Why does Windows process all NTFS child objects when changing a parent’s ACL?











up vote
6
down vote

favorite
1












Why does Windows process all NTFS child objects when changing a parent’s ACL?



I would expect this behavior if I had checked the “Replace all child object permissions...” box, but even when that box is left unchecked, Windows will process all the children.










share|improve this question


















  • 1




    Note that this is done by the Windows shell, not by the Win32 subsystem, kernel or ntfs driver. If you change the acl on a directory programattically using SetSecurityInfo changes don't propagate to children automatically, it is your responsibility to make it happen. Or use IFileOperation.
    – Ben
    5 hours ago

















up vote
6
down vote

favorite
1












Why does Windows process all NTFS child objects when changing a parent’s ACL?



I would expect this behavior if I had checked the “Replace all child object permissions...” box, but even when that box is left unchecked, Windows will process all the children.










share|improve this question


















  • 1




    Note that this is done by the Windows shell, not by the Win32 subsystem, kernel or ntfs driver. If you change the acl on a directory programattically using SetSecurityInfo changes don't propagate to children automatically, it is your responsibility to make it happen. Or use IFileOperation.
    – Ben
    5 hours ago















up vote
6
down vote

favorite
1









up vote
6
down vote

favorite
1






1





Why does Windows process all NTFS child objects when changing a parent’s ACL?



I would expect this behavior if I had checked the “Replace all child object permissions...” box, but even when that box is left unchecked, Windows will process all the children.










share|improve this question













Why does Windows process all NTFS child objects when changing a parent’s ACL?



I would expect this behavior if I had checked the “Replace all child object permissions...” box, but even when that box is left unchecked, Windows will process all the children.







windows ntfs






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked 12 hours ago









Corey

80292746




80292746








  • 1




    Note that this is done by the Windows shell, not by the Win32 subsystem, kernel or ntfs driver. If you change the acl on a directory programattically using SetSecurityInfo changes don't propagate to children automatically, it is your responsibility to make it happen. Or use IFileOperation.
    – Ben
    5 hours ago
















  • 1




    Note that this is done by the Windows shell, not by the Win32 subsystem, kernel or ntfs driver. If you change the acl on a directory programattically using SetSecurityInfo changes don't propagate to children automatically, it is your responsibility to make it happen. Or use IFileOperation.
    – Ben
    5 hours ago










1




1




Note that this is done by the Windows shell, not by the Win32 subsystem, kernel or ntfs driver. If you change the acl on a directory programattically using SetSecurityInfo changes don't propagate to children automatically, it is your responsibility to make it happen. Or use IFileOperation.
– Ben
5 hours ago






Note that this is done by the Windows shell, not by the Win32 subsystem, kernel or ntfs driver. If you change the acl on a directory programattically using SetSecurityInfo changes don't propagate to children automatically, it is your responsibility to make it happen. Or use IFileOperation.
– Ben
5 hours ago












3 Answers
3






active

oldest

votes

















up vote
8
down vote













Any child object that is configured to inherit it’s permissions from the parent object will need to be processed. Explicitly defined permissions on the child objects are not affected.



The option, “Replace permissions on all child objects,” will not only propagate the permissions to all child objects but it will also remove and replace any explicitly defined permissions on all child objects.






share|improve this answer




























    up vote
    3
    down vote













    By default, child folders inherit permissions from the parent folder. Assuming the default scope when you're adding/modifying permissions on the parent folder (this folder, subfolders and files) then all child folders will be updated to reflect the permissions change at the parent.



    The checkbox you're referring to is a "one time" operation that will remove all explicitly defined permissions on all child folders and replace them with inheritable permissions from the parent and will re-enable permissions inheritance on the child folders.






    share|improve this answer




























      up vote
      3
      down vote













      In Windows file permissions are not dynamically inherited. That is, when an attempt is made to open a file Windows only looks at the ACL of that file and not at the ACLs of the directories in the tree containing the file. That means when you change the ACL of a directory Windows has to immediately update the permissions of all files and subdirectories within the affected directory.



      In Windows the inherit setting in an ACL does not indicate any form of dynamic inheritance. It is just a flag to indicate that when a parent directory's ACL is modified all files and subdirectories in the tree that have the inherit flag set must also be updated.



      Those of us old enough to remember Novell NetWare will remember this was one of the big differences from NetWare because in NetWare inheritance of permissions is (was?) dynamic. There was much debate at the time about which approach was better, though history has rendered the issue moot. Dynamic ACLs require the OS to check the ACLs of every parent directory at the time an attempt is made to open the file, but changing ACLs is quick. In Windows opening file requires only a single ACL to be checked, but as you've found it means changing a directory ACL can be slow.






      share|improve this answer





















        Your Answer








        StackExchange.ready(function() {
        var channelOptions = {
        tags: "".split(" "),
        id: "2"
        };
        initTagRenderer("".split(" "), "".split(" "), channelOptions);

        StackExchange.using("externalEditor", function() {
        // Have to fire editor after snippets, if snippets enabled
        if (StackExchange.settings.snippets.snippetsEnabled) {
        StackExchange.using("snippets", function() {
        createEditor();
        });
        }
        else {
        createEditor();
        }
        });

        function createEditor() {
        StackExchange.prepareEditor({
        heartbeatType: 'answer',
        convertImagesToLinks: true,
        noModals: true,
        showLowRepImageUploadWarning: true,
        reputationToPostImages: 10,
        bindNavPrevention: true,
        postfix: "",
        imageUploader: {
        brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
        contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
        allowUrls: true
        },
        onDemand: true,
        discardSelector: ".discard-answer"
        ,immediatelyShowMarkdownHelp:true
        });


