Access Control Entry Inheritance for Active Directory Objects (221241)



The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server

This article was previously published under Q221241

SUMMARY

Windows 2000 Active Directory objects have security settings similar to those of file system objects on NTFS volumes. Their permissions differ from file system permissions in one respect: an access control entry (ACE) on a container can be inherited by subordinate objects selectively, based on the object class of each subordinate object.

This information is configured in the Permission Entry dialog box. To open it, right-click the object in question, click Properties, click the Security tab, click Advanced, select the permission entry you want to change, and then click View/Edit.

MORE INFORMATION

For file system objects, an administrator can designate access control list (ACL) inheritance based on whether or not sub-objects are containers, and for each of the possible combinations of containers and sub-objects. For additional information, see the following article in the Microsoft Knowledge Base:

220167 Understanding Container Access Inheritance Flags in Windows 2000

Active Directory objects have all of the inheritance options present for file system objects. They also have an additional level of options in the Apply Onto box: the object-specific access control entry (ACE), which records the object class that the ACE is meant for. When this class is set on an ACE, the ACE applies to a subordinate object only if that object's class is an exact match for the class listed in the ACE.

This means that for Active Directory objects you can define inheritance based not only on whether sub-objects are containers or leaf objects, but also on the specific object class of each sub-object. The list of classes offered is taken from the schema, which defines every object class that a given Active Directory container can hold.

For example, Active Directory organizational units (OUs) are container objects that can contain contact objects, computer objects, group objects, user objects and other OUs, as well as a long list of other object types. Using the ACL editor in the context of Active Directory, you can define access control entries whose inheritance is determined by the class of the sub-object. In this example, therefore, you can create an access control entry on an organizational unit that is inherited only by subordinate contact objects; computers, groups and users under the same OU do not receive it.
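The same object-specific inheritance can be set without the dialog box. The following PowerShell script is an added example and is not part of this article or of any Microsoft tool: it looks up the schema GUID of a class (here contact, as in the example above), builds an ACE on an OU that is inherited only by descendant objects of that class, writes it, and then reads the ACL back to confirm the entry. The OU path OU=Sales,DC=example,DC=com and the trustee EXAMPLE\Helpdesk are assumptions; replace them with values from your own directory.

```powershell
# Added example, not from KB 221241. Creates an object-specific inheritable ACE
# on an OU using System.DirectoryServices. Run on a domain-joined machine with
# rights to modify the OU's security descriptor.
param(
    [string]$OuPath    = "LDAP://OU=Sales,DC=example,DC=com",   # assumed OU
    [string]$Trustee   = "EXAMPLE\Helpdesk",                    # assumed group
    [string]$ClassName = "contact"                              # lDAPDisplayName of the class
)

# The class GUID the ACE must carry (its InheritedObjectType) comes from the
# schema partition: the schemaIDGUID attribute of the classSchema object.
function Get-SchemaClassGuid {
    param([string]$LdapDisplayName)
    $schemaNc = ([ADSI]"LDAP://RootDSE").schemaNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
        [ADSI]"LDAP://$schemaNc",
        "(&(objectClass=classSchema)(lDAPDisplayName=$LdapDisplayName))",
        @("schemaIDGUID"))
    $result = $searcher.FindOne()
    if (-not $result) { throw "Class '$LdapDisplayName' not found in the schema" }
    $bytes = [byte[]]$result.Properties["schemaidguid"][0]
    return New-Object System.Guid -ArgumentList @(,$bytes)
}

$classGuid = Get-SchemaClassGuid -LdapDisplayName $ClassName
$ou        = [ADSI]$OuPath
$identity  = New-Object System.Security.Principal.NTAccount($Trustee)

# Descendents = CONTAINER_INHERIT + INHERIT_ONLY: the ACE never applies to the
# OU itself, and because NO_PROPAGATE is not set it also reaches matching
# objects in nested OUs. Passing the class GUID as inheritedObjectType is what
# makes this an object-specific ACE: only objects of that class inherit it.
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $identity,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $classGuid)

$ou.ObjectSecurity.AddAccessRule($rule)
$ou.CommitChanges()

# Check: list the explicit (non-inherited) entries on the OU that are scoped
# to this class. Anything else granted to the trustee here would reach all
# child classes, which is usually not what a delegation intended.
$ou.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
    Where-Object { $_.InheritedObjectType -eq $classGuid } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, InheritedObjectType
```

The verification step matters more than the write: an ACE whose InheritedObjectType is the empty GUID is not object-specific and will be inherited by every class the container can hold, so when auditing delegated permissions on an OU, compare the InheritedObjectType of each entry against the schema GUIDs of the classes you expected to delegate.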

Modification Type: Major
Last Reviewed: 11/13/2003
Keywords:kbenv kbinfo KB221241