Microsoft KB Archive/266461

HOWTO: Use ADSI to Set Automatic Inheritance of File/Folder Permissions


Q266461


The information in this article applies to:


 * Microsoft Active Directory Services Interface, System Component, used with:
   * the operating system: Microsoft Windows 2000


SUMMARY
File permissions that are set on files and folders using the Active Directory Services Interface (ADSI) and the ADSI resource kit utility, ADsSecurity.dll, do not automatically propagate down the subtree to existing folders and files.

To accomplish automatic propagation of inheritable Access Control Entries (ACEs) using ADSI, you need to enumerate existing subfolders and files yourself and apply the inheritable ACEs. Alternatively, you can call the SetSecurityInfo or SetNamedSecurityInfo function directly instead of using ADSI.

MORE INFORMATION
You cannot use ADSI to set ACEs that propagate down to existing files and folders because ADsSecurity.dll uses the low-level SetFileSecurity function to set the security descriptor on a folder. SetFileSecurity has no flag that automatically propagates the ACEs down to existing files and folders. The SE_DACL_AUTO_INHERIT_REQ control flag only sets the SE_DACL_AUTO_INHERITED flag in the security descriptor associated with the folder; it does not touch any child object.

Automatic propagation of inheritable ACEs is done only by the high-level SetSecurityInfo and SetNamedSecurityInfo functions. These functions propagate the inheritable ACEs (those marked CONTAINER_INHERIT_ACE or OBJECT_INHERIT_ACE) set on a folder to all existing subfolders and files, as long as the child object's DACL is not marked SE_DACL_PROTECTED. The high-level access control implementation does this by enumerating the subfolders and files itself and applying all of the inheritable ACEs to each one.

The following VBScript sample demonstrates how to enumerate folders and files and set file permissions using ADSI and ADsSecurity.dll:


 1. Create a file called SetPerms.vbs and paste the following code:
 2. Set the constant "fldname" to the folder where you want to start applying the permissions.
 3. Set the constant "usrname" to the name of the domain account that you are adding the permissions for.
 4. Register ADsSecurity.dll (which is in the Platform SDK) by running regsvr32 ADsSecurity.dll at a command prompt.
 5. Run SetPerms.vbs by double-clicking it on a computer that has Windows Script Host (WSH) installed.
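The enumerate-and-apply approach the steps describe, as an added example that is not the article's own SetPerms.vbs: it assumes ADsSecurity.dll is registered, and the start folder, account name and access mask are placeholders to edit before running.

```vbscript
' Added example, not the article's SetPerms.vbs: walk the tree with FileSystemObject
' and add the ACE to every existing subfolder and file through ADsSecurity.dll,
' which is the propagation that SetFileSecurity does not perform.
Option Explicit
Const fldname = "C:\Data\Shared"        ' placeholder: start folder
Const usrname = "DOMAIN\SomeUser"       ' placeholder: account to grant
' Win32 ACE header flags; AceFlags on a FILE:// descriptor maps onto them.
Const OBJECT_INHERIT_ACE    = &H1
Const CONTAINER_INHERIT_ACE = &H2
Const INHERITED_ACE         = &H10
Const SE_DACL_PROTECTED     = &H1000    ' security descriptor Control bit
Const ADS_ACETYPE_ACCESS_ALLOWED = 0
Const FILE_READ_EXECUTE = &H1200A9      ' "Read & Execute" access mask
Dim sec, fso
Set sec = CreateObject("ADsSecurity")
Set fso = CreateObject("Scripting.FileSystemObject")

' Add the ACE to one object. Returns False for a child whose DACL is
' protected, which is also where SetSecurityInfo's propagation stops.
Function ApplyAce(path, aceFlags)
    Dim sd, dacl, ace
    ApplyAce = False
    Set sd = sec.GetSecurityDescriptor("FILE://" & path)
    If (aceFlags And INHERITED_ACE) <> 0 And _
       (sd.Control And SE_DACL_PROTECTED) <> 0 Then Exit Function
    Set ace = CreateObject("AccessControlEntry")
    ace.Trustee    = usrname
    ace.AccessMask = FILE_READ_EXECUTE
    ace.AceType    = ADS_ACETYPE_ACCESS_ALLOWED
    ace.AceFlags   = aceFlags
    Set dacl = sd.DiscretionaryAcl
    dacl.AddAce ace
    sd.DiscretionaryAcl = dacl
    sec.SetSecurityDescriptor sd
    ApplyAce = True
End Function

' Recurse: files get the ACE marked as inherited; subfolders additionally
' carry the inherit flags so objects created later still pick it up.
Sub Propagate(folder)
    Dim sf, f
    For Each f In folder.Files
        ApplyAce f.Path, INHERITED_ACE
    Next
    For Each sf In folder.SubFolders
        If ApplyAce(sf.Path, CONTAINER_INHERIT_ACE Or OBJECT_INHERIT_ACE _
                    Or INHERITED_ACE) Then Propagate sf
    Next
End Sub

ApplyAce fldname, CONTAINER_INHERIT_ACE Or OBJECT_INHERIT_ACE
Propagate fso.GetFolder(fldname)
```

Run it with an account that has WRITE_DAC on the whole subtree, and compare the effective permissions of a few files afterwards against a folder set through the Security tab, which uses the high-level SetNamedSecurityInfo path.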