A couple possibilities are that a script, such as a Group Policy
startup/shutdown script, or via Scheduled tasks is running that is using
cacls or xcacls to set folder file permissions. Another possibility is that
Group Policy computer configuration is using file system settings to
set/enforce permissions on folder or files. It may help to enable auditing
of object access on the computer where this is happening and then audit that
file for change permissions and deletion to see what events are recorded in
the security log, particulalry Event ID's 560 and 562, that may help you
track down what is going on. Keep in mind that if a user or application is
"moving" [offline files??] a file with the same name from somewhere else on
the volume the file that is moved will retain it's original permissions You
can check a file's properties to see the date it was created or modified.
Also check to see if inheritance has been enabled on the file after the
permissions change. --- Steve
