Inherited Permissions

Applies To: Windows Server 2008

Inherited permissions are those that are propagated to an object from a parent object. Inherited permissions ease the task of managing permissions and ensure consistency of permissions among all objects within a given container.

Inheritance for all objects

If the Allow and Deny permission check boxes in the various parts of the access control user interface are shaded when you view the permissions of an object, the object has inherited permissions from the parent object. You can set these inherited permissions through the Permissions tab of the Advanced Security Settings Properties page. There are three recommended ways to make changes to inherited permissions:

  • Make the changes to the parent object where the permissions are explicitly defined, and then the child object will inherit these permissions.

  • Select the Allow permission to override the inherited Deny permission.

  • Clear the Include inheritable permissions from this object's parent check box. Then you can make changes to the permissions or remove users or groups from the Permissions list. However, the object will no longer inherit permissions from the parent object.

Note

Inherited Deny permissions do not prevent access to an object if the object has an explicit Allow permission entry.

Note

Explicit permissions take precedence over inherited permissions, even inherited Deny permissions.

If the Special Permissions entry in Permissions for <User or Group> is shaded, it does not imply that this permission has been inherited. Shading on this entry means that a special permission has been selected.

On the Permissions tab of the Advanced Security Settings for <Folder> page, in Permission entries, the Apply To column lists what folders or subfolders a permission is applied to. The Inherited From column lists where the permissions have been inherited from.

You can use the Apply onto field of the Permission Entry for <Folder> page to select the folders or subfolders you would like permissions to be applied to.
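
The following is an added example, not part of the original article: a PowerShell function that audits a folder tree for the two conditions described above, objects where the Include inheritable permissions check box has been cleared, and objects where an explicit Allow entry overlaps an inherited Deny entry for the same trustee. It assumes PowerShell 3.0 or later and that the root is a folder; the function name and the path D:\Shares\Finance are hypothetical.

```powershell
# Added example, not Microsoft's code. Assumes PowerShell 3.0 or later.
# Get-InheritanceFinding and D:\Shares\Finance are hypothetical names.
function Get-InheritanceFinding {
    param([string]$Root = 'D:\Shares\Finance')

    $items = @(Get-Item -LiteralPath $Root -Force) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }   # unreadable ACL: skip rather than guess

        # True when "Include inheritable permissions from this object's parent"
        # has been cleared, so changes on the parent no longer reach this object.
        if ($acl.AreAccessRulesProtected) {
            [pscustomobject]@{ Path = $item.FullName; Finding = 'InheritanceBlocked'
                               Identity = $null; Rights = $null }
        }

        $inheritedDeny = @($acl.Access | Where-Object {
            $_.IsInherited -and $_.AccessControlType -eq 'Deny' })
        $explicitAllow = @($acl.Access | Where-Object {
            -not $_.IsInherited -and $_.AccessControlType -eq 'Allow' })

        foreach ($deny in $inheritedDeny) {
            foreach ($allow in $explicitAllow) {
                # Exact trustee match only; group membership is not expanded.
                if ($allow.IdentityReference.Value -ne $deny.IdentityReference.Value) { continue }

                # Rights named by both entries: the explicit Allow wins for these.
                $overlap = [int]$allow.FileSystemRights -band [int]$deny.FileSystemRights
                if ($overlap -ne 0) {
                    [pscustomobject]@{
                        Path     = $item.FullName
                        Finding  = 'ExplicitAllowOverInheritedDeny'
                        Identity = $allow.IdentityReference.Value
                        Rights   = [System.Security.AccessControl.FileSystemRights]$overlap
                    }
                }
            }
        }
    }
}

# Get-InheritanceFinding -Root 'D:\Shares\Finance' | Format-Table -AutoSize
```

Because only exact trustee matches are compared, an explicit Allow for a user that overlaps an inherited Deny for one of that user's groups is not reported.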

Inheritance for Active Directory objects

For Active Directory objects, when you use an Apply onto option to control inheritance, be aware that the objects specified in the Apply onto field are not the only ones that inherit that access control entry (ACE): all child objects also receive a copy of that ACE. The child objects that are not specified in the Apply onto box receive copies of the ACE but do not enforce it. If enough objects receive copies of this ACE, the increased amount of data can cause serious performance problems on your network.

If you assign permissions to a parent object and want child objects to inherit these permission entries, you can keep performance optimal by making sure all the child objects have identical access control lists (ACLs). In Windows Server 2003, single-instancing allows Active Directory to store only one copy of all identical ACLs. By creating ACLs that many objects can use, you can preserve the performance of your network.

For more information about permissions, see the following topics:

For more information about permissions for Active Directory objects, see Access control in Active Directory (https://go.microsoft.com/fwlink/?LinkId=63972).