windows allows alternative acl semantics when files are being moved on one NTFS volume. With HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MoveSecurityAttributes = 0 (on the client) the ACLs are being set like if the file would have been copied there and not moved. This worked with Windows XP. With Windows 7 and Vista a hotfix was needed to make this work: http://support.microsoft.com/kb/2617058 See also http://support.microsoft.com/kb/310316 We should also support this MoveSecurityAttributes=0 semantic.
by the way with win XP MoveSecurityAttribytes defaults to 1 (ACLs stay) with Win 7 the default behaviour is MoveSecurityAttribytes=0 but the registry key only comes with the before mentioned hotfix. The resetting of the ACLs is being done by Explorer on client-side however, not by the server. the kb2617058 is also quite confusingly written as is only suggests to set MoveSecurityAttribytes=0 - which is already the Win 7 default. The patch allows to do the opposite - set that thing to 1 again - to the XP default. nice read about this: http://blogs.msdn.com/b/oldnewthing/archive/2013/09/24/10451467.aspx looks like there is actually nothing to do for us here.