Inherited Permissions

Applies To: Windows 7, Windows Server 2008 R2

Inherited permissions are those that are propagated to an object from a parent object. Inherited permissions ease the task of managing permissions and ensure consistency of permissions among all objects within a given container.

Inheritance for all objects

If the Allow and Deny permission check boxes in the various parts of the access control user interface are shaded when you view the permissions of an object, the object has inherited permissions from a parent object. You can set these inherited permissions by using the Permissions tab of the Advanced Security Settings properties page.

There are three recommended ways to make changes to inherited permissions:

  • Make the changes to the parent object where the permissions are explicitly defined, and then the child object will inherit these permissions. For more information, see Set, View, Change, or Remove Permissions on an Object.

  • Select the Allow permission to override the inherited Deny permission.

  • Clear the Include inheritable permissions from this object's parent check box. Then you can make changes to the permissions or remove users or groups from the Permissions list. However, the object will no longer inherit permissions from the parent object.

Note

Inherited Deny permissions do not prevent access to an object if the object has an explicit Allow permission entry.

Note

Explicit permissions take precedence over inherited permissions, even inherited Deny permissions.

If the Special Permissions entry in Permissions for <User or Group> is shaded, it does not imply that this permission has been inherited. Instead, it means that a special permission has been selected.

On the Permissions tab of the Advanced Security Settings for <Folder> page, in Permission entries, the Apply To column lists what folders or subfolders a permission is applied to. The Inherited From column lists where the permissions have been inherited from.

You can use the Apply To field of the Permission Entry for <Folder> page to select the folders or subfolders you want permissions to be applied to.

For more information about how to complete these tasks, see Set, View, Change, or Remove Permissions on an Object and Determine Where to Apply Permissions.
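The same information can be reviewed from PowerShell. The script below is an added example, not part of the original article: it lists each permission entry on a folder as explicit or inherited, approximates the Apply To column from the entry's inheritance flags, and flags identities that have both an inherited Deny and an explicit Allow. The default path (the current directory) and the helper name Get-ApplyToLabel are assumptions made for illustration.

```powershell
# Added example. $Path defaults to the current directory (an assumption);
# pass the folder you want to review.
param([string]$Path = '.')

# Hypothetical helper: turns an ACE's inheritance flags into a label that
# approximates the "Apply To" column of Advanced Security Settings.
function Get-ApplyToLabel {
    param($Rule)
    $inherit   = [int]$Rule.InheritanceFlags
    $propagate = [int]$Rule.PropagationFlags
    $ci = ($inherit -band [int][System.Security.AccessControl.InheritanceFlags]::ContainerInherit) -ne 0
    $oi = ($inherit -band [int][System.Security.AccessControl.InheritanceFlags]::ObjectInherit) -ne 0
    $io = ($propagate -band [int][System.Security.AccessControl.PropagationFlags]::InheritOnly) -ne 0
    $np = ($propagate -band [int][System.Security.AccessControl.PropagationFlags]::NoPropagateInherit) -ne 0

    $scope = @()
    if (-not $io) { $scope += 'this folder' }
    if ($ci)      { $scope += 'subfolders' }
    if ($oi)      { $scope += 'files' }
    $label = $scope -join ', '
    if ($np) { $label += ' (direct children only)' }
    $label
}

$acl = Get-Acl -Path $Path

# True when "Include inheritable permissions from this object's parent" is cleared.
"Inheritance from parent blocked: $($acl.AreAccessRulesProtected)"

$acl.Access |
    Select-Object IdentityReference, AccessControlType, FileSystemRights,
        @{ Name = 'Source';  Expression = { if ($_.IsInherited) { 'Inherited' } else { 'Explicit' } } },
        @{ Name = 'ApplyTo'; Expression = { Get-ApplyToLabel $_ } } |
    Format-Table -AutoSize

# Explicit entries take precedence over inherited ones, so an explicit Allow can
# override an inherited Deny. This matches on the same identity only; it does not
# expand group membership or compare the specific rights involved.
$inheritedDeny = @($acl.Access | Where-Object { $_.IsInherited -and $_.AccessControlType -eq 'Deny' })
$explicitAllow = @($acl.Access | Where-Object { -not $_.IsInherited -and $_.AccessControlType -eq 'Allow' })
foreach ($deny in $inheritedDeny) {
    foreach ($allow in $explicitAllow) {
        if ($allow.IdentityReference.Value -eq $deny.IdentityReference.Value) {
            Write-Warning ("{0}: explicit Allow ({1}) alongside inherited Deny ({2})" -f `
                $deny.IdentityReference.Value, $allow.FileSystemRights, $deny.FileSystemRights)
        }
    }
}
```

Get-Acl does not report which parent an inherited entry came from, so the Inherited From column still has to be read in the Advanced Security Settings page.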

Inheritance for Active Directory objects

If you use an Apply To option to control inheritance for Active Directory objects, be aware that the objects specified in the Apply To box inherit that access control entry (ACE), and all other child objects also receive a copy of it. The child objects that are not specified in the Apply To box receive copies of the ACE but do not enforce it. If enough objects receive copies of this ACE, the increased amount of data can cause serious performance problems on your network.

If you assign permissions to a parent object and want child objects to inherit these permission entries, you can keep performance optimal by making sure all the child objects have identical access control lists (ACLs). In Windows, single-instancing allows Active Directory Domain Services (AD DS) to store only one copy of all identical ACLs. By creating ACLs that many objects can use, you can preserve the performance of your network.
