Yesterday, a client called me complaining that, after installing Vista SP2, she couldn't access a folder on a file share. She could access that same folder from her XP workstation, logged in with the same account.
I paid a service call (across the parking lot; any excuse to get up and walk outside 🙂 ), and after some poking around confirmed her claim. We did determine that she might not have attempted to access that folder from her new Vista system before.
So I started digging deeper. The folder granted her (via a group) the "List Folder/Read data" permission. So I created a test folder and granted an analogous group this specific permission to the folder. This is displayed in the output of icacls as "(S,RD)".
This permission alone allows Windows XP workstations to browse the folder, but Windows Vista or later gives an "Access is denied" error.
When creating a "browse" permission for a single folder, I start by granting the "List Folder Contents" standard permission, which assigns the following permissions to the folder and subfolders (not to files):
- Traverse folder/execute file
- List folder/read data
- Read attributes
- Read extended attributes
- Read permissions
With icacls, this permission looks like this:
The (CI) indicates "Container inherit," which means that permission (ACE) will be inherited by subfolders. Now I open the advanced security dialog, and edit the ACE to change the "Apply to" control to "This folder only." Now the browse permission applies only to the particular folder. In icacls, it looks like this:
I changed the permissions on the client's folder, and her access was restored.
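To check other folders for the same narrow grant, the following added example (not part of the original post) parses ACEs in icacls notation and reports which of the five "List Folder Contents" rights listed above each one lacks. The group name `CORP\BrowseTest` and the sample ACE strings are constructed for illustration, and only the allow-ACE forms discussed here are handled.

```python
import re

# icacls abbreviations -> access-mask bits (directory meanings in comments).
SPECIFIC = {
    "RD": 0x1,        # List folder / read data
    "REA": 0x8,       # Read extended attributes
    "X": 0x20,        # Traverse folder / execute file
    "RA": 0x80,       # Read attributes
    "RC": 0x20000,    # Read permissions
    "S": 0x100000,    # Synchronize
    "WD": 0x2, "AD": 0x4, "WEA": 0x10, "DC": 0x40, "WA": 0x100,
    "DE": 0x10000, "WDAC": 0x40000, "WO": 0x80000,
}
SIMPLE = {"R": 0x120089, "RX": 0x1200A9, "M": 0x1301BF, "F": 0x1F01FF}
INHERIT = {"OI", "CI", "IO", "NP", "I"}

# The five rights the post lists under "List Folder Contents", in its order.
BROWSE = {
    "Traverse folder/execute file": 0x20,
    "List folder/read data": 0x1,
    "Read attributes": 0x80,
    "Read extended attributes": 0x8,
    "Read permissions": 0x20000,
}

def parse_ace(line):
    """Split 'PRINCIPAL:(flags)(rights)' into (principal, flags, mask)."""
    principal, sep, rest = line.strip().partition(":(")
    if not sep:
        raise ValueError(f"not an icacls ACE: {line!r}")
    groups = re.findall(r"\(([^)]*)\)", "(" + rest)
    flags = [g for g in groups if g in INHERIT]
    rights = [g for g in groups if g not in INHERIT]
    if len(rights) != 1:  # e.g. (DENY) entries are out of scope here
        raise ValueError(f"expected one rights group: {line!r}")
    mask = 0
    for token in rights[0].split(","):
        if token not in SIMPLE and token not in SPECIFIC:
            raise ValueError(f"unknown right {token!r}")
        mask |= SIMPLE.get(token) or SPECIFIC[token]
    return principal, flags, mask

def missing_browse_rights(mask):
    """Names of the listed browse rights that the mask does not grant."""
    return [name for name, bit in BROWSE.items() if not mask & bit]

# Constructed sample ACEs; CORP\BrowseTest is a made-up group name.
SAMPLE = [r"CORP\BrowseTest:(S,RD)", r"CORP\BrowseTest:(CI)(RX)", r"CORP\BrowseTest:(RX)"]

if __name__ == "__main__":
    for ace in SAMPLE:
        who, flags, mask = parse_ace(ace)
        scope = "inherited by subfolders" if "CI" in flags else "this folder only"
        print(f"{ace:28} {scope:24} missing: {missing_browse_rights(mask) or 'none'}")
```
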