Permission Inheritance Behavior Between Windows 2000 and Windows NT 4.0 (287024)



The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows NT Server 4.0

This article was previously published under Q287024

SUMMARY

This article describes how the inheritance security model functions in a mixed environment (Windows 2000 and Windows NT 4.0).

Windows 2000 added significant enhancements to the Windows Access Control Model over earlier versions of Windows. As a result, there are additional complexities when you view or modify Access Control Lists (ACLs) between Windows 2000 and earlier versions of Windows (for example, Windows NT 4.0). In some cases, if you turn on new features you cannot view or edit the permissions from a Windows NT 4.0 operating system.

A best practice is to always use the same version of operating system (Windows NT 4.0 or Windows 2000) to view and edit ACLs created by that operating system. If you modify with a Windows 2000 computer an ACL that was created with Windows NT 4.0, use Windows 2000 to view and edit ACLs from that time forward.

MORE INFORMATION

Windows 2000 introduces the inheritance security model that enables a child object to "inherit" the permissions that are defined on the parent. This behavior differs from the legacy model (Windows NT 3.51 and 4.0) where security is explicitly defined for each object.

Viewing Permissions Set by Windows 2000 on a Windows NT 4.0-Based Computer

On a Windows NT 4.0-based computer, if you view the permissions on a file or a registry key that was edited by the Windows 2000 access control list (ACL) editor, and the file or key contains inherited permissions, the ACL editor reports those permissions as explicitly defined. The permissions are displayed in the ACL editor as if they were explicitly defined on the child object.

However, if the Windows 2000-based computer has enabled any of the extended attributes, such as Deny, the permissions are displayed differently. You can read the extended attributes only from a Windows 2000-based computer, or from a Windows NT 4.0-based computer that uses the Windows 2000-style ACL editor included with the Security Templates. In the updated editor for Windows NT 4.0, the extended attributes are displayed as the inheritance status of the permissions that are inherited. For more information about Security Templates, see the Microsoft Knowledge Base articles that are listed at the end of this article.

When you try to view permissions that contain extended attributes by using a Windows NT 4.0-based computer that does not have Security Templates, the following message is displayed:

The security information for path is not standard and cannot be displayed. Windows NT 3.x and Windows NT 4.0 support certain features such as DenyAccess Control Entries but cannot edit security information which uses these features. The information may have been modified by a computer running Windows NT 5.0, which supports these features and can edit information that uses them.

Do you want to overwrite the current security information?

If you click Yes, you are prompted to create new permissions for the target. The permissions that you enter overwrite all the existing permissions. It is not recommended that you overwrite the permissions unless you are intending to re-create them. Instead, use the Windows 2000 ACL editor or the Windows 2000-style ACL editor for Windows NT 4.0 that is included with the Security Templates.

Viewing Permissions Set by Windows NT 4.0 on a Windows 2000-Based Computer

In Windows NT 4.0, you cannot enable inherited permissions. When a Windows 2000 ACL editor views the permissions, it checks whether the permissions on the parent and the child qualify as inherited; in other words, it checks whether the parent and child permissions match. The check is done for each entry: entries that match are displayed as inherited, and entries that do not match are displayed as explicitly defined. Therefore, if the permissions match, the permissions on the child are displayed as inherited, even though a Windows NT 4.0 ACL editor defined them explicitly.

If, on the Windows NT 4.0-based computer, you change permissions that previously qualified as inherited so that they no longer match, the Inheritance check box is shown cleared when you view the object on a Windows 2000-based computer. You would see the same result if you modified the inherited permissions on a child object in Windows 2000.

When you view the Windows NT 4.0 permissions from a Windows 2000-based computer, the permissions on the current folder and its subfolders are not changed. The ACL is rewritten in the Windows 2000 format, which sets the inheritance bit, only when you change the permissions from the Windows 2000-based computer. When you then view the updated permissions from a Windows NT 4.0-based computer, they follow the behavior described in the preceding section.
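The following Python model illustrates the two display behaviors described above: how the original Windows NT 4.0 editor shows inherited entries as explicit and refuses an ACL containing a Deny entry, and how the Windows 2000 editor decides, entry by entry, whether an NT 4.0-format ACE is shown as inherited, followed by the rewrite that stamps the inheritance bit once permissions are changed from Windows 2000. This is an added example, not code from the article or from Microsoft. The ACE type and flag values are the real constants from winnt.h; the definition of a "matching" entry (same trustee, type and access mask), the modelling of Deny as the only extended attribute, the check-box rule, and the sample ACLs are constructed assumptions.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

# Real ACE type and flag values from winnt.h in the Windows SDK.
ACCESS_ALLOWED_ACE_TYPE = 0x0
ACCESS_DENIED_ACE_TYPE = 0x1
OBJECT_INHERIT_ACE = 0x01      # ACE propagates to child files
CONTAINER_INHERIT_ACE = 0x02   # ACE propagates to child folders
INHERITED_ACE = 0x10           # set by Windows 2000 on an ACE that came from the parent

# Generic access rights, also from winnt.h.
GENERIC_READ = 0x80000000
GENERIC_ALL = 0x10000000


@dataclass(frozen=True)
class Ace:
    trustee: str    # account name standing in for a SID (constructed sample data)
    ace_type: int   # ACCESS_ALLOWED_ACE_TYPE or ACCESS_DENIED_ACE_TYPE
    mask: int       # access mask
    flags: int = 0  # inheritance flags; always 0 on an ACL written by Windows NT 4.0

    def same_permission_as(self, other: "Ace") -> bool:
        # Assumption: "match" means same trustee, ACE type and access mask.
        # Flags are ignored because an NT 4.0-written ACE never carries them.
        return (self.trustee, self.ace_type, self.mask) == \
               (other.trustee, other.ace_type, other.mask)


Entry = Tuple[str, int, str]  # (trustee, mask, "inherited" or "explicit")


def nt4_editor_view(acl: List[Ace]) -> Dict[str, object]:
    """Model of the original Windows NT 4.0 ACL editor (no Security Templates).

    A Deny ACE is an extended attribute it cannot show, so the ACL is reported
    as not standard (only the Deny case is modelled; assumption). Otherwise every
    ACE, inherited or not, is listed as if it were explicitly defined.
    """
    if any(ace.ace_type == ACCESS_DENIED_ACE_TYPE for ace in acl):
        return {"standard": False, "entries": []}
    return {"standard": True,
            "entries": [(ace.trustee, ace.mask, "explicit") for ace in acl]}


def w2k_editor_view(parent_acl: List[Ace], child_acl: List[Ace]) -> Dict[str, object]:
    """Model of the Windows 2000 ACL editor's per-entry inheritance check.

    An ACE already flagged INHERITED_ACE is shown as inherited. An unflagged
    ACE (NT 4.0 format) is shown as inherited only if the parent holds a
    matching ACE; otherwise it is shown as explicitly defined. The Inheritance
    check box is modelled as set when at least one entry displays as inherited
    (assumption).
    """
    entries: List[Entry] = []
    for ace in child_acl:
        inherited = bool(ace.flags & INHERITED_ACE) or \
            any(ace.same_permission_as(p) for p in parent_acl)
        entries.append((ace.trustee, ace.mask, "inherited" if inherited else "explicit"))
    return {"inherit_from_parent": any(e[2] == "inherited" for e in entries),
            "entries": entries}


def rewrite_in_w2k_format(parent_acl: List[Ace], child_acl: List[Ace]) -> List[Ace]:
    """The rewrite that happens once permissions are changed from Windows 2000:
    entries that matched the parent get INHERITED_ACE; the rest stay explicit."""
    return [replace(ace, flags=ace.flags | INHERITED_ACE)
            if any(ace.same_permission_as(p) for p in parent_acl) else ace
            for ace in child_acl]


# Constructed sample data: a folder ACL and the ACL of a file created under it
# while Windows NT 4.0 managed the permissions (so no inheritance flags).
INHERIT_BOTH = CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE
PARENT_ACL = [
    Ace("BUILTIN\\Administrators", ACCESS_ALLOWED_ACE_TYPE, GENERIC_ALL, INHERIT_BOTH),
    Ace("BUILTIN\\Users", ACCESS_ALLOWED_ACE_TYPE, GENERIC_READ, INHERIT_BOTH),
]
CHILD_ACL_NT4 = [
    Ace("BUILTIN\\Administrators", ACCESS_ALLOWED_ACE_TYPE, GENERIC_ALL),
    Ace("BUILTIN\\Users", ACCESS_ALLOWED_ACE_TYPE, GENERIC_READ),
    Ace("EXAMPLE\\alice", ACCESS_ALLOWED_ACE_TYPE, GENERIC_ALL),  # not on the parent
]

if __name__ == "__main__":
    print("NT 4.0 editor, NT 4.0 ACL:", nt4_editor_view(CHILD_ACL_NT4))
    print("Windows 2000 editor, NT 4.0 ACL:", w2k_editor_view(PARENT_ACL, CHILD_ACL_NT4))
    rewritten = rewrite_in_w2k_format(PARENT_ACL, CHILD_ACL_NT4)
    print("NT 4.0 editor, rewritten ACL:", nt4_editor_view(rewritten))
    with_deny = rewritten + [Ace("EXAMPLE\\bob", ACCESS_DENIED_ACE_TYPE, GENERIC_ALL)]
    print("NT 4.0 editor, ACL with Deny:", nt4_editor_view(with_deny))
```

Running the script walks through the round trip the article describes: the Administrators and Users entries on the NT 4.0-created file display as inherited in the Windows 2000 editor because they match the folder, alice's entry displays as explicit, the NT 4.0 editor lists all three as explicit even after the rewrite has set INHERITED_ACE, and adding a Deny entry makes the NT 4.0 editor report the ACL as not standard.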

When you install the Security Configuration Manager on a Windows NT 4.0-based computer, the Windows 2000-style editor replaces the existing editor. In this case, the Windows NT 4.0-based computer views and edits permissions in the same way as a Windows 2000-based computer. To provide a consistent ACL editor for both platforms, you can install the Security Templates on the Windows NT 4.0-based computer.

For additional information, click the article numbers below to view the articles in the Microsoft Knowledge Base:

195227 SP4 Security Configuration Manager Available for Download

195509 Installing SCM from SP4 Changes Windows NT 4.0 ACL Editor

223441 How to Reset ACL Inheritance in the Windows 2000 File System

178170 ACL Editor and Inheritance of Permissions

231903 Access Control Entry Inheritance Changes in Windows 2000


Modification Type: Minor
Last Reviewed: 1/18/2006
Keywords:kbACL kbinfo KB287024