Top level folders show permissions inherited from Parent Object - who's the Parent?
One way that this can be caused (though I can't say this is exactly the cause of what you're seeing) is by moving directories in the volume after they've had permissions applied from a parent object. Object permissions are added at time of creation, and though it appears that Microsoft has "changed the rules" on this a little bit over time (see my comments below), I suspect there are still sharp edge-cases in the code where this holds true.
It looks like Windows Server 2012 tries much harder than prior versions of Windows to "correct" for this behavior. Here are instructions to reproduce the behavior in Windows Server 2008, though:
- Make a folder "D:\Test"
- Edit the NTFS permission and add "Guests / Full Control" to the "D:\Test" folder
- Make a child folder "D:\Test\Test-Child"
- From an elevated command prompt, execute `move D:\Test\Test-Child D:\`.
When you examine the permissions of the "D:\Test-Child" folder you'll see "Guests / Full Control" being inherited from the "Parent Object".
I can't repro this on Windows Server 2012, which tells me that Microsoft has added some code to cover this particular edge case.
Raymond Chen posted about this behavior on his blog back in 2006. I commented on this, saying that it was a design flaw. I find it interesting that, years later, somebody else at Microsoft agreed and changed the behavior.
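
A check for the condition reproduced above, as an added example that is not part of the original answer: it reports ACEs on a folder that are marked as inherited although the folder's current parent has no inheritable ACE for the same identity. The function name `Get-StaleInheritedAce` is hypothetical, the path in the usage comments is the one from the reproduction steps, and PowerShell 3.0 or later is assumed.

```powershell
# Added example. Compares a folder's inherited ACEs with what its *current*
# parent can pass down. Matching is by identity and Allow/Deny only, so it is a
# heuristic: it does not compare the rights mask.
function Get-StaleInheritedAce {
    param(
        [Parameter(Mandatory = $true)] [string] $Path   # folder to inspect
    )

    $item = Get-Item -LiteralPath $Path
    if (-not $item.PSIsContainer) { return }   # folders only
    $parent = $item.Parent                     # $null for a volume root
    if (-not $parent) { return }

    $childAcl   = Get-Acl -LiteralPath $item.FullName
    $childAces  = $childAcl.Access | Where-Object { $_.IsInherited }

    # Parent ACEs (explicit or inherited) that propagate to child folders.
    $ci = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
    $parentAces = (Get-Acl -LiteralPath $parent.FullName).Access |
        Where-Object { $_.InheritanceFlags -band $ci }

    # A CREATOR OWNER ACE on the parent shows up on the child under the
    # owner's own name, so the child's owner counts as a legitimate identity.
    $allowed = @($parentAces | ForEach-Object {
        '{0}|{1}' -f $_.IdentityReference.Value, $_.AccessControlType
        if ($_.IdentityReference.Value -eq 'CREATOR OWNER') {
            '{0}|{1}' -f $childAcl.Owner, $_.AccessControlType
        }
    })

    foreach ($ace in $childAces) {
        $key = '{0}|{1}' -f $ace.IdentityReference.Value, $ace.AccessControlType
        if ($allowed -notcontains $key) {
            # Inherited flag is set, but the current parent cannot be the source.
            $ace | Select-Object @{ n = 'Path'; e = { $item.FullName } },
                IdentityReference, AccessControlType, FileSystemRights
        }
    }
}

# Usage with the folder from the steps above:
#   Get-StaleInheritedAce -Path 'D:\Test-Child'
# Sweep every top-level folder on the volume:
#   Get-ChildItem -LiteralPath 'D:\' -Directory |
#       ForEach-Object { Get-StaleInheritedAce -Path $_.FullName }
```

On a folder in the state described above, the output would list the "Guests" entry, since `D:\` itself carries no inheritable ACE for that identity.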