Subordinate Explicit Grant Overrides Inherited Denial (233419)



The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Professional

This article was previously published under Q233419

SUMMARY

Windows 2000 includes a new Access Control List (ACL) inheritance model that provides for the dynamic inheritance of Access Control List Entries (ACEs) from parent container objects. This dynamic behavior allows ACEs to be changed on a superior container, and to have those changes automatically propagated to subordinate objects.

In addition, the access control mechanism distinguishes between inherited access control entries and explicit entries, so that explicit entries always take precedence over inherited entries.

This can lead to a situation in which inherited "DENY" access control entries are preempted by explicit "ALLOW" entries on subordinate objects. This is a different outcome from that in Microsoft Windows NT 4.0.

MORE INFORMATION

Windows NT 4.0 Server does not implement ACL inheritance; instead, it gives administrators the ability to propagate explicit access control entries down a file system hierarchy. This means that all access control entries are explicit entries. DENY entries are always sorted to the top of the list, and have precedence over ALLOW entries.

Windows 2000 includes ACL inheritance. This inheritance is also of concern with respect to the security of Active Directory objects. Active Directory objects automatically have explicit access control entries assigned upon their creation, based on settings in the Schema. For example, suppose an administrator creates an Organizational Unit with specific DENY permissions. If users are created within that container, they have the default explicit ALLOW permissions that override the inherited permissions.
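The following Python model is an added illustration, not part of the original article and not Microsoft code. It reproduces the evaluation order the article describes (explicit DENY, explicit ALLOW, inherited DENY, inherited ALLOW) and runs the Organizational Unit scenario through it, first as Windows 2000 evaluates it and then with every entry treated as explicit, as Windows NT 4.0 would. The access mask bits, principal names, and the assumed default ALLOW entry from the Schema are constructed for the example.

```python
from dataclasses import dataclass

# Toy access mask bits (constructed; not the real Windows access-right constants).
READ, WRITE = 0x1, 0x2


@dataclass(frozen=True)
class Ace:
    kind: str          # "allow" or "deny"
    trustee: str       # principal name, standing in for a SID
    mask: int          # rights this entry grants or denies
    inherited: bool = False  # True when propagated from a parent container


def canonical_order(dacl):
    """Windows 2000 canonical DACL order: explicit entries before inherited
    ones, and within each group DENY before ALLOW. The sort is stable, so
    entries already in order keep their relative positions."""
    return sorted(dacl, key=lambda a: (a.inherited, a.kind == "allow"))


def access_check(dacl, token_groups, requested):
    """Walk the DACL in canonical order. A DENY that covers any still-outstanding
    requested right refuses access; an ALLOW removes what it grants; evaluation
    stops as soon as nothing is outstanding. An empty DACL grants nothing."""
    remaining = requested
    for ace in canonical_order(dacl):
        if ace.trustee not in token_groups:
            continue
        if ace.kind == "deny":
            if ace.mask & remaining:
                return False
        else:
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return remaining == 0


def inherit(parent_dacl):
    """The entries a subordinate object receives from its parent: the same
    entries, flagged as inherited."""
    return [Ace(a.kind, a.trustee, a.mask, inherited=True) for a in parent_dacl]


# Constructed scenario from the article: an OU carries a DENY, and a user
# created inside it receives an explicit ALLOW from the Schema defaults.
OU_DACL = [Ace("deny", "Everyone", WRITE)]
SCHEMA_DEFAULT_ACES = [Ace("allow", "Authenticated Users", READ | WRITE)]  # assumed default
USER_DACL = SCHEMA_DEFAULT_ACES + inherit(OU_DACL)
USER_TOKEN = {"Everyone", "Authenticated Users"}


def windows_2000_result():
    """Explicit ALLOW sorts ahead of the inherited DENY, so WRITE is granted."""
    return access_check(USER_DACL, USER_TOKEN, WRITE)


def windows_nt4_result():
    """NT 4.0 has no inheritance: propagated entries are explicit, so the DENY
    sorts to the top and WRITE is refused."""
    flat = [Ace(a.kind, a.trustee, a.mask, inherited=False) for a in USER_DACL]
    return access_check(flat, USER_TOKEN, WRITE)


def explicit_deny_on_child_result():
    """Placing the DENY explicitly on the user object restores the refusal,
    because an explicit DENY precedes every ALLOW."""
    child_deny = [Ace("deny", "Everyone", WRITE)]
    return access_check(USER_DACL + child_deny, USER_TOKEN, WRITE)


if __name__ == "__main__":
    print("Windows 2000, inherited DENY vs explicit ALLOW:", windows_2000_result())
    print("Windows NT 4.0, all entries explicit:", windows_nt4_result())
    print("Windows 2000, DENY placed explicitly on child:", explicit_deny_on_child_result())
```

The third function shows the practical consequence for an administrator: a DENY that must hold on subordinate objects has to be applied to those objects explicitly (or the conflicting default ALLOW removed), because inheritance alone will not override an explicit grant.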

Modification Type: Major
Last Reviewed: 10/6/2003
Keywords: kbenv kbinfo KB233419