Access control entries are deleted after you run the ICACLS command remotely against a UNC path with a mount point

Applies to: Windows 8Windows 8 EnterpriseWindows 8 Pro More

Symptoms


Consider the following scenario:

  • On a computer that's running Windows 8 or Windows Server 2012, you create a mount point for a volume that uses the NTFS file system. For example, you format an NTFS volume and then mount it under the E:\StandardFolder\MountPoint folder.
  • You share the root directory of volume E, and you access the mount point through the \\ServerName\StandardFolder\MountPoint UNC path.
  • You run the following ICACLS command to check the access control entries to the UNC path:
    ICACLS \\ServerName\StandardFolder\MountPoint\StandardFolder


    All the entries are displayed as follows:
    ServerName\Volume-managers:(I)(OI)(CI)(F)

    BUILTIN\Administrators:(I)(OI)(CI)(F)
    NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
  • You run the following ICACLS commands to grant rights remotely to a domain account against the UNC path from a Windows 8-based computer: 
    ICACLS \\ServerName\StandardFolder\MountPoint\StandardFolder /grant domain\useraccount:(OI)(CI)RXW  
    ICACLS \\ServerName\StandardFolder\MountPoint\StandardFolder /grant domain\useraccount:(OI)(CI)(IO)M
When you run the ICACLS command to check the access control entries again in this scenario, you find that the  ServerName\Volume-managers:(I)(OI)(CI)(F) entry is deleted.

Notes 
  • The ServerName\Volume-managers is a custom local group. The group has full control on the volume that you used to create the mount point.
  • This issue does not occur when you run the ICACLS commands locally against a UNC path.  

Workaround


To work around this issue, create a subfolder under the mount point, as follows:
\\servername\standardfolder\mountpoint\standardfolder\subfolder