Unable to rename file or folder without the "Erase" right

  • 7022609
  • 29-Jan-2018
  • 28-Mar-2018

Environment

Client for Open Enterprise Server 2 SP4 (IR5)

Situation

After upgrading from Client for Open Enterprise Server 2 SP4 (IR4) to Client for Open Enterprise Server 2 SP4 (IR5) or Client for Open Enterprise Server 2 SP4 (IR6), users who were previously able to create or rename a file or folder (e.g. they have RWCMF rights) are no longer able to do so.

The error "You require permission from S-1-1-0 to make changes to this folder" is returned when a user without the "Erase" right attempts to rename a file or folder residing on an NCP volume.

Giving the user the "Erase" right resolves the problem.

Resolution

This is working correctly, and as designed.

Previously, the Client for Open Enterprise Server was not strictly in compliance with the Microsoft file system standard. "DELETE" is the permission Windows uses for both "erase" and "rename", so withholding the NCP-level "ERASE" trustee assignment prevents both. Note that creating a file or folder is also affected, since an application calling CreateFile may have the intention of eventually asking for a rename (or delete) operation using that file handle.

Now, the Client for Open Enterprise Server conforms to the Microsoft standard, such that the "Erase" right is required to erase or rename a file or folder.

Additional Information

There may be rare circumstances where the previous behavior is required. For these cases, a registry setting can be applied which will revert to the pre-Client for OES 2 SP4 (IR5) behavior.

NOTE: Implementing this policy can re-introduce scenarios where Windows applications actually expected an ACCESS_DENIED during CreateFile". This is the problem which was addressed in Client for OES 2 SP4 (IR5).

To enable this policy (not recommended):

Add a DWORD_32 value "Defer Windows DELETE Access Check" with data of "1" under
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NCFSD