Article ID: 832234
Article Last Modified on 7/24/2007
APPLIES TO
- Microsoft Windows Server 2003, Web Edition
- Microsoft Windows Server 2003, Standard Edition (32-bit x86)
- Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
- Microsoft Windows Server 2003, Enterprise x64 Edition
SYMPTOMS
On a Microsoft Windows Server 2003-based computer, when you use Microsoft Windows Explorer or the Cacls.exe utility, you cannot assign NTFS file system permissions to the root directory of an NTFS volume if the volume is mounted by using a mount point, or no drive letter. Instead, if you apply permissions to the mount point folder, the permissions are applied to the folder itself, but the permissions are not applied to the underlying root directory of the mounted volume. When you apply the permissions, you do not receive a message that warns you about this issue.
If you use the procedure that is documented in the following Microsoft Knowledge Base article to address this issue, the suggested resolution may not work on an active volume because you may not be able to un-assign the temporary drive letter if the volume is in use. If you have several mounted volumes, you may run out of drive letters and may not be able to apply new permissions until after you restart your computer:
237701 Cacls.exe cannot apply security to root of a volume mount point
CAUSE
In its current implementation, the Cacls.exe utility cannot use the volume GUID to set permissions on the root of a mounted NTFS volume.
RESOLUTION
Hotfix information
A supported hotfix is now available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next service pack that contains this hotfix.
To resolve this problem, submit a request to Microsoft Online Customer Services to obtain the hotfix. To submit an online request to obtain the hotfix, visit the following Microsoft Web site:
Note If additional issues occur or any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. To create a separate service request, visit the following Microsoft Web site:
Prerequisites
No prerequisites are required.
Restart requirement
You do not have to restart your computer after you apply this hotfix.
Hotfix replacement information
This hotfix does not replace any other hotfixes.
File information
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
Windows Server 2003
Date Time Version Size File name ----------------------------------------------------- 12-Dec-2003 18:28 5.2.3790.110 20,480 Cacls.exe 12-Dec-2003 02:40 5.2.3790.112 37,888 Ws03res.dll
Windows Server 2003, 64-Bit
Date Time Version Size File name Platform ---------------------------------------------------------------- 09-Dec-2003 22:44 5.2.3790.110 49,152 Cacls.exe IA-64 12-Dec-2003 00:40 5.2.3790.112 37,376 Ws03res.dll IA-64 12-Dec-2003 16:28 5.2.3790.110 20,480 Wcacls.exe x86 12-Dec-2003 00:40 5.2.3790.112 37,888 Wws03res.dll x86
STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
MORE INFORMATION
After you apply the hotfix that is described in this article, you can use the Cacls.exe utility to add or to remove NTFS permissions to NTFS volumes that have a volume mount point as their only path. This hotfix adds a new command-line switch (cacls /m) that provides Cacls.exe with the functionality to apply permissions to a mount point folder and to apply permissions to the underlying root of the mounted volume.
Description of updated Cacls.exe usage and command-line switches
CACLS FileName [/T] [/M] [/E] [/C] [/G user:perm] [/R user [...]] [/P user:perm [...]] [/D user [...]] FileName Displays ACLs. /T Changes ACLs of specified files in the current directory and in all subdirectories. /M Changes ACLs of volumes mounted to a directory /E Edit ACL instead of replacing it. /C Continue on access denied errors. /G user:perm Grant specified user access rights. Perm can be: R Read W Write C Change (write) F Full control /R user Revoke access rights of a specified user (only valid with /E). /P user:perm Replace access rights of a specified user. Perm can be: N None R Read W Write C Change (write) F Full control /D user Deny specified user access. Wildcard characters can be used to specify more than one file in a command. You can specify more than one user in a command. Abbreviations: CI - Container Inherit. The ACE will be inherited by folders. OI - Object Inherit. The ACE will be inherited by files. IO - Inherit Only. The ACE does not apply to the current file or folder.
With additional enhancements to the Cacls.exe utility, you can specify a volume GUID as the target instead of specifying the drive letter as the target. For example, instead of using the drive letter, type the following command at the command prompt:
C:\cacls \\?\Volume{26a21bda-a627-11d7-9931-806e6f6e6963}\
Note In this example, {26a21bda-a627-11d7-9931-806e6f6e6963} is an example of a volume GUID.
Note To list the attached volumes (in the format Volume{GUID}) on your computer, you can use the Mountvol.exe utility. To use this utility, type mountvol at a command prompt, and then press ENTER.
Additional Examples
To modify permissions to add User_Name1
to the root of the volume and to all subfolders on the volume by using the volume GUID, type the following:
C:\cacls \\?\Volume{26a21bda-a627-11d7-9931-806e6f6e6963}\ /T /E /G User_Name1
:F
To view permissions on the root of a mounted volume by using the volume GUID, type the following:
C:\cacls \\?\Volume{26a21bda-a627-11d7-9931-806e6f6e6963}\
To view permissions on the root of a mounted volume by using the mountpoint name, type the following:
C:\cacls F:\mounted_volume /M
To modify permissions on the root of a mounted volume so that User_Name1
has permission to read, type the following:
C:\cacls F:\mounted_volume /M /E /P User_Name1
:R
To modify permissions on the root of a mounted volume to change permissions for User_Name2
to Full Control, type the following:
C:\cacls F:\mounted_volume /M /E /G User_Name2
:F
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates
Additional query words: Cacls
Keywords: kbhotfixserver kbbug kbfix kbqfe kbwinserv2003presp1fix KB832234