Yesterday, a client called me complaining that, after installing Vista SP2, she couldn’t access a folder on a file share. She could access that same folder from her XP workstation, logged in with the same account.
I paid a service call (across the parking lot; any excuse to get up and walk outside 🙂 ), and after some poking around confirmed her claim. We did determine that she might not have attempted to access that folder from her new Vista system before.
So I started digging deeper. The folder granted her (via a group) the “List Folder/Read data†permission. So I created a test folder and granted an analogous group this specific permission to the folder. This is displayed in the output of icacls thas “(S,RD)â€.
C:\>icacls s:\cit\ZTest
s:\cit\ZTest CAMPUS\ETS-FileServices-Browse:(S,RD)
BUILTIN\Administrators:(OI)(CI)(F)
This permission alone allows Windows XP workstations to browse the folder, but Windows Vista or later give an “Access in denied†error.
When creating a “browse†permission for a single folder, I start by granting the “List Folder Contents†standard permission, which assigns the following permissions to the folder and subfolders (not to files):
- Traverse folder/execute file
- List folder/read data
- Read attributes
- Read extended attributes
- Read permissions
With icacls, this permission looks like this:
C:\>icacls s:\cit\ZTest
s:\cit\ZTest BUILTIN\Administrators:(OI)(CI)(F)
CAMPUS\ETS-FileServices-Browse:(CI)(RX)
The (CI) indicates “Container inherit,†which means that permission (ACE) will be inherited by subfolders. Now I open the advenced security dialog, and edit the ACE to change the “Apply to†control to “This folder only.†Now the browse permission applies only to the particular folder. In icacls, it looks like this:
C:\>icacls s:\cit\ZTest
s:\cit\ZTest BUILTIN\Administrators:(OI)(CI)(F)
CAMPUS\ETS-FileServices-Browse:(RX)
I changed the permissions on the client’s folder, and her access was restored.
See also:
