How to Reset ACL Inheritance in the Windows 2000 File System (223441)



The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Datacenter Server

This article was previously published under Q223441

SUMMARY

Microsoft Windows 2000 has a significantly new access control paradigm that uses dynamic inheritance. This dynamic inheritance model lets users detach subordinate file system objects from access control inheritance. Such detachment (also known as Access Control List, or ACL, "protection") is required if one wants to stop superior Access Control Entries (ACEs) from applying to the subordinate file system objects altogether.

However, administrators may need a way to blast through a file system and reset inheritance. The "Reset permissions on all child objects and enable propagation of inheritable permissions" option provides this: child objects default back to inheriting permissions from their parent object.

MORE INFORMATION

The "Reset permissions on all child objects and enable propagation of inheritable permissions" option is available both for file system object permissions and for auditing. To re-activate ACL inheritance and remove all custom assigned access control entries for a complete file system tree, perform the following tasks:
  1. Open the Properties dialog box for the top-most object of the file system tree you want to reset, and select the Security tab.
  2. Click Advanced to display the Access Control Settings dialog box.
  3. Check "Reset permissions on all child objects and enable propagation of inheritable permissions" to reset all subordinate file system objects. To reset audit permission, a "Reset auditing entries on all child objects and enable propagation of inheritable auditing entries" option exists under the Auditing tab.
  4. A confirmation dialog box appears when the new Access Control setting is applied, to ensure awareness that all subordinate, explicitly defined access control entries will be destroyed by this action. Only inherited access control entries and legacy access control entries (entries that are left from a pre-upgrade installation of Microsoft Windows NT) will remain on subordinate objects.
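
Because step 4 destroys explicitly defined entries, it helps to record them first. The following read-only inventory is an added example, not part of the original article: it assumes a management host with Windows PowerShell 3.0 or later (not included in Windows 2000) that can reach the tree, and the `$Root` and `$ReportPath` values are placeholders. It covers access permissions only, not auditing entries.

```powershell
# Added example: list objects under $Root that block inheritance ("protected" ACLs)
# or carry explicit ACEs. Nothing in this script modifies any ACL.
param(
    [Parameter(Mandatory = $true)][string]$Root,        # placeholder: top of the tree to be reset
    [string]$ReportPath = ".\acl-before-reset.csv"      # hypothetical output file
)

$rows = Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $item = $_
        try {
            $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
        } catch {
            # Record unreadable objects so gaps in the inventory stay visible.
            [pscustomobject]@{
                Path = $item.FullName; Protected = $null; Identity = $null
                Type = $null; Rights = "UNREADABLE: $($_.Exception.Message)"
            }
            return
        }

        # Explicit ACEs are the entries not marked as inherited from a parent.
        $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })

        if ($acl.AreAccessRulesProtected -and $explicit.Count -eq 0) {
            # Protected object with no explicit ACEs: still report the blocked inheritance.
            [pscustomobject]@{
                Path = $item.FullName; Protected = $true; Identity = $null
                Type = $null; Rights = $null
            }
        }
        foreach ($ace in $explicit) {
            [pscustomobject]@{
                Path      = $item.FullName
                Protected = $acl.AreAccessRulesProtected
                Identity  = $ace.IdentityReference.Value
                Type      = $ace.AccessControlType     # Allow or Deny
                Rights    = $ace.FileSystemRights
            }
        }
    }

$rows | Export-Csv -LiteralPath $ReportPath -NoTypeInformation
$objects = @($rows | Select-Object -ExpandProperty Path -Unique).Count
Write-Output "Objects with protected ACLs or explicit ACEs: $objects (details in $ReportPath)"
```

The report cannot distinguish legacy Windows NT entries from other explicit entries, so treat every listed row as one to review before confirming the reset.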

Modification Type: Major
Last Reviewed: 11/21/2003
Keywords: kbhowto KB223441