Access Control Inheritance

Platform SDK: Active Directory, ADSI, and Directory Services

Access Control Inheritance

ACEs in an object's ACL can belong to one of two categories:

Effective ACL. ACEs in this category apply to the object itself.
Inherit ACL. ACEs in this category are inherited by objects created in the container.

Each ACE in the DACL can be in one or more categories. The categories for where an ACE belongs are determined by the inheritance control flags set in the ACE.

There are three inheritance control flags that can be set in the AceFlags property of an ACE:

ADS_ACEFLAG_INHERIT_ACE: This flag indicates that the ACE is part of the inherit ACL and that child objects will inherit the inheritance control flags of this ACE.
ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE: This flag indicates that the ACE is part of the inherit ACL, but that no inheritance control flags are propagated to direct child objects (direct descendants) and the ACE is effective on the direct child objects.
ADS_ACEFLAG_INHERIT_ONLY_ACE: This flag indicates that the ACE is not part of effective ACL.
If this flag is not set, then the ACE is part of the effective ACL. This flag is useful for setting permissions inheritable by subobjects, but do not affect accessibility of the container itself. For example, if an ACE is intended to be inherited by user objects in a organizational unit, there is a good chance that it should not be enforced for access to the organizational unit itself.

The ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE and ADS_ACEFLAG_INHERIT_ONLY_ACE flags are meaningful only if ADS_ACEFLAG_INHERIT_ACE is present. This is because the ADS_ACEFLAG_INHERIT_ACE flag adds inheritance behavior to an inheritable ACE but does not define the type of inheritance. The ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE and ADS_ACEFLAG_INHERIT_ONLY_ACE flags define a specific type of inheritance behavior.

Note that the system also sets the following flags based on the type and state of the ACE:

ADS_ACEFLAG_INHERITED_ACE: This flag indicates that the ACE was inherited.
ADS_ACEFLAG_VALID_INHERIT_FLAGS: This flag indicates that the inherit flags are valid.

The following table shows the effects of the different flag combinations for the AceFlags property of an ACE.

AceFlags	Effect on object containing the ACE	Effect on direct child objects	Effect on objects below direct children
No flags set.	Effective ACE: ACE applies to the object.	ACE is not inherited.	ACE is not inherited.
ADS_ACEFLAG_INHERIT_ACE	Effective ACE	ACE is inherited. ACE is an effective ACE.	ACE is inherited. ACE is an effective ACE.
ADS_ACEFLAG_INHERIT_ACE \| ADS_ACEFLAG_INHERIT_ONLY_ACE	Not an Effective ACE: ACE does not apply to the object.	ACE is inherited. ACE is an effective ACE.	ACE is inherited. ACE is an effective ACE.
ADS_ACEFLAG_INHERIT_ACE \| ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE	Effective ACE	ACE is inherited but without inheritance flags. ACE is an Effective ACE	ACE is not inherited.
ADS_ACEFLAG_INHERIT_ACE \| ADS_ACEFLAG_INHERIT_ONLY_ACE \| ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE	Not an Effective ACE.	ACE is inherited but without inheritance flags. ACE is an Effective ACE.	ACE is not inherited.