Re: Confusion over IO (Inherit Only) ACE on Vista



> 1. The adding of the BUILTIN\Administrators:(F) ACL to every sub-folder on
> Windows Server is done because inheritance might break, but it should not
> break in the first place!

I agree. I'm also interested in why some inheritances break on your side. Do
your clients have the permission to set their folders or subfolders to not
inherit from the parent object? Does the break happen to many folders or
just a few?

> One thing I noticed while experimenting with this, is that if I set an
> inheritable ACE at the top of a big tree of folders and files, there's a
> long delay, and it seems the ACE has to be applied to every folder and
> file below the root? I find this odd, because I thought inheritance was
> supposed to solve the performance problems of having to apply the ACE all
> the way down the tree...

It is because the ACEs of every node/subnode under the root are being
reset to the new list. A simple & quick "inheritance" cannot solve the
problem because some sub-nodes may be set to not inherit ACEs from the parent
object. The system needs to traverse every node, remove the "not inherit"
settings, and set the new values.

In addition, I just replied to your other thread "Delete File - Bypass
NTFS?", where you can find a solution to remove those folders without
resetting their ACEs.

Have a very nice day!

Regards,
Jialiang Ge (jialge@xxxxxxxxxxxxxxxxxxxx, remove 'online.')
Microsoft Online Community Support

=================================================
Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
msdnmg@xxxxxxxxxxxxxx

This posting is provided "AS IS" with no warranties, and confers no rights.
=================================================
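
The question raised in the reply above (does inheritance break on many folders or just a few?) can be answered with a read-only audit. The script below is an added example, not part of the original post or of any Microsoft tool; the root path D:\Shares and the function name Get-InheritanceReport are assumptions, and the principal name BUILTIN\Administrators differs on localized systems.

```powershell
# Added example: list folders whose DACL blocks inheritance from the parent,
# and show how the chosen principal's ACEs arrived there. Read-only.
param(
    [string]$Root      = 'D:\Shares',               # placeholder path (assumption)
    [string]$Principal = 'BUILTIN\Administrators'   # name is locale-dependent
)

function Get-InheritanceReport {                    # hypothetical helper name
    param([string]$Path, [string]$Principal)

    $folders = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -Force `
                     -ErrorAction SilentlyContinue)

    foreach ($folder in $folders) {
        try {
            $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop
        } catch {
            # A DACL we cannot read is itself worth reporting.
            [pscustomobject]@{
                Path = $folder.FullName; InheritanceBlocked = $null
                ExplicitAce = $null; InheritedAce = $null; InheritOnlyAce = $null
                Error = $_.Exception.Message
            }
            continue
        }

        $aces = @($acl.Access |
                  Where-Object { $_.IdentityReference.Value -eq $Principal })
        $io   = [System.Security.AccessControl.PropagationFlags]::InheritOnly

        [pscustomobject]@{
            Path               = $folder.FullName
            # True when the folder is set to not inherit ACEs from its parent.
            InheritanceBlocked = $acl.AreAccessRulesProtected
            ExplicitAce        = [bool]($aces | Where-Object { -not $_.IsInherited })
            InheritedAce       = [bool]($aces | Where-Object { $_.IsInherited })
            # IO ACEs apply to children only, not to this folder itself.
            InheritOnlyAce     = [bool]($aces | Where-Object { $_.PropagationFlags -band $io })
            Error              = $null
        }
    }
}

# Show only the folders that need attention.
Get-InheritanceReport -Path $Root -Principal $Principal |
    Where-Object { $_.InheritanceBlocked -or $_.Error } |
    Format-Table -AutoSize
```

Folders reported with InheritanceBlocked set to True and no ExplicitAce for the principal are the ones that an inheritable ACE set at the root would not reach.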

