Changing inherited permissions

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Inheritance for all objects

If the check boxes are shaded when you view the permissions of an object, the object has inherited permissions from the parent object. There are three ways to make changes to inherited permissions:

  • Make the changes to the parent object, and then the child object will inherit these permissions.

  • Select the opposite permission (Allow or Deny) to override the inherited permission.

  • Clear the "Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here" check box. Then you can make changes to the permissions or remove users or groups from the Permissions list. However, the object will no longer inherit permissions from the parent object.

Notes

  • Inherited Deny permissions do not prevent access to an object if the object has an explicit Allow permission entry.

  • Explicit permissions take precedence over inherited permissions, even inherited Deny permissions. For more information, see Explicit vs. inherited permissions.
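
Why an explicit Allow wins over an inherited Deny, shown as an added example that is not part of the original page: a simplified Python model of ACE ordering (explicit entries before inherited ones, Deny before Allow within each group) and first-match evaluation. The rights bits, trustee names and function names are constructed for illustration and are not a Windows API.

```python
from dataclasses import dataclass

READ, WRITE = 0x1, 0x2  # constructed rights bits for this example

@dataclass(frozen=True)
class Ace:
    kind: str        # "allow" or "deny"
    trustee: str     # user or group the entry applies to
    mask: int        # rights covered by this entry
    depth: int = 0   # 0 = explicit on the object, 1 = parent, 2 = grandparent

def canonical_order(aces):
    """Explicit entries first, then inherited by distance; Deny before Allow in each group."""
    return sorted(aces, key=lambda a: (a.depth, a.kind != "deny"))

def access_check(aces, trustees, desired):
    """Walk the ordered list; the first entry that settles a requested right wins."""
    remaining = desired
    for ace in canonical_order(aces):
        if ace.trustee not in trustees or not (ace.mask & remaining):
            continue
        if ace.kind == "deny":
            return False          # a still-undecided right is denied
        remaining &= ~ace.mask    # these rights are now granted
        if remaining == 0:
            return True
    return False                  # nothing granted every requested right

def demo():
    alice = {"alice", "Users"}    # constructed user and group membership
    inherited_deny = Ace("deny", "Users", WRITE, depth=1)
    inherited_allow = Ace("allow", "Users", READ | WRITE, depth=1)
    explicit_allow = Ace("allow", "alice", WRITE)
    explicit_deny = Ace("deny", "alice", WRITE)
    return {
        "inherited_only": access_check([inherited_allow, inherited_deny], alice, WRITE),
        "explicit_allow_over_inherited_deny": access_check([inherited_deny, explicit_allow], alice, WRITE),
        "explicit_deny_over_inherited_allow": access_check([inherited_allow, explicit_deny], alice, WRITE),
        "read_still_inherited": access_check([inherited_allow, inherited_deny, explicit_allow], alice, READ),
    }

if __name__ == "__main__":
    for case, granted in demo().items():
        print(f"{case}: {'granted' if granted else 'denied'}")
```

When auditing, treat an inherited Deny as a default that any explicit Allow on a child can bypass, and review explicit entries on child objects accordingly.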

On the Advanced page, in Permission entries, the Apply To column lists what folders or subfolders a permission is applied to. The Inherited From column lists where the permissions have been inherited from.

You can use the Apply onto field to select the folders or subfolders you would like permissions to be applied to. For more information, see Explicit vs. inherited permissions.

If the Special Permissions entry in Permissions for User or Group is shaded, it does not imply that this permission has been inherited. Instead, it means that a special permission has been selected. For more information, see Set, view, change, or remove special permissions and Selecting where to apply permissions.

Inheritance for Active Directory objects

For Active Directory objects, when using the Apply onto option to control inheritance, be aware that not only will the objects specified in the Apply onto field inherit that access control entry (ACE), but all child objects will also receive a copy of that ACE. The child objects that are not specified in the Apply onto field will receive copies of the ACE but will not enforce it. If enough objects get copies of this ACE, the increased amount of data can cause serious performance problems for your network.

If you assign permissions to a parent object and want child objects to inherit these permission entries, you can keep performance optimal by making sure all the child objects have identical access control lists (ACLs). In the Windows Server 2003 family, single-instancing allows Active Directory to store only one copy of all identical ACLs. By creating ACLs that many objects can utilize, you can preserve the performance of your network.