NTFS Permissions Broken — Access Denied After Migration, Inheritance Change or Ownership Loss
Users receive 'Access is denied' on file shares or local folders after a server migration, permission inheritance was disabled accidentally, or ownership has been transferred to an unknown SID from a previous domain. NTFS and share permissions are evaluated independently — access is the more restrictive intersection of both.
Indicators
- 'Access is denied' on a share or folder that previously worked
- Users lost access after file server migration to new hardware or domain
- Security tab in folder Properties shows SIDs (S-1-5-21-...) instead of account names
- Inheritance indicator missing — folder shows unique permissions not inherited from parent
- Administrator account cannot access folder — Ownership shows SYSTEM or former domain account
Likely causes
- SID mismatch after domain migration — old SIDs no longer resolve to current domain accounts
- NTFS inheritance disabled accidentally during security hardening
- Share permissions set to 'Everyone: Read' conflict with NTFS 'Deny' for the user
- Folder ownership changed to SYSTEM or a service account, blocking admins
- Xcopy / Robocopy migration run without the ACL-copying switches (e.g. Robocopy without /COPYALL or /SEC) — ACLs not preserved
- Group Policy Security filtering or GPP file preference overwriting permissions
Diagnostic steps
- Check effective permissions: right-click folder > Properties > Security > Advanced > Effective Access — select a specific user or group to see what they can actually do
- List ACL with icacls: icacls "C:\path\to\folder" — look for unresolved SIDs (S-1-5-21-...) indicating orphaned permissions from old domain accounts
- Check share permissions separately: net share <sharename> or Get-SmbShareAccess -Name <sharename> — share perms and NTFS perms stack; effective access = most restrictive
- Take ownership if locked out (run as local admin from elevated prompt): takeown /F "C:\path" /R /D Y then icacls "C:\path" /grant "BUILTIN\Administrators:(OI)(CI)F" /T
- Reset inheritance to restore default inherited permissions: icacls "C:\path" /reset /T /C — caution: this removes explicit ACEs, use on correct path only
- After domain migration: use ADMT (Active Directory Migration Tool) SID history mapping, or use SetACL to translate old-domain SIDs to new-domain equivalents in bulk
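The diagnostic steps above can be run over a whole tree at once. The following PowerShell script is an added example, not code from the original article: it walks a folder tree with Get-Acl, flags folders where inheritance is disabled, owners and explicit ACEs whose SID no longer resolves to any account, explicit Deny ACEs, and lists the share-level ACL from Get-SmbShareAccess next to them so the two can be compared. The root path, share name and CSV location are placeholders; it also produces the CSV export mentioned under Prevention.

```powershell
# Added example, not part of the original article. $Root and $ShareName are
# placeholders; replace them with the real folder and share under investigation.
param(
    [string]$Root      = 'D:\Shares\Finance',                  # placeholder path
    [string]$ShareName = 'Finance',                            # placeholder share
    [string]$Csv       = (Join-Path $env:TEMP 'ntfs-audit.csv')
)

# Translate a SID to DOMAIN\Name. $null means no trusted domain knows the SID,
# i.e. an orphaned identity left over from a decommissioned domain or account.
function Resolve-Sid {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    try   { $Sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $null }
}

$sidType  = [System.Security.Principal.SecurityIdentifier]
$findings = [System.Collections.Generic.List[object]]::new()
$dirs = @(Get-Item -LiteralPath $Root) +
        @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)

foreach ($dir in $dirs) {
    try { $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop }
    catch {
        # Admin cannot even read the ACL: typically the ownership-loss case above
        $findings.Add([pscustomobject]@{ Path = $dir.FullName; Issue = 'ACL unreadable'
                                         Detail = $_.Exception.Message })
        continue
    }

    # Indicator: inheritance disabled, folder carries its own unique permissions
    if ($acl.AreAccessRulesProtected) {
        $findings.Add([pscustomobject]@{ Path = $dir.FullName; Issue = 'Inheritance disabled'
                                         Detail = 'AreAccessRulesProtected = True' })
    }

    # Indicator: owner SID does not resolve (former-domain account, SYSTEM is fine)
    $ownerSid = $acl.GetOwner($sidType)
    if (-not (Resolve-Sid $ownerSid)) {
        $findings.Add([pscustomobject]@{ Path = $dir.FullName; Issue = 'Orphaned owner'
                                         Detail = $ownerSid.Value })
    }

    # Explicit ACEs only (inherited ones are reported on the parent where they are set)
    foreach ($ace in $acl.GetAccessRules($true, $false, $sidType)) {
        $name = Resolve-Sid $ace.IdentityReference
        if (-not $name) {
            $findings.Add([pscustomobject]@{ Path = $dir.FullName; Issue = 'Orphaned ACE'
                Detail = "$($ace.IdentityReference.Value) $($ace.AccessControlType) $($ace.FileSystemRights)" })
        } elseif ($ace.AccessControlType -eq 'Deny') {
            # Deny always wins over Allow, whatever the share permissions say
            $findings.Add([pscustomobject]@{ Path = $dir.FullName; Issue = 'Explicit Deny'
                                             Detail = "$name $($ace.FileSystemRights)" })
        }
    }
}

# Share-level ACL: effective access is the more restrictive of share and NTFS
$shareAcl = $null
try   { $shareAcl = Get-SmbShareAccess -Name $ShareName -ErrorAction Stop }
catch { Write-Warning "Share '$ShareName' not found on this host: $($_.Exception.Message)" }
foreach ($s in @($shareAcl)) {
    if ($null -eq $s) { continue }
    $findings.Add([pscustomobject]@{ Path = "\\$env:COMPUTERNAME\$ShareName"; Issue = 'Share ACE'
                                     Detail = "$($s.AccountName) $($s.AccessControlType) $($s.AccessRight)" })
}

$findings | Export-Csv -LiteralPath $Csv -NoTypeInformation
$findings | Sort-Object Issue, Path | Format-Table -AutoSize
Write-Host "Findings written to $Csv"
```

Run it from an elevated prompt on the file server itself; Get-SmbShareAccess queries the local SMB server, and reading ACLs on folders whose owner is an orphaned SID needs administrator rights. An 'ACL unreadable' row is the cue for the takeown step; 'Orphaned ACE' rows give the exact SIDs to map when replacing them.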
Resolution path
- Use Effective Access to confirm exactly what the user can or cannot do
- Take ownership if administrators are locked out
- Replace unresolved SIDs with current domain groups using icacls or SetACL
- Re-enable inheritance or explicitly grant required permissions
- Verify share permissions are not overly restrictive on top of correct NTFS ACLs
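As an added example for the "Replace unresolved SIDs" and "Re-enable inheritance" steps (not code from the original article, and not the SetACL or ADMT approach it names), the function below rewrites explicit ACEs that carry an orphaned SID into equivalent ACEs for a current domain group, preserving rights, inheritance flags, propagation and Allow/Deny type, and can optionally re-enable inheritance. The SID-to-group mapping is a placeholder built from the audit output; the function supports -WhatIf so the change can be previewed first.

```powershell
# Added example, not part of the original article. The SIDs and group names in
# $SidMap are placeholders: take the SIDs from the audit ('Orphaned ACE' rows)
# and the group names from the target domain.
$SidMap = @{
    'S-1-5-21-1111111111-2222222222-3333333333-1105' = 'NEWDOMAIN\Finance-RW'   # placeholder
    'S-1-5-21-1111111111-2222222222-3333333333-1106' = 'NEWDOMAIN\Finance-RO'   # placeholder
}

function Repair-OrphanedAce {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Root,
        [Parameter(Mandatory)][hashtable]$SidMap,
        # Re-enable inheritance on folders that had it disabled (keeps explicit ACEs)
        [switch]$RestoreInheritance
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $items = @(Get-Item -LiteralPath $Root) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        try { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
        catch { Write-Warning "Skipping $($item.FullName): $($_.Exception.Message)"; continue }
        $changed = $false

        # Only explicit ACEs can be rewritten here; inherited ones are fixed at the parent
        foreach ($ace in $acl.GetAccessRules($true, $false, $sidType)) {
            $old = $ace.IdentityReference.Value
            if (-not $SidMap.ContainsKey($old)) { continue }
            $newName = $SidMap[$old]
            # New ACE with identical rights/inheritance/propagation/type, new principal
            $newAce = [System.Security.AccessControl.FileSystemAccessRule]::new(
                $newName, $ace.FileSystemRights, $ace.InheritanceFlags,
                $ace.PropagationFlags, $ace.AccessControlType)
            if ($PSCmdlet.ShouldProcess($item.FullName, "Replace $old with $newName")) {
                [void]$acl.RemoveAccessRule($ace)
                $acl.AddAccessRule($newAce)
                $changed = $true
            }
        }

        if ($RestoreInheritance -and $acl.AreAccessRulesProtected -and
            $PSCmdlet.ShouldProcess($item.FullName, 'Re-enable inheritance')) {
            # isProtected = $false turns inheritance back on; explicit ACEs stay in place
            $acl.SetAccessRuleProtection($false, $true)
            $changed = $true
        }

        if ($changed) {
            Set-Acl -LiteralPath $item.FullName -AclObject $acl
            Write-Verbose "Updated ACL on $($item.FullName)"
        }
    }
}

# Preview first, then apply; $Root is a placeholder path
Repair-OrphanedAce -Root 'D:\Shares\Finance' -SidMap $SidMap -RestoreInheritance -WhatIf
# Repair-OrphanedAce -Root 'D:\Shares\Finance' -SidMap $SidMap -RestoreInheritance -Verbose
```

Set-Acl writes the whole descriptor, owner included, so on a folder whose owner is itself an orphaned SID it fails with an error about the security identifier not being allowed as owner; run the takeown step from the diagnostics first, then re-run the function. Unmapped orphaned SIDs are left untouched rather than deleted, so the audit still reports them afterwards and nothing is silently dropped.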
Prevention
- Always use Robocopy /COPYALL or /SEC when migrating file servers to preserve ACLs
- Document permission structure before any server migration
- Run ADMT SID history migration before decommissioning source domain
- Audit file server permissions quarterly with Get-Acl and export to CSV
Tools
- icacls.exe (list, set, reset permissions; /setowner)
- takeown.exe (ownership recovery)
- Get-Acl / Set-Acl (PowerShell)
- Get-SmbShareAccess (share permissions)
- Advanced Security Settings dialog (Effective Access tab)
- ADMT — Active Directory Migration Tool (SID history)
- SetACL (bulk ACL translation)