Understanding Container Access Inheritance Flags in Windows 2000 (220167)


The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Datacenter Server
This article was previously published under Q220167

SUMMARY

Windows 2000 provides for the inheritance of access control entries (ACEs) through the file system hierarchy.

For the purposes of Access Control inheritance, there are two types of objects in Windows NT, containers and non-containers. Access control entries on container objects can be configured to propagate to subordinate objects. This propagation is accomplished using container access inheritance flags, which are written to specific access control entries that are applied on the container itself.

In the Windows 2000 file system, Administrators can configure this information by accessing the Advanced dialog box of the Access Control Editor, which is found on the Security tab of the Properties dialog box for the object, and then clicking Edit on the View menu. Container inheritance is present in the Apply Onto box of the box displaying ACE entries. When an administrator adds a new ACE to the access control list, he or she can select the scope of the entry's inheritance. The following are specific to the NTFS file system:
  • "This folder only" Apply Onto value, no ACE flags: No inheritance applies to ACE.
  • "This folder, subfolders, and files" Apply Onto value, (OI), (CI) ACE flags: All subordinate objects inherit this ACE, unless they are configured to block ACL inheritance altogether.
  • "This folder and subfolders" Apply Onto value, (CI) ACE flag: ACE propagates to subfolders of this container, but not to files within this container.
  • "This folder and files" Apply Onto value, (OI) ACE flag: ACE propagates to files within this container, but not to subfolders.
  • "Subfolders and files only" Apply Onto value, (IO), (CI), (OI) ACE flags: ACE does not apply to this container, but does propagate to both subfolders and files contained within.
  • "Subfolders only" Apply Onto value, (IO), (CI) ACE flags: ACE does not apply to this container, but propagates to subfolders. It does not propagate to contained files.
  • "Files only" Apply Onto value, (IO), (OI) ACE flags: ACE does not apply to this container, but propagates to the files it contains. Subfolders do not receive this ACE.
  • "Apply these permissions to objects and/or containers within this container only" Apply Onto value, adds (NP) ACE flag: This flag limits inheritance only to those sub-objects that are immediately subordinate to the current object.

MORE INFORMATION

The ACL flags have the following meanings:
  • IO: Inherit Only - This flag indicates that this ACE does not apply to the current object.
  • CI: Container Inherit - This flag indicates that subordinate containers will inherit this ACE.
  • OI: Object Inherit - This flag indicates that subordinate files will inherit the ACE.
  • NP: Non-Propagate - This flag indicates that the subordinate object will not propagate the inherited ACE any further.
Modification Type:MajorLast Reviewed:11/21/2003
Keywords:kbenv kbinfo KB220167
©2003 Microsoft Corporation. All rights reserved.