File security permissions inheritance (NTFS ACL) is broken when Acrobat overwrites files with Protected Mode enabled.
File security permissions inheritance (NTFS ACL) is broken when Acrobat overwrites files with Protected Mode enabled.
When Acrobat overwrites a file in Protected Mode, the resulting PDF inherits the ACL of the sandbox temp file (%LocalAppData%\Temp\acrobat_sbx\).
Hence the overwritten file becomes accessible only to the account that performed the overwrite operation.
Other users on the network who access the shared folder using different credentials (e.g., a shared user account) can no longer see or open the file.
Process:
1. Acrobat opens the PDF inside its sandbox (Protected Mode).
2. When overwriting an existing file, it writes a temporary copy to:
%LocalAppData%\Temp\acrobat_sbx\
3. That folder inherits the restrictive ACLs of the root TEMP directory (typically SYSTEM/Admins only).
4. Acrobat then replaces the original file using its internal sandbox I/O.
This replace operation preserves the sandbox ACL instead of reapplying the shared folder’s inherited permissions.
5. Result: users on the share lose access to the overwritten file.
Notes:
- The issue occurs only when overwriting an existing file.
- “Save As” to a new filename inherits permissions correctly.
- Changing permissions on TEMP or acrobat_sbx is technically possible but not recommended
due to security risks and because TEMP is routinely cleared.
Workaround:
As of now, the safer workaround seems to be disabling Protected Mode so that Acrobat writes directly to the shared folder:
Preferences → Security → uncheck “Enable Protected Mode at Startup”.
