I’m not sure why, but on a server, in the d:\data directory I ran this command…
cacls . /t /g:usergroup:c
This didn’t have the expected behaviour of granting change to usergroup on the d:\data directory and all files and subdirectories -that would have been too simple.
Instead it replaced the permissions (I should have had the /e) which is fair enough, but WHY OH WHY did it proceed to do it not only on d:\data but also all the files (and subdirectories) in c:\windows (including system32 and other fairly important files). Needless to say I had a very worrying moment – in fact several of them when I discovered i had no access to run cacls anymore (permissions removed) and the only people who could access the windows directory (but with no access to logon locally) were members of the usergroup.
In the end I had to change the permissions, cascading down from windows and then run the Security Analyzer wizard to check that everything was ok.
I have no idea why it suddenly started doing c:\windows. I know I was in the d:\data directory as I checked before hitting return, I could see the present directory after the command finished AND the permissions were also correct on d:\data