Diffstat (limited to 'lib')
-rw-r--r-- | lib/chef/file_access_control/windows.rb | 4 | ||||
-rw-r--r-- | lib/chef/win32/api/security.rb | 2 | ||||
-rw-r--r-- | lib/chef/win32/security/ace.rb | 2 |
3 files changed, 5 insertions, 3 deletions
diff --git a/lib/chef/file_access_control/windows.rb b/lib/chef/file_access_control/windows.rb
index 6937912849..a7cefdc6d7 100644
--- a/lib/chef/file_access_control/windows.rb
+++ b/lib/chef/file_access_control/windows.rb
@@ -90,10 +90,12 @@ class Chef
 target_acl.each do |target_ace|
 if target_ace.flags & INHERIT_ONLY_ACE == 0
 self_ace = target_ace.dup
+ # We need flag value which is already being set in case of WRITE permissions as 3, so we will not be overwriting it with the hard coded value.
 self_ace.flags = 0 unless target_ace.mask == Chef::ReservedNames::Win32::API::Security::WRITE
 self_ace.mask = securable_object.predict_rights_mask(target_ace.mask)
 new_target_acl << self_ace
 end
+ # As there is no inheritence needed in case of WRITE permissions.
 if target_ace.mask != Chef::ReservedNames::Win32::API::Security::WRITE && target_ace.flags & (CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE) != 0
 children_ace = target_ace.dup
 children_ace.flags |= INHERIT_ONLY_ACE
@@ -220,7 +222,7 @@ class Chef
 when :read_execute
 mask |= GENERIC_READ | GENERIC_EXECUTE
 when :write
- mask |= GENERIC_WRITE
+ mask |= WRITE
 else
 # Otherwise, assume it's an integer specifying the actual flags
 mask |= permission
diff --git a/lib/chef/win32/api/security.rb b/lib/chef/win32/api/security.rb
index bac4ab5450..5c3dd69c3e 100644
--- a/lib/chef/win32/api/security.rb
+++ b/lib/chef/win32/api/security.rb
@@ -115,7 +115,6 @@ class Chef STANDARD_RIGHTS_EXECUTE = READ_CONTROL STANDARD_RIGHTS_ALL = 0x001F0000 SPECIFIC_RIGHTS_ALL = 0x0000FFFF - # Access System Security Right ACCESS_SYSTEM_SECURITY = 0x01000000 # File/Directory Specific Rights 
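Review bot: In the first hunk of lib/chef/file_access_control/windows.rb, the two added comments do not explain the WRITE special case well enough to maintain it. "as 3" is a bare number (presumably CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE), and "no inheritence needed" reads as if inheritance were switched off, although the branch above deliberately keeps the ACE's inherit flags. I would write `# A WRITE-only ACE keeps the inherit flags it was created with, so do not reset them to 0.` and `# A WRITE-only ACE is added once with its own flags; no separate inherit-only child ACE is created.` Both conditions compare with `==`, so they apply only when the mask is exactly WRITE, and the comments should say that. The enclosing method starts and ends outside the hunk.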
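Review bot: In the second hunk of windows.rb, `mask |= WRITE` is OR-ed into a running mask, but the special handling in the first hunk only fires on `target_ace.mask == ...::WRITE`. If a permission list can combine `:write` with another right (the `|=` suggests it can), that ACE has its flags reset and gets an inherit-only child, while `:write` alone does not, so the same write bits inherit differently. WRITE as defined in security.rb also leaves out the STANDARD_RIGHTS_WRITE and SYNCHRONIZE bits that FILE_GENERIC_WRITE carries, so a combined mask may grant less than it did with GENERIC_WRITE unless another permission supplies them. A spec pinning the resulting mask and flags for `:write` alone and for `:write` together with `:read` would make the intended behaviour explicit. The `case` statement starts and ends outside the hunk.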
@@ -142,6 +141,7 @@ class Chef
 FILE_GENERIC_WRITE = STANDARD_RIGHTS_WRITE | FILE_WRITE_DATA | FILE_WRITE_ATTRIBUTES | FILE_WRITE_EA | FILE_APPEND_DATA | SYNCHRONIZE
 FILE_GENERIC_EXECUTE = STANDARD_RIGHTS_EXECUTE | FILE_READ_ATTRIBUTES | FILE_EXECUTE | SYNCHRONIZE
 WRITE = FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_WRITE_ATTRIBUTES | FILE_WRITE_EA
+ SUBFOLDERS_AND_FILES_ONLY = INHERIT_ONLY_ACE | CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE
 # Access Token Rights (for OpenProcessToken)
 # Access Rights for Access-Token Objects (used in OpenProcessToken)
 TOKEN_ASSIGN_PRIMARY = 0x0001
diff --git a/lib/chef/win32/security/ace.rb b/lib/chef/win32/security/ace.rb
index ba81c44269..d593513983 100644
--- a/lib/chef/win32/security/ace.rb
+++ b/lib/chef/win32/security/ace.rb
@@ -113,7 +113,7 @@ class Chef
 struct[:AceType] = type
 struct[:AceFlags] = flags
 struct[:AceSize] = size_needed
- struct[:Mask] = mask == Security::GENERIC_WRITE ? Security::WRITE : mask
+ struct[:Mask] = mask
 Chef::ReservedNames::Win32::Memory.memcpy(struct.pointer + struct.offset_of(:SidStart), sid.pointer, sid.size)
 ACE.new(struct.pointer)
 end |
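Review bot: `SUBFOLDERS_AND_FILES_ONLY`, added in the second hunk of lib/chef/win32/api/security.rb, is not referenced by any other change under lib shown on this page. If only specs use it, a one-line comment would tell readers what it is for, e.g. `# Inherit-only ACE: applies to child containers and objects, not to the object itself`. Otherwise the constant can be dropped. It also relies on INHERIT_ONLY_ACE, CONTAINER_INHERIT_ACE and OBJECT_INHERIT_ACE being defined earlier in this module, which is outside the hunk.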
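Review bot: With `struct[:Mask] = mask` in lib/chef/win32/security/ace.rb, an ACE whose mask is exactly GENERIC_WRITE is no longer rewritten to WRITE. The only replacement visible here is the `:write` symbol mapping in file_access_control/windows.rb. A caller that supplies the integer through that mapping's `else` branch, or that builds the ACE directly, now has GENERIC_WRITE stored as given, and the `== ...::WRITE` checks in windows.rb would presumably not match it. If that is intended, a spec for an ACE created with `Security::GENERIC_WRITE` would record it; otherwise the normalisation belongs in one place that every caller passes through. The method containing these lines starts outside the hunk.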