Access Control Entry Inheritance for Active Directory Objects

ID: Q221241


The information in this article applies to:
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server


SUMMARY

Windows 2000 Active Directory objects carry security descriptors much like those on files and folders on partitions using the NTFS file system. Their permissions differ from file system permissions in one respect: an access control entry's inheritance can be restricted to subordinate objects of a particular object type (schema class).

This information is configured in the Permission Entry dialog box. To open it, right-click the object in question, click Properties, click the Security tab, click Advanced, select the permission entry, and then click View/Edit.


MORE INFORMATION

For file system objects, an administrator can designate access control list (ACL) inheritance based on whether or not sub-objects are containers (folders) or non-containers (files), and for each supported combination of the container-inherit, object-inherit and inherit-only settings. For additional information, please see the following article in the Microsoft Knowledge Base:

Q220167 Understanding Container Access Inheritance Flags in Windows 2000
Active Directory objects support all of the inheritance options available for file system objects. They also offer an additional level of control in the Apply Onto box: the object-specific access control entry (ACE). An object-specific ACE can name an inherited object type; when one is set, the ACE is inherited as an effective entry only by subordinate objects whose object class is an exact match for the class named in the ACE.

This means that for Active Directory objects you can define inheritance not only on whether sub-objects are containers or leaf objects, but also on which specific object class a sub-object belongs to. The list of classes offered is taken from the schema, which defines every class that can be created beneath a given container class.

For example, Active Directory organizational units (OUs) are container objects that can contain contact objects, computer objects, group objects, user objects, and other OUs, as well as a long list of other object types. Using the ACL editor on an Active Directory object, it is possible to define access control entries whose inheritance is governed by the specific sub-object class. In this example, therefore, it is possible to create an access control entry on an organizational unit that is inherited only by subordinate contact objects. Note that a nested OU does not receive an effective copy of such an entry, but it does carry an inherit-only copy, so contact objects created under the nested OU still inherit the permission.
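The following is an added example, written for this page and not taken from Microsoft or the Knowledge Base, that shows what an object-specific ACE looks like on the wire and how its inherited object type interacts with the container-inherit, inherit-only and no-propagate flags as an OU's permissions flow down to subordinate objects. It encodes and decodes an ACCESS_ALLOWED_OBJECT_ACE using the layout published in MS-DTYP, then walks the inheritance rule for direct children of the OU. The class GUIDs are the schemaIDGUID values commonly documented for the contact, organizationalUnit and computer classes; they are assumptions here, and a tool should read them from the forest's schema partition rather than hard-code them. The SID and access mask are constructed sample data.

```python
"""Decode an Active Directory object-specific ACE and work out which child
objects inherit it.  Added example for this page, not Microsoft code.
Wire layout follows MS-DTYP ACCESS_ALLOWED_OBJECT_ACE:
  AceType(1) AceFlags(1) AceSize(2) Mask(4) Flags(4)
  [ObjectType GUID(16)] [InheritedObjectType GUID(16)] SID
"""
import struct
import uuid

# ACE header inheritance flags (the AceFlags byte)
OBJECT_INHERIT_ACE = 0x01
CONTAINER_INHERIT_ACE = 0x02
NO_PROPAGATE_INHERIT_ACE = 0x04
INHERIT_ONLY_ACE = 0x08
INHERITED_ACE = 0x10

# Object ACE body flags and type
ACE_OBJECT_TYPE_PRESENT = 0x1
ACE_INHERITED_OBJECT_TYPE_PRESENT = 0x2
ACCESS_ALLOWED_OBJECT_ACE_TYPE = 0x05

# Assumed schemaIDGUID values; read them from your schema partition in real use.
CONTACT_CLASS = uuid.UUID("5cb41ed0-0e4c-11d0-a286-00aa003049e2")
OU_CLASS = uuid.UUID("bf967aa5-0de6-11d0-a285-00aa003049e2")
COMPUTER_CLASS = uuid.UUID("bf967a86-0de6-11d0-a285-00aa003049e2")
GENERIC_ALL = 0x10000000


def sid_to_bytes(sid):
    """Encode 'S-1-5-21-...' into the binary SID structure."""
    parts = sid.split("-")
    subs = [int(p) for p in parts[3:]]
    authority = int(parts[2]).to_bytes(6, "big")
    return (struct.pack("<BB", int(parts[1]), len(subs)) + authority
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(data):
    rev, count = struct.unpack_from("<BB", data)
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, data, 8)
    return "S-%d-%d-%s" % (rev, authority, "-".join(str(s) for s in subs))


def build_object_ace(ace_flags, mask, sid, inherited_object_type=None):
    """Build ACCESS_ALLOWED_OBJECT_ACE bytes.  inherited_object_type is the
    class GUID that subordinate objects must have to inherit the entry."""
    body_flags, guids = 0, b""
    if inherited_object_type is not None:
        body_flags |= ACE_INHERITED_OBJECT_TYPE_PRESENT
        guids = inherited_object_type.bytes_le
    body = struct.pack("<II", mask, body_flags) + guids + sid_to_bytes(sid)
    header = struct.pack("<BBH", ACCESS_ALLOWED_OBJECT_ACE_TYPE, ace_flags, 4 + len(body))
    return header + body


def parse_object_ace(data):
    ace_type, ace_flags, size = struct.unpack_from("<BBH", data)
    if ace_type != ACCESS_ALLOWED_OBJECT_ACE_TYPE:
        raise ValueError("not an object ACE: type 0x%02x" % ace_type)
    mask, body_flags = struct.unpack_from("<II", data, 4)
    pos, obj_type, inh_type = 12, None, None
    if body_flags & ACE_OBJECT_TYPE_PRESENT:      # property/extended-right GUID
        obj_type = uuid.UUID(bytes_le=data[pos:pos + 16]); pos += 16
    if body_flags & ACE_INHERITED_OBJECT_TYPE_PRESENT:  # class filter for inheritance
        inh_type = uuid.UUID(bytes_le=data[pos:pos + 16]); pos += 16
    return {"flags": ace_flags, "mask": mask, "object_type": obj_type,
            "inherited_object_type": inh_type, "sid": bytes_to_sid(data[pos:size])}


def propagate(ace, child_class):
    """Return the ACE a direct child of class child_class receives, or None.
    Every directory object is a container for inheritance purposes, so
    CONTAINER_INHERIT_ACE is the flag that matters for AD objects."""
    flags = ace["flags"]
    if not flags & CONTAINER_INHERIT_ACE:
        return None
    child = dict(ace)
    child["flags"] = (flags | INHERITED_ACE) & ~INHERIT_ONLY_ACE
    matches = (ace["inherited_object_type"] is None
               or ace["inherited_object_type"] == child_class)
    if flags & NO_PROPAGATE_INHERIT_ACE:
        # Inheritance stops at this level: only a matching child gets an
        # effective copy, and that copy carries no inheritance flags.
        if not matches:
            return None
        child["flags"] &= ~(CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE
                            | NO_PROPAGATE_INHERIT_ACE)
    elif not matches:
        # Wrong class: carried as inherit-only so that matching objects
        # further down the tree still receive it.
        child["flags"] |= INHERIT_ONLY_ACE
    return child


def is_effective(ace):
    """An inherit-only ACE grants nothing on the object that holds it."""
    return not ace["flags"] & INHERIT_ONLY_ACE


def flags_to_sddl(flags):
    """Render AceFlags the way SDDL prints them, e.g. CIIOID."""
    names = [(OBJECT_INHERIT_ACE, "OI"), (CONTAINER_INHERIT_ACE, "CI"),
             (NO_PROPAGATE_INHERIT_ACE, "NP"), (INHERIT_ONLY_ACE, "IO"),
             (INHERITED_ACE, "ID")]
    return "".join(tag for bit, tag in names if flags & bit)


if __name__ == "__main__":
    # An ACE on an OU that applies only to subordinate contact objects:
    # inherit-only on the OU itself, container-inherit so it flows down.
    ou_ace = parse_object_ace(build_object_ace(
        CONTAINER_INHERIT_ACE | INHERIT_ONLY_ACE, GENERIC_ALL,
        "S-1-5-21-1-2-3-1104", CONTACT_CLASS))
    for name, cls in (("contact", CONTACT_CLASS), ("nested OU", OU_CLASS),
                      ("computer", COMPUTER_CLASS)):
        got = propagate(ou_ace, cls)
        print(name, flags_to_sddl(got["flags"]), "effective" if is_effective(got) else "inherit-only")
```

Run it and the nested OU line shows CIIOID: the nested OU holds the entry but gains no rights from it, which is why propagate() on that copy still yields an effective CIID entry for a contact one level further down. Swap INHERIT_ONLY_ACE for NO_PROPAGATE_INHERIT_ACE to see the entry stop at the first level instead.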

Additional query words:

Keywords : kbenv
Version : WINDOWS:2000
Platform : WINDOWS
Issue type : kbinfo


Last Reviewed: December 29, 1999
© 2000 Microsoft Corporation. All rights reserved. Terms of Use.