Affected versions: Windows Server 2012 R2


Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

Users get Access Denied on Windows Server 2012 R2 file shares because NTFS inheritance was disabled on subfolders during a migration, leaving stale explicit ACEs.

Environment & Reproduction

Reproducible by inspecting permissions on the affected folder.

Get-Acl 'D:\Data\Dept' | Format-List
icacls 'D:\Data\Dept'

Root Cause Analysis

When inheritance is disabled on a folder, new permissions set on the parent no longer flow down to it, and explicit ACEs from before the migration can remain in place and go stale.

Quick Triage

Audit ACL state on the share.

icacls 'D:\Data\Dept' /T /Q
Get-Acl 'D:\Data\Dept' | Select-Object -ExpandProperty Access | Format-Table IdentityReference,FileSystemRights,AccessControlType,IsInherited

Step-by-Step Diagnosis

Identify the divergence point in the tree.

# AreAccessRulesProtected is $true on folders where inheritance is disabled.
Get-ChildItem 'D:\Data' -Recurse -Directory | Get-Acl | Where-Object { $_.AreAccessRulesProtected }
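
An added example, not part of the original page: a read-only report that lists each folder with inheritance disabled together with the explicit ACEs left on it. The function name `Get-InheritanceBreak` and the "Unresolved SID" heuristic are assumptions made for illustration; `D:\Data` is the path used on this page.

```powershell
# Added example (read-only): list folders under a root where inheritance is
# disabled, with the explicit ACEs left on each. Changes no permissions.
function Get-InheritanceBreak {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Root   # e.g. 'D:\Data', the path used on this page
    )

    # Check the root itself, then every subfolder beneath it.
    $folders = @(Get-Item -LiteralPath $Root -ErrorAction Stop) +
               @(Get-ChildItem -LiteralPath $Root -Recurse -Directory -ErrorAction SilentlyContinue)

    foreach ($folder in $folders) {
        try {
            $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop
        } catch {
            # A folder whose ACL cannot be read is itself worth reporting.
            [pscustomobject]@{ Path = $folder.FullName; Identity = $null; Rights = $null
                               Type = $null; Note = "ACL unreadable: $($_.Exception.Message)" }
            continue
        }

        # AreAccessRulesProtected is $true when inheritance is disabled on the folder.
        if (-not $acl.AreAccessRulesProtected) { continue }

        # Explicit (non-inherited) ACEs are what a migration can leave behind.
        $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
        if ($explicit.Count -eq 0) {
            [pscustomobject]@{ Path = $folder.FullName; Identity = $null; Rights = $null
                               Type = $null; Note = 'Inheritance disabled, no explicit ACEs' }
            continue
        }
        foreach ($ace in $explicit) {
            $id = $ace.IdentityReference.Value
            # Assumption: an identity shown as a raw SID no longer resolves to an account.
            $note = if ($id -match '^S-1-\d+(-\d+)+$') { 'Unresolved SID' } else { '' }
            [pscustomobject]@{ Path = $folder.FullName; Identity = $id
                               Rights = $ace.FileSystemRights
                               Type = $ace.AccessControlType; Note = $note }
        }
    }
}

# Usage: sorted by path, so a parent folder is listed before its children.
Get-InheritanceBreak -Root 'D:\Data' | Sort-Object Path | Format-Table -AutoSize
```

Piping the same output to `Export-Csv` before applying the fix keeps a record of which explicit ACEs were present.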

Solution – Primary Fix

Re-enable inheritance and propagate parent ACLs.

icacls 'D:\Data\Dept' /inheritance:e /T
Get-Acl 'D:\Data' | Set-Acl 'D:\Data\Dept'

Solution – Alternative Approaches

Reset ACLs to defaults from a known-good baseline.

icacls 'D:\Data\Dept' /reset /T /Q
icacls 'D:\Data\Dept' /grant 'CORP\Dept-Users:(OI)(CI)M'

Verification & Acceptance Criteria

Affected users can read/write per group membership and Get-Acl shows IsInherited true.

Get-Acl 'D:\Data\Dept' | Select-Object -ExpandProperty Access
icacls 'D:\Data\Dept'

Rollback Plan

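Restore the pre-fix ACLs from an icacls /save backup if the changes break access for other roles.

# A backup taken with icacls 'D:\Data' /save ... /T records paths starting at "Data",
# so /restore must be run against the parent of the saved folder.
icacls 'D:\' /restore C:\Temp\acl-backup.txt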

Prevention & Hardening

Back up ACLs before changes, document folder design, and use Robocopy /SECFIX in migrations.

icacls 'D:\Data' /save C:\Temp\acl-baseline.txt /T

Related Errors & Cross-Refs

Linked with share permission collisions and DFS namespace ACL drift.

References & Further Reading

Microsoft Learn: NTFS permissions and inheritance.
