The fixupInheritance attribute permits administrative tools to request that the DC recompute inherited security permissions on objects to ensure that they conform to the security descriptor requirements (see section 6.1.3), in case the current state of the permissions on the object is erroneous. This operation is not necessary on a correctly functioning DC. The requester must have the "Recalculate-Security-Inheritance" control access right on the nTDSDSA object for the DC. The LDAP operation returning success means the system accepts the request to perform security-descriptor propagation.
This operation is triggered by setting the fixupInheritance attribute to "1".
The following shows an LDIF sample that performs this operation.
dn:
changetype: modify
add: fixupInheritance
fixupInheritance: 1
-
In Windows Server 2003 operating system and later, setting the fixupInheritance attribute to the special values "forceupdate" and "downgrade" has effects outside the state model.
In Windows Server 2003 and later, the fixupInheritance attribute can trigger security-descriptor propagation under an object, specified using an identifier outside the state model, rather than throughout the directory. This is performed by setting the fixupInheritance attribute to the string "dnt:" followed by an implementation-specific identifier representing the object. Consider the following example.
dn:
changetype: modify
add: fixupInheritance
fixupInheritance: dnt:54758
-
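Because the operation is gated by the "Recalculate-Security-Inheritance" control access right on the DC's nTDSDSA object, an administrator can review which principals hold that right. The following PowerShell is an added example, not part of the original specification; it assumes the ActiveDirectory module (RSAT) is installed and that the caller can read the nTDSDSA object's security descriptor.

```powershell
# Added example: list Allow ACEs on a DC's nTDSDSA object that grant the
# Recalculate-Security-Inheritance control access right.
Import-Module ActiveDirectory

# Bind to the default DC; add -Server <name> to audit a specific DC.
$root    = Get-ADRootDSE
$ntdsDsa = $root.dsServiceName          # DN of this DC's nTDSDSA object

# Resolve the right's GUID from the Extended-Rights container instead of
# hard-coding it.
$right = Get-ADObject `
    -SearchBase "CN=Extended-Rights,$($root.configurationNamingContext)" `
    -LDAPFilter '(&(objectClass=controlAccessRight)(cn=Recalculate-Security-Inheritance))' `
    -Properties rightsGuid
if (-not $right) {
    throw 'controlAccessRight object Recalculate-Security-Inheritance not found'
}
$rightGuid = [guid]$right.rightsGuid

$extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# An ACE grants the right if it allows ExtendedRight (GenericAll includes it)
# and is scoped either to this right's GUID or to all extended rights
# (empty ObjectType). Deny ACEs and group nesting are not evaluated here.
(Get-Acl -Path "AD:\$ntdsDsa").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $extended) -and
        ($_.ObjectType -eq $rightGuid -or $_.ObjectType -eq [guid]::Empty)
    } |
    Sort-Object IdentityReference |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited
```

The output lists candidate grants only; effective access also depends on Deny ACEs and on the group memberships of each listed principal.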