On a Microsoft Windows Server 2003-based computer, when you use Microsoft Windows Explorer or the Cacls.exe utility, you cannot assign NTFS file system permissions to the root directory of an NTFS volume if the volume is mounted by using a mount point or has no drive letter. Instead, if you apply permissions to the mount point folder, the permissions are applied to the folder itself, but they are not applied to the underlying root directory of the mounted volume. When you apply the permissions, you do not receive a message that warns you about this issue.
If you use the procedure that is documented in the following Microsoft Knowledge Base article to address this issue, the suggested resolution may not work on an active volume because you may not be able to un-assign the temporary drive letter if the volume is in use. If you have several mounted volumes, you may run out of drive letters and may not be able to apply new permissions until after you restart your computer:
237701 Cacls.exe cannot apply security to root of a volume mount point
In its current implementation, the Cacls.exe utility cannot use the volume GUID to set permissions on the root of a mounted NTFS volume.
A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.
If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.
Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:
Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.
No prerequisites are required.
You do not have to restart your computer after you apply this hotfix.
Hotfix replacement information
This hotfix does not replace any other hotfixes.
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
Windows Server 2003
Date         Time   Version       Size    File name
-----------------------------------------------------
12-Dec-2003  18:28  5.2.3790.110  20,480  Cacls.exe
12-Dec-2003  02:40  5.2.3790.112  37,888  Ws03res.dll
Windows Server 2003, 64-Bit
Date         Time   Version       Size    File name     Platform
----------------------------------------------------------------
09-Dec-2003  22:44  5.2.3790.110  49,152  Cacls.exe     IA-64
12-Dec-2003  00:40  5.2.3790.112  37,376  Ws03res.dll   IA-64
12-Dec-2003  16:28  5.2.3790.110  20,480  Wcacls.exe    x86
12-Dec-2003  00:40  5.2.3790.112  37,888  Wws03res.dll  x86
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
After you apply the hotfix that is described in this article, you can use the Cacls.exe utility to add or to remove NTFS permissions to NTFS volumes that have a volume mount point as their only path. This hotfix adds a new command-line switch (cacls /m) that provides Cacls.exe with the functionality to apply permissions to a mount point folder and to apply permissions to the underlying root of the mounted volume.
Description of updated Cacls.exe usage and command-line switches
CACLS FileName [/T] [/M] [/E] [/C] [/G user:perm] [/R user [...]]
               [/P user:perm [...]] [/D user [...]]
   FileName      Displays ACLs.
   /T            Changes ACLs of specified files in the current directory and in all subdirectories.
   /M            Changes ACLs of volumes mounted to a directory
   /E            Edit ACL instead of replacing it.
   /C            Continue on access denied errors.
   /G user:perm  Grant specified user access rights.
                 Perm can be: R  Read
                              W  Write
                              C  Change (write)
                              F  Full control
   /R user       Revoke access rights of a specified user (only valid with /E).
   /P user:perm  Replace access rights of a specified user.
                 Perm can be: N  None
                              R  Read
                              W  Write
                              C  Change (write)
                              F  Full control
   /D user       Deny specified user access.
Wildcard characters can be used to specify more than one file in a command.
You can specify more than one user in a command.
Abbreviations:
   CI - Container Inherit. The ACE will be inherited by folders.
   OI - Object Inherit. The ACE will be inherited by files.
   IO - Inherit Only. The ACE does not apply to the current file or folder.
With additional enhancements to the Cacls.exe utility, you can specify a volume GUID as the target instead of specifying the drive letter as the target. For example, instead of using the drive letter, type the following command at the command prompt:
Applies to
Microsoft Windows Server 2003, Web Edition
Microsoft Windows Server 2003, Standard Edition (32-bit x86)
Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
Microsoft Windows Server 2003, Enterprise x64 Edition