There are several ways to solve this problem. One is to ensure that, whenever a file is moved into a new folder with different permissions in the same namespace, the ACL propagator is triggered. Use the following steps to do this:

1. Move the object.

2. Open the Advanced Security Settings dialog box for the object.

3. Clear the Include Inheritable Permissions check box (Windows Server 2008 or Windows Vista) or the Inherit From Parent check box (Windows Server 2003 or Windows XP), and click Apply.

If you are using a Windows Vista or Windows Server 2008 system with User Account Control enabled, you need to click the Edit button before you are able to clear the check box.

4. When you are prompted to Copy or Remove inherited permissions, choose Remove.

5. Re-select the same check box, and click Apply. This triggers the ACL propagator to apply inheritable permissions from the parent folder to the object.

That’s a lot of steps, isn’t it?

Another option is to copy rather than move the object. When you copy an object, you create a new instance of the object, which immediately triggers the ACL propagator. You then simply delete the original item.

The only potential pitfall with this method is that you might have explicit permissions assigned to the original object that you will need to maintain when you move the object. Therefore, rather than use copy and paste, use a command that can copy the object including its security descriptor. You can use xcopy.exe with the /x switch to copy a file with its security descriptor intact. On Windows Server 2008, you can also use robocopy.exe with the /copyall switch. By copying the entire security descriptor, you also maintain auditing and ownership information. Then delete the original file.

Any utility that can copy or back up and restore an NTFS object while maintaining its security descriptor will similarly work around this unusual feature of NTFS permissions.
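The copy-then-delete approach with robocopy.exe /copyall described above, as an added PowerShell example (not from the original text): it copies one file, confirms that the explicit permissions arrived intact, and only then deletes the original. The function names and sample paths are hypothetical, and it assumes Windows PowerShell 3.0 or later in an elevated session.

```powershell
# Added example; both function names are hypothetical helpers.
# Run elevated: /COPYALL includes auditing info, which needs the Manage Auditing right.
function Get-ExplicitAceText {
    param([Parameter(Mandatory=$true)][string]$Path)
    # Render only the explicit (non-inherited) DACL entries as sortable text.
    $aces = (Get-Acl -LiteralPath $Path).Access | Where-Object { -not $_.IsInherited }
    $lines = foreach ($a in $aces) {
        '{0}|{1}|{2}|{3}|{4}' -f $a.IdentityReference, $a.AccessControlType,
            $a.FileSystemRights, $a.InheritanceFlags, $a.PropagationFlags
    }
    ($lines | Sort-Object) -join "`n"
}

function Move-FileKeepingSecurity {
    param(
        [Parameter(Mandatory=$true)][string]$Source,
        [Parameter(Mandatory=$true)][string]$DestinationFolder
    )
    $file   = Get-Item -LiteralPath $Source
    $target = Join-Path $DestinationFolder $file.Name
    if (Test-Path -LiteralPath $target) { throw "$target already exists; nothing copied." }
    $before = Get-ExplicitAceText -Path $file.FullName

    # Copy the one file with data, attributes, timestamps, ACL, owner and auditing.
    robocopy $file.DirectoryName $DestinationFolder $file.Name /COPYALL /R:1 /W:1 | Out-Null
    # Robocopy exit codes below 8 mean success; 8 and above mean at least one failure.
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }

    # Keep the original unless the explicit ACEs on the copy match the source.
    if ((Get-ExplicitAceText -Path $target) -ne $before) {
        throw "Explicit ACEs differ on $target; original left in place."
    }
    Remove-Item -LiteralPath $file.FullName

    # Return every ACE so the inherited entries can be checked against the new parent.
    (Get-Acl -LiteralPath $target).Access |
        Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited
}

# Constructed paths, for illustration only:
# Move-FileKeepingSecurity -Source 'D:\Data\Sales\report.docx' -DestinationFolder 'D:\Data\Finance'
```

Review the returned IsInherited column against the destination folder's permissions before relying on the result.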