dougconnell
Kilo Guru

I recently had a struggle with Windows File Permissions on my MID Servers and got into a real mess. So I thought I would share my learnings.

The problem became apparent when we saw errors (about File permissions) in the MID Server logs.

Agent Configuration Parameter

In the config.xml, there is a configuration parameter that controls if the PowerShell Startup Script should be run.

This PowerShell Script changes the permissions of the agent folder (non-inherited) as described below.

You can turn off this script using this config:

<!-- Added by Doug Connell on 20201-05-20 This stops the Agent from Changing permissions on the agent folder -->
    <parameter name="mid.windows_host.file_permissions.enforce" value="false"/>

Changing Permissions

Changing permissions on Files and Folders in Windows is a pain. (This is where Unix wins by a mile).
But it can be achieved in Windows if you follow some basic rules. The key is to change the file ownership before attempting to change any permissions.

  1. Make sure you turn off the PowerShell Script that automatically changes the permissions when the Agent starts - otherwise it gets very confusing. (see above).
  2. Don't try and change permissions with PowerShell; you can do everything faster and better with File Explorer. 
  3. Open File Explorer (not 100% sure this is necessary - but does not hurt).
    1. Open a CMD Prompt as Administrator
    2. Type Explorer to Open File Explorer as Administrator
  4. Change Ownership of all Files and Folders
    1. Right Click on your top level parent and select Properties. Click on the Security Tab and Click on Advanced.
    2. Change the Ownership to You (your logged in Account)
    3. Click on the option to propagate the ownership change to all Children (sub-folder and files)
  5. Set Permissions On Parent Folder
    1. Pick a parent folder from which you will set the permissions.  For example, all my SN Agents are Installed under: D:\Apps\ServiceNow 
    2. Set the Parent Folder to Non-Inherited
    3. Set all permissions on the Parent (read, write, execute etc.) for the User Accounts that you want.
      1. For Example, I set read-only for everyone, and ticked on all permissions for me, the service account, and the Administrators Group.
  6. Now you can change the permissions on Sub Folders and Files. 
    1. Change everything to inheritable from the Current (Parent) folder.
    2. Use the option for This Folder, Subfolders and Files
    3. Click on the Option: Replace all child object permission entries with inheritable permissions from this object
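
To confirm the result of steps 4 to 6 without touching any permissions, a read-only audit can list every deviation. This is an added example, not part of the original post or any ServiceNow script; the function name `Test-MidFolderAcl`, the default path (taken from step 5) and the expected owner are assumptions to adjust.

```powershell
# Added example: read-only audit. Nothing here changes an owner or an ACL.
# $Root and $ExpectedOwner are assumptions; pass your own values.
function Test-MidFolderAcl {
    param(
        [string]$Root = 'D:\Apps\ServiceNow',
        [string]$ExpectedOwner = "$env:USERDOMAIN\$env:USERNAME"
    )
    $write = [System.Security.AccessControl.FileSystemRights]::Write

    # Step 5: the parent folder should be non-inherited (protected DACL).
    $rootAcl = Get-Acl -LiteralPath $Root
    if (-not $rootAcl.AreAccessRulesProtected) {
        [pscustomobject]@{ Path = $Root; Issue = 'Parent still inherits permissions' }
    }
    # Step 5: "Everyone" should be read-only (name assumes an English-language OS).
    foreach ($ace in $rootAcl.Access) {
        if ($ace.IdentityReference.Value -eq 'Everyone' -and
            $ace.AccessControlType -eq 'Allow' -and
            ($ace.FileSystemRights -band $write)) {
            [pscustomobject]@{ Path = $Root; Issue = "Everyone has $($ace.FileSystemRights)" }
        }
    }
    # Steps 4 and 6: each child has the expected owner and only inherited entries.
    foreach ($item in Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue) {
        try { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
        catch {
            [pscustomobject]@{ Path = $item.FullName; Issue = "ACL unreadable: $($_.Exception.Message)" }
            continue
        }
        if ($acl.Owner -ne $ExpectedOwner) {
            [pscustomobject]@{ Path = $item.FullName; Issue = "Owner is $($acl.Owner)" }
        }
        if ($acl.AreAccessRulesProtected) {
            [pscustomobject]@{ Path = $item.FullName; Issue = 'Inheritance disabled on child' }
        }
        $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
        if ($explicit.Count -gt 0) {
            [pscustomobject]@{ Path = $item.FullName; Issue = "$($explicit.Count) explicit (non-inherited) entries" }
        }
    }
}

# Run from an elevated prompt; an empty result means no deviations were found.
Test-MidFolderAcl | Format-Table -AutoSize -Wrap
```

If `mid.windows_host.file_permissions.enforce` is later set back to `true`, re-running the audit after an agent restart shows what the startup script changed.
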
Comments
Prabu Velayutha
Mega Sage

@dougconnell Thanks a lot for sharing your experience. It is very helpful.

Version history
Last update: 05-20-2021 02:51 PM