File security issues after converting FAT32 partitions to the NTFS file system

View products that this article applies to.

SYMPTOMS

After you run the Convert.exe utility on an installation of Windows XP Professional or on Windows XP Home Edition, the All Users folder and all subfolders (that is, the folders with inheritable permissions) show only the following permissions:

Everyone: by default, all items (including Full Control) are selected.

The subfolders include:

Desktop
Favorites
Shared Documents
Start Menu

Back to the top

CAUSE

Convert.exe is used to convert the file system from FAT32 to the NTFS file system. During the conversion process, Convert.exe uses the Setup Security.inf file in the C:\Windows\Security\Templates folder to apply security settings to the partition. The Setup Security.inf file is created during Windows XP setup. If the OS was installed on a FAT32 partition, the file security settings will differ from an installation on an NTFS partition. This difference causes the problem.

Back to the top

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

Note if you purchased your computer from an original equipment manufacturer (OEM), Microsoft has investigated this problem and is working directly with OEMs to provide a solution.

Back to the top

With a manual installation of Windows XP Professional or Windows XP Home Edition, the default permissions of the All Users folder and all the subfolders that have inheritable permissions are as follows:

Administrators: All items (including Full Control) are selected.
Everyone: Read and Execute, List Folder Contents, and Read are selected.
Power Users: All items except Full Control are selected.
System: All items (including Full Control) are selected.
Users: Read&Execute, List Folder Contents, and Read are selected.

Microsoft has reviewed the security settings that are defined in the Setup Security.inf file that is mentioned earlier in this article. As a result of that review, please note the following points:

The following directories were determined to have special access control lists (ACLs) set incorrectly, or not set at all.
The following directories also have a corresponding list of appropriate special ACLs that are based on a review of NTFS permissions on a natively configured NTFS system.
Not all of the following directories are necessarily present on every system. Many directories are pertinent to specific components that may not be installed.

Back to the top

Windows XP

Documents and Settings System and Administrator: Full Users, Power Users, and Everyone: Read and Execute
Documents and Settings\username System and Administrator: Full User: Full
Documents and Settings\Default User Inherited from "Documents and Settings"
Documents and Settings\All Users System and Administrator: Full
Users and Everyone: Read and Execute
Documents and Settings\All Users\Desktop Inherited from "All Users"
Documents and Settings\All Users\Favorite Inherited from "All Users"
Documents and Settings\All Users\Start Menu Inherited from "All Users"
Documents and Settings\All Users\Template Inherited from "All Users"
Documents and Settings\All Users\Shared Documents System and Administrator: Full
Creator Owner: Full
Power Users: Modify
Users: Read, Execute and Write
Documents and Settings\All Users\Application Data Same as "All Users\Documents"
...Application Data\Microsoft\Network\Downloader:
- Full access to LocalSystem
- Full access to Local Administrators
  Note: Inherited ACLs are enabled.
%allusersprofile%\Start menu\Programs\Accessories (and all of the link files and subfolders underneath it) Inherited from %allusersprofile%\Start menu\Programs
%allusersprofile%\Start menu\Programs\Startup Inherited from %allusersprofile%\Start menu\Programs

Back to the top

Windows 2000

Documents and Settings System and Administrator: Full Users, Power Users, and Everyone: Read and Execute
Documents and Settings\username System and Administrator: Full
User: Full
Documents and Settings\Default User Inherited from "Documents and Settings"
Documents and Settings\All Users System and Administrator: Full
Users and Everyone: Read and Execute
Documents and Settings\All Users\Desktop Inherited from "All Users"
Documents and Settings\All Users\Favorite Inherited from "All Users"
Documents and Settings\All Users\Start Menu Inherited from "All Users"
Documents and Settings\All Users\Template Inherited from "All Users"
Documents and Settings\All Users\Shared Documents System and Administrator: Full
Creator Owner: Full
Power Users: Read and Execute, Write
Users: Read, Execute and Write
Everyone: Read and Execute
Documents and Settings\All Users\Application Data Creator Owner: Full

Back to the top

Users: Read&Execute
Everyone: Read&Execute
%allusersprofile%\Start menu\Programs Administrator: Full
Everyone: Read and Execute, List Folder contents
Power Users: Everything but Full Control
System: Full Control
Users: Read and Execute, List Folder contents
Note Everyone has the right to view this file. Only Power Users and Administrators have the privilege to change these folders or files.
%allusersprofile%\Start menu\Programs\Accessories (and all of the link files and subfolders underneath it) Inherited from %allusersprofile%\Start menu\Programs
%allusersprofile%\Start menu\Programs\Startup Inherited from %allusersprofile%\Start menu\Programs

Back to the top

WORKAROUND

To correct the ACLs that are listed for the specified directories in this article, and to correct any additional incorrect settings that the user may have found, you can use the Cacls.exe utility. The Cacls.exe utility (included in systemroot\System32 folder) is a tool designed for modifying permissions (access control lists [ACLs]) of NTFS files and folders.
For additional information about the correct use of the Cacls.exe utility, click the following article number to view the article in the Microsoft Knowledge Base:

318754 (http://support.microsoft.com/kb/318754/EN-US/ ) HOW TO: Use Xcacls.exe to Modify NTFS Permissions

Back to the top