    x86
 12-Dec-2003  00:40  5.2.3790.112  37,888  Wws03res.dll  x86



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.



MORE INFORMATION
After you apply the hotfix that is described in this article, you can use the Cacls.exe utility to add or to remove NTFS permissions to NTFS volumes that have a volume mount point as their only path. This hotfix adds a new command-line switch (cacls /m) that provides Cacls.exe with the functionality to apply permissions to a mount point folder and to apply permissions to the underlying root of the mounted volume.

Description of updated Cacls.exe usage and command-line switches
CACLS FileName [/T] [/M] [/E] [/C] [/G user:perm] [/R user [...]] [/P user:perm [...]] [/D user [...]]

 FileName      Displays ACLs.
 /T            Changes ACLs of specified files in the current directory
               and in all subdirectories.
 /M            Changes ACLs of volumes mounted to a directory
 /E            Edit ACL instead of replacing it.
 /C            Continue on access denied errors.
 /G user:perm  Grant specified user access rights.
               Perm can be: R  Read
                            W  Write
                            C  Change (write)
                            F  Full control
 /R user       Revoke access rights of a specified user (only valid with /E).
 /P user:perm  Replace access rights of a specified user.
               Perm can be: N  None
                            R  Read
                            W  Write
                            C  Change (write)
                            F  Full control
 /D user       Deny specified user access.

Wildcard characters can be used to specify more than one file in a command. You can specify more than one user in a command.

Abbreviations:
 CI - Container Inherit. The ACE will be inherited by folders.
 OI - Object Inherit. The ACE will be inherited by files.
 IO - Inherit Only. The ACE does not apply to the current file or folder.

With additional enhancements to the Cacls.exe utility, you can specify a volume GUID as the target instead of specifying the drive letter as the target. For example, instead of using the drive letter, type the following command at the command prompt:

C:\>cacls \\?\Volume{26a21bda-a627-11d7-9931-806e6f6e6963}\

Note In this example, {26a21bda-a627-11d7-9931-806e6f6e6963} is an example of a volume GUID.

Note To list the attached volumes (in the format Volume{GUID}) on your computer, you can use the Mountvol.exe utility. To use this utility, type mountvol at a command prompt, and then press ENTER.

Additional Examples
To modify permissions to add a user to the root of the volume and to all subfolders on the volume by using the volume GUID, type the following, where user is the account name:

C:\>cacls \\?\Volume{26a21bda-a627-11d7-9931-806e6f6e6963}\ /T /E /G user:F

To view permissions on the root of a mounted volume by using the volume GUID, type the following:

C:\>cacls \\?\Volume{26a21bda-a627-11d7-9931-806e6f6e6963}\

To view permissions on the root of a mounted volume by using the mount point name, type the following:

C:\>cacls F:\mounted_volume /M

To modify permissions on the root of a mounted volume so that a user has permission to read, type the following, where user is the account name:

C:\>cacls F:\mounted_volume /M /E /P user:R

To modify permissions on the root of a mounted volume to change permissions for a user to Full Control, type the following, where user is the account name:

C:\>cacls F:\mounted_volume /M /E /G user:F
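
The following Python script is an added example, not part of the original article or of Microsoft's code. It parses mountvol output, picks out the volumes that have no drive letter (the ones whose root ACL is silently skipped, per the SYMPTOMS section), and builds the cacls commands from this article that display the ACL on the volume root. The function names and the sample output are assumptions constructed for illustration; the /M form requires the hotfixed Cacls.exe.

```python
import re

# Constructed sample of `mountvol` output. The first GUID is the article's
# example; the other two are made up for illustration.
SAMPLE_MOUNTVOL = r"""
Possible values for VolumeName along with current mount points are:

    \\?\Volume{26a21bda-a627-11d7-9931-806e6f6e6963}\
        F:\mounted_volume\

    \\?\Volume{11111111-2222-3333-4444-555555555555}\
        C:\

    \\?\Volume{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}\
        *** NO MOUNT POINTS ***
"""

VOLUME_RE = re.compile(r"^\\\\\?\\Volume\{[0-9a-fA-F-]{36}\}\\$")
DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]:\\$")


def parse_mountvol(text):
    """Return {volume GUID path: [mount point paths]} from mountvol output."""
    volumes, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if VOLUME_RE.match(line):
            current = volumes.setdefault(line, [])
        elif current is not None and line and not line.startswith("***"):
            current.append(line)  # a mount point of the volume named above
    return volumes


def quote(path):
    """Quote a path for the command line if it contains spaces."""
    return f'"{path}"' if " " in path else path


def acl_review_commands(volumes):
    """Map each volume without a drive letter to cacls commands showing its root ACL."""
    commands = {}
    for guid_path, mounts in volumes.items():
        if any(DRIVE_ROOT_RE.match(m) for m in mounts):
            continue  # root is reachable as X:\, outside the article's symptom
        cmds = ["cacls " + guid_path]  # volume GUID form from the article
        for m in mounts:  # folder mount points: /M targets the mounted root
            cmds.append("cacls " + quote(m.rstrip("\\")) + " /M")
        commands[guid_path] = cmds
    return commands
```

Comparing the output of the generated commands with the output of plain cacls on the mount point folder shows whether the folder and the mounted volume root carry different ACLs.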

For more information, click the following article number to view the article in the Microsoft Knowledge Base:

824684 Description of the standard terminology that is used to describe Microsoft software updates


© Microsoft Corporation. All rights reserved.