ACE Inheritance Rules

The system propagates inheritable ACEs to child objects according to a set of inheritance rules. The system places inherited ACEs in the child's DACL according to the preferred order of ACEs in a DACL. For Windows 2000 (Windows NT 5.0) and later, the system sets the INHERITED_ACE flag in every inherited ACE; this flag is what lets the system, and tools that edit security descriptors, tell inherited ACEs apart from ACEs that were set explicitly on the object.

The following table shows the ACEs inherited by container and noncontainer child objects for each combination of the inheritance flags OBJECT_INHERIT_ACE, CONTAINER_INHERIT_ACE and NO_PROPAGATE_INHERIT_ACE. These inheritance rules work the same for both DACLs and SACLs.

Parent ACE type: effect on child ACL

OBJECT_INHERIT_ACE only
    Noncontainer child objects: inherited as an effective ACE. The inheritance flags are not carried over, so the ACE ends with this child.
    Container child objects: inherit an inherit-only ACE that still carries OBJECT_INHERIT_ACE, so it can reach the container's own noncontainer children. If NO_PROPAGATE_INHERIT_ACE is also set, the container inherits nothing.

CONTAINER_INHERIT_ACE only
    Noncontainer child objects: no effect on the child object.
    Container child objects: inherit an effective ACE. The inherited ACE remains inheritable unless NO_PROPAGATE_INHERIT_ACE is also set, in which case the inheritance flags are cleared on the copy.

CONTAINER_INHERIT_ACE and OBJECT_INHERIT_ACE
    Noncontainer child objects: inherited as an effective ACE.
    Container child objects: inherit an effective ACE. The inherited ACE remains inheritable unless NO_PROPAGATE_INHERIT_ACE is also set, in which case the inheritance flags are cleared on the copy.

No inheritance flags set
    No effect on child container or noncontainer objects.

If an inherited ACE is an effective ACE for the child object, the system maps any generic rights (GENERIC_READ, GENERIC_WRITE, GENERIC_EXECUTE, GENERIC_ALL) to the specific rights for the child's object type. Similarly, the system maps generic SIDs, such as CREATOR_OWNER and CREATOR_GROUP, to the SID of the child's actual owner or primary group. If an inherited ACE is an inherit-only ACE, any generic rights or generic SIDs are left unchanged so they can be mapped appropriately when the ACE is inherited by the next generation of child objects.

When a container object inherits an ACE that is both effective on the container and inheritable by its descendants, the container may end up with two inherited ACEs instead of one. This occurs if the inheritable ACE contains generic information (generic rights or a generic SID). The container inherits an inherit-only ACE that preserves the generic information for its own children, and an effective-only ACE in which the generic information has been mapped. Anyone parsing a DACL should therefore expect to see such pairs on directories and other containers and should not treat them as duplicates.
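The inheritance table and the generic-mapping rules above are easy to get wrong when auditing or rewriting ACLs by hand, so here is a small model of them, added as an example and not code from the original page. Given one inheritable parent ACE and the kind of child being created, inherit() returns the ACE(s) the child would receive with the flags the rules dictate, including the inherit-only plus effective-only pair for a container. Generic rights are mapped with the file object's GENERIC_MAPPING (the FILE_GENERIC_* values from winnt.h) and CREATOR_OWNER / CREATOR_GROUP are resolved to the owner and group SIDs passed in; the SIDs in the usage at the bottom are constructed sample values. The constants are the winnt.h values, the SID strings are assumptions for illustration.

```python
"""Model of the Windows ACE inheritance rules for one parent ACE."""
from dataclasses import dataclass

# AceFlags bits (winnt.h)
OBJECT_INHERIT_ACE = 0x01
CONTAINER_INHERIT_ACE = 0x02
NO_PROPAGATE_INHERIT_ACE = 0x04
INHERIT_ONLY_ACE = 0x08
INHERITED_ACE = 0x10
INHERITANCE_BITS = (OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE
                    | NO_PROPAGATE_INHERIT_ACE | INHERIT_ONLY_ACE)

# Generic access rights and the file-object rights they map to (winnt.h)
GENERIC_READ, GENERIC_WRITE = 0x80000000, 0x40000000
GENERIC_EXECUTE, GENERIC_ALL = 0x20000000, 0x10000000
GENERIC_BITS = GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | GENERIC_ALL
FILE_GENERIC_MAPPING = {
    GENERIC_READ: 0x00120089,     # FILE_GENERIC_READ
    GENERIC_WRITE: 0x00120116,    # FILE_GENERIC_WRITE
    GENERIC_EXECUTE: 0x001200A0,  # FILE_GENERIC_EXECUTE
    GENERIC_ALL: 0x001F01FF,      # FILE_ALL_ACCESS
}

# Well-known generic SIDs that are resolved when an ACE becomes effective
CREATOR_OWNER = "S-1-3-0"
CREATOR_GROUP = "S-1-3-1"


@dataclass(frozen=True)
class Ace:
    sid: str
    mask: int
    flags: int


def has_generic_info(ace: Ace) -> bool:
    """True if the ACE carries generic rights or a creator SID that must be
    mapped before the ACE can be effective on a concrete object."""
    return bool(ace.mask & GENERIC_BITS) or ace.sid in (CREATOR_OWNER, CREATOR_GROUP)


def map_generic(ace: Ace, owner_sid: str, group_sid: str) -> Ace:
    """Resolve generic rights to file-specific rights and creator SIDs to the
    child's actual owner/group; everything else is left untouched."""
    mask = ace.mask & ~GENERIC_BITS
    for generic, specific in FILE_GENERIC_MAPPING.items():
        if ace.mask & generic:
            mask |= specific
    sid = {CREATOR_OWNER: owner_sid, CREATOR_GROUP: group_sid}.get(ace.sid, ace.sid)
    return Ace(sid, mask, ace.flags)


def inherit(parent: Ace, child_is_container: bool,
            owner_sid: str, group_sid: str) -> list[Ace]:
    """Apply the inheritance table to one parent ACE for one child object."""
    oi = bool(parent.flags & OBJECT_INHERIT_ACE)
    ci = bool(parent.flags & CONTAINER_INHERIT_ACE)
    no_propagate = bool(parent.flags & NO_PROPAGATE_INHERIT_ACE)
    if not (oi or ci):
        return []  # no inheritance flags: no effect on any child
    # Every inherited copy is tagged INHERITED_ACE; inheritance bits are recomputed.
    base = (parent.flags & ~INHERITANCE_BITS) | INHERITED_ACE

    if not child_is_container:
        # Noncontainers: OBJECT_INHERIT_ACE yields an effective, non-inheritable
        # ACE with generic info mapped; CONTAINER_INHERIT_ACE alone does nothing.
        if not oi:
            return []
        return [map_generic(Ace(parent.sid, parent.mask, base), owner_sid, group_sid)]

    # Containers: OI/CI are carried on unless NO_PROPAGATE_INHERIT_ACE stops them.
    carried = 0 if no_propagate else parent.flags & (OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE)
    if not ci:
        # OBJECT_INHERIT_ACE only: the container is just a conduit to its files,
        # so it gets an inherit-only copy with generic info kept, or nothing.
        if no_propagate:
            return []
        return [Ace(parent.sid, parent.mask, base | carried | INHERIT_ONLY_ACE)]

    effective = map_generic(Ace(parent.sid, parent.mask, base), owner_sid, group_sid)
    if carried and has_generic_info(parent):
        # Effective here and inheritable below: split into an inherit-only ACE
        # that preserves the generic info and an effective-only mapped ACE.
        return [Ace(parent.sid, parent.mask, base | carried | INHERIT_ONLY_ACE),
                effective]
    return [Ace(effective.sid, effective.mask, base | carried)]


if __name__ == "__main__":
    # Constructed sample SIDs for the child's owner and primary group.
    owner, group = "S-1-5-21-1-2-3-1001", "S-1-5-21-1-2-3-513"
    parent_ace = Ace(CREATOR_OWNER, GENERIC_ALL, OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE)
    for kind in (False, True):
        for ace in inherit(parent_ace, kind, owner, group):
            print("container" if kind else "file", ace.sid, hex(ace.mask), hex(ace.flags))
```

Running the usage at the bottom shows the asymmetry the text describes: the file child gets a single effective ACE for the actual owner with FILE_ALL_ACCESS, while the directory child gets two ACEs, an inherit-only one that still names CREATOR_OWNER with GENERIC_ALL and an effective-only one that has been mapped. Real resource managers use their own GENERIC_MAPPING, so swap FILE_GENERIC_MAPPING for the mapping of the object type you are modelling.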

An object-specific ACE has an InheritedObjectType member that can contain a GUID identifying the type of object that can inherit the ACE. If no InheritedObjectType GUID is specified, the inheritance rules for an object-specific ACE are the same as for a standard ACE.

If the InheritedObjectType GUID is specified, the ACE is inheritable by objects that match the GUID if OBJECT_INHERIT_ACE is set, and by containers that match the GUID if CONTAINER_INHERIT_ACE is set. Note that currently only directory service (Active Directory) objects support object-specific ACEs, and the directory service treats all object types as containers, so in practice CONTAINER_INHERIT_ACE is the flag that governs inheritance of object-specific ACEs there.