Automatic Propagation of Inheritable ACEs

[This is preliminary documentation and subject to change.]

In Windows NT versions 4.0 and earlier, a securable object could inherit ACEs only when it was being created or when a new ACL was being applied to the object. The system did not propagate inheritable ACEs to existing child objects. The system did not differentiate between inherited ACEs and ACEs that were applied directly to the object. The system did not allow an object to protect itself from inherited ACEs.

For Windows NT version 5.0 and later, the SetNamedSecurityInfoEx and SetSecurityInfoEx functions support automatic propagation of inheritable ACEs. For example, if you use these functions to add an inheritable ACE to a directory in an NTFS file system, the system applies the ACE as appropriate to the ACLs of any subdirectories or files.

Windows NT version 5.0 also introduces a new inheritance model in which directly applied ACEs have precedence over inherited ACEs. The system implements this precedence by placing directly applied ACEs ahead of inherited ACEs in a DACL. Earlier versions of Windows NT did not distinguish between inherited and directly applied ACEs. Consequently, the order of ACEs in a DACL is different for the current and the previous inheritance models. When you call SetNamedSecurityInfoEx and SetSecurityInfoEx to set an object's security information, the system imposes. the new inheritance model on the ACLs of all objects in the hierarchy below the target object. For objects that have been converted to the new inheritance model, the SE_DACL_AUTO_INHERITED and SE_SACL_AUTO_INHERITED bits are set in the control field of the object's security descriptor.

The system uses the following rules for propagating inherited ACEs to child objects.

• If a child object with no DACL inherits an ACE, the result is a child object with a DACL containing only the inherited ACE.
• If a child object with an empty DACL inherits an ACE, the result is a child object with a DACL containing only the inherited ACE.
• If you remove an inheritable ACE from a parent object, automatic inheritance removes any copies of the ACE inherited by child objects.
• If automatic inheritance results in the removal of all ACEs from a child object's DACL, the child object has an empty DACL rather than no DACL.

These rules can have the unexpected result of converting an object with no DACL to an object with an empty DACL. An object with no DACL allows full access, but an object with an empty DACL allows no access. As an example of how these rules can create an empty DACL, suppose you add an inheritable ACE to the root object of a tree of objects. Automatic inheritance propagates the inheritable ACE to all the objects in the tree. Child objects that started with no DACL now have a DACL with the inherited ACE. If you remove the inheritable ACE from the root object, the system automatically propagates the change to the child objects. Child objects that started with no DACL (allowing full access) now have an empty DACL (allowing no access).

To ensure that a child object with no DACL is not affected by inheritable ACEs, set the SE_DACL_PROTECTED flag in the object's security descriptor.