Microsoft KB Archive/231903

= Access Control Entry Inheritance Changes in Windows 2000 =

Article ID: 231903

Article Last Modified on 2/23/2007

-

APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows 2000 Datacenter Server

-



This article was previously published under Q231903



SUMMARY
This article describes the difference between securable object access control inheritance in Windows 2000 and Microsoft Windows NT 4.0.



Inheritance Behavior in Windows NT 4.0
Windows NT 4.0 allows you to propagate access control entry (ACE) changes to subordinate securable objects only at the time the object is created, or when you apply a new access control list (ACL) to the parent container object. Furthermore, Windows NT 4.0 does not differentiate between ACEs that are inherited from a superior object, and the ACEs applied directly to an object.

For example, the following steps show the limitations of inheritance behavior in Windows NT 4.0:
 * 1) You or your administrator creates a file server share called Accounting. All members of the Accounting department (whose user accounts are members of a local group named Accounting) have Change rights to the Accounting share. The location of the share is E:\Files\Accounting. Your administrator set permissions using NTFS file system permissions.
 * 2) In the permissions dialog box, you or your administrator click to check the Replace Permissions On Subdirectories check box to configure NTFS permissions, and then click OK. When you are prompted to replace all security information on all existing folders and subfolders, click YES. Windows replaces the entire ACL for each subordinate file system object.
 * 3) In the Accounting share is a folder for each user. Each user has been given Full Control rights on their own folder. The Full Control rights are assigned manually, using NTFS folder permissions directly on the folder file system objects.
 * 4) At some future date, you or your administrator provide a human resources oversight group permissions to read files in the Accounting share. If you modify NTFS permissions at the root of the share, and you propagate settings using the Replace Permissions On Subdirectories check box, you delete all of the previously configured subordinate ACLs, because Windows NT 4.0 inheritance cannot distinguish between inherited ACEs and directly applied ACEs.

Inheritance Behavior in Windows 2000
Windows 2000 supports automatic propagation of inheritable ACEs. In addition, ACEs that are applied directly to a file system object (explicit ACEs) take precedence over inherited ACEs: they are placed ahead of the inherited ACEs in the object's ACL and are therefore evaluated first, so a conflicting inherited ACE never overrides an explicit one.

Using the scenario detailed above, the following steps show the new behavior:
 * 1) You or your administrator creates the Accounting file share at E:\Files\Accounting, and then assigns the Accounting group Change permissions.
 * 2) Every subordinate file system object inherits by default the permissions set on the parent level container.
 * 3) Users can add explicit ACL entries directly upon subordinate objects. Since these ACEs are explicit they have precedence over inherited ACEs.
 * 4) When you make changes to the ACL on the top level folder, you do not delete any of the explicit ACLs defined on the subordinate file system objects.
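The following Python model is an added example, not code from the Microsoft article, and it is a simplification of the real Windows access check. It replays the two four-step scenarios above against two propagation rules: an NT 4.0-style "Replace Permissions On Subdirectories" that overwrites every subordinate ACL, and a Windows 2000-style propagation that re-derives only the ACEs marked as inherited and keeps each object's explicit ACEs. The rights bit values, the trustee names (Accounting, HR, alice) and the folder layout are constructed for the example; the canonical ordering (explicit deny, explicit allow, inherited deny, inherited allow) is the rule the article's precedence statement relies on.

```python
from dataclasses import dataclass, field, replace

# Constructed rights bits; real NTFS access masks have many more bits.
READ, WRITE, DELETE, CHANGE_PERMS = 1, 2, 4, 8
CHANGE = READ | WRITE | DELETE
FULL = CHANGE | CHANGE_PERMS


@dataclass(frozen=True)
class Ace:
    trustee: str
    allow: bool          # True = access-allowed ACE, False = access-denied ACE
    rights: int
    inherited: bool = False  # Windows 2000 marks inherited ACEs; NT 4.0 cannot


@dataclass
class FsObject:
    name: str
    dacl: list
    children: list = field(default_factory=list)


def canonical(dacl):
    """Canonical DACL order: explicit ACEs before inherited, deny before allow."""
    return sorted(dacl, key=lambda a: (a.inherited, a.allow))


def access_check(obj, groups, requested):
    """Simplified Windows access check: walk the DACL in canonical order.
    A matching deny ACE covering any still-unsatisfied right denies access;
    allow ACEs subtract the rights they grant until nothing is left."""
    remaining = requested
    for ace in canonical(obj.dacl):
        if ace.trustee not in groups:
            continue
        if not ace.allow and ace.rights & remaining:
            return False
        if ace.allow:
            remaining &= ~ace.rights
            if remaining == 0:
                return True
    return remaining == 0


def nt4_replace(parent):
    """NT 4.0 'Replace Permissions On Subdirectories': every subordinate ACL is
    overwritten with a copy of the parent's ACL; explicit entries are lost."""
    for child in parent.children:
        child.dacl = [replace(a, inherited=False) for a in parent.dacl]
        nt4_replace(child)


def w2k_propagate(parent):
    """Windows 2000 automatic propagation: replace only the inherited ACEs on
    each subordinate object, keep the ACEs applied directly to it."""
    for child in parent.children:
        explicit = [a for a in child.dacl if not a.inherited]
        inherited = [replace(a, inherited=True) for a in parent.dacl]
        child.dacl = explicit + inherited
        w2k_propagate(child)


def scenario(propagate):
    """Steps 1-4 of the article's scenario under the given propagation rule."""
    root = FsObject(r"E:\Files\Accounting", [Ace("Accounting", True, CHANGE)])
    alice = FsObject(r"E:\Files\Accounting\alice", [])
    root.children.append(alice)
    propagate(root)                                    # steps 1-2: share created, ACL pushed down
    alice.dacl.insert(0, Ace("alice", True, FULL))     # step 3: Full Control set directly on her folder
    root.dacl.append(Ace("HR", True, READ))            # step 4: HR oversight group gets Read at the root
    propagate(root)                                    # ... and the change is propagated again
    return {
        "alice_full": access_check(alice, {"alice", "Accounting"}, FULL),
        "hr_read": access_check(alice, {"HR"}, READ),
        "hr_write": access_check(alice, {"HR"}, WRITE),
    }


def explicit_deny_beats_inherited_allow():
    """Windows 2000 precedence: an explicit deny on a subfolder wins over an
    inherited allow for the same trustee, whatever order the ACEs were added in."""
    folder = FsObject("private", [Ace("HR", True, READ, inherited=True),
                                  Ace("HR", False, READ)])
    return not access_check(folder, {"HR"}, READ)


if __name__ == "__main__":
    print("NT 4.0      :", scenario(nt4_replace))   # alice loses Full Control
    print("Windows 2000:", scenario(w2k_propagate)) # alice keeps Full Control
    print("explicit deny wins:", explicit_deny_beats_inherited_allow())
```

Under the NT 4.0 rule the second propagation overwrites alice's folder ACL with the root ACL, so her Full Control entry disappears and she is left with the group's Change rights; under the Windows 2000 rule her explicit ACE survives and the new HR entry simply arrives as an inherited ACE behind it.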

Keywords: kbenv kbinfo KB231903

-


© Microsoft Corporation. All rights reserved.