        }
        });














         

        draft saved


        draft discarded


















        StackExchange.ready(
        function () {
        StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f940636%2fwhy-does-windows-process-all-ntfs-child-objects-when-changing-a-parent-s-acl%23new-answer', 'question_page');
        }
        );

        Post as a guest















        Required, but never shown

























        3 Answers
        3






        active

        oldest

        votes








        3 Answers
        3






        active

        oldest

        votes









        active

        oldest

        votes






        active

        oldest

        votes








        up vote
        8
        down vote













        Any child object that is configured to inherit it’s permissions from the parent object will need to be processed. Explicitly defined permissions on the child objects are not affected.



        The option, “Replace permissions on all child objects,” will not only propagate the permissions to all child objects but it will also remove and replace any explicitly defined permissions on all child objects.






        share|improve this answer

























          up vote
          8
          down vote













          Any child object that is configured to inherit it’s permissions from the parent object will need to be processed. Explicitly defined permissions on the child objects are not affected.



          The option, “Replace permissions on all child objects,” will not only propagate the permissions to all child objects but it will also remove and replace any explicitly defined permissions on all child objects.






          share|improve this answer























            up vote
            8
            down vote










            up vote
            8
            down vote









            Any child object that is configured to inherit it’s permissions from the parent object will need to be processed. Explicitly defined permissions on the child objects are not affected.



            The option, “Replace permissions on all child objects,” will not only propagate the permissions to all child objects but it will also remove and replace any explicitly defined permissions on all child objects.






            share|improve this answer












            Any child object that is configured to inherit it’s permissions from the parent object will need to be processed. Explicitly defined permissions on the child objects are not affected.



            The option, “Replace permissions on all child objects,” will not only propagate the permissions to all child objects but it will also remove and replace any explicitly defined permissions on all child objects.







            share|improve this answer












            share|improve this answer



            share|improve this answer










            answered 11 hours ago









            Appleoddity

            1,8741314




            1,8741314
























                up vote
                3
                down vote













                By default, child folders inherit permissions from the parent folder. Assuming the default scope when you're adding/modifying permissions on the parent folder (this folder, subfolders and files) then all child folders will be updated to reflect the permissions change at the parent.



                The checkbox you're referring to is a "one time" operation that will remove all explicitly defined permissions on all child folders and replace them with inheritable permissions from the parent and will re-enable permissions inheritance on the child folders.






                share|improve this answer

























                  up vote
                  3
                  down vote













                  By default, child folders inherit permissions from the parent folder. Assuming the default scope when you're adding/modifying permissions on the parent folder (this folder, subfolders and files) then all child folders will be updated to reflect the permissions change at the parent.



                  The checkbox you're referring to is a "one time" operation that will remove all explicitly defined permissions on all child folders and replace them with inheritable permissions from the parent and will re-enable permissions inheritance on the child folders.






                  share|improve this answer























                    up vote
                    3
                    down vote










                    up vote
                    3
                    down vote









                    By default, child folders inherit permissions from the parent folder. Assuming the default scope when you're adding/modifying permissions on the parent folder (this folder, subfolders and files) then all child folders will be updated to reflect the permissions change at the parent.



                    The checkbox you're referring to is a "one time" operation that will remove all explicitly defined permissions on all child folders and replace them with inheritable permissions from the parent and will re-enable permissions inheritance on the child folders.






                    share|improve this answer












                    By default, child folders inherit permissions from the parent folder. Assuming the default scope when you're adding/modifying permissions on the parent folder (this folder, subfolders and files) then all child folders will be updated to reflect the permissions change at the parent.



                    The checkbox you're referring to is a "one time" operation that will remove all explicitly defined permissions on all child folders and replace them with inheritable permissions from the parent and will re-enable permissions inheritance on the child folders.







                    share|improve this answer












                    share|improve this answer



                    share|improve this answer










                    answered 12 hours ago









                    joeqwerty

                    94.5k462147




                    94.5k462147






















                        up vote
                        3
                        down vote













                        In Windows file permissions are not dynamically inherited. That is, when an attempt is made to open a file Windows only looks at the ACL of that file and not at the ACLs of the directories in the tree containing the file. That means when you change the ACL of a directory Windows has to immediately update the permissions of all files and subdirectories within the affected directory.



                        In Windows the inherit setting in an ACL does not indicate any form of dynamic inheritance. It is just a flag to indicate that when a parent directory's ACL is modified all files and subdirectories in the tree that have the inherit flag set must also be updated.



                        Those of us old enough to remember Novell NetWare will remember this was one of the big differences from NetWare because in NetWare inheritance of permissions is (was?) dynamic. There was much debate at the time about which approach was better, though history has rendered the issue moot. Dynamic ACLs require the OS to check the ACLs of every parent directory at the time an attempt is made to open the file, but changing ACLs is quick. In Windows opening file requires only a single ACL to be checked, but as you've found it means changing a directory ACL can be slow.






                        share|improve this answer

























                          up vote
                          3
                          down vote













                          In Windows file permissions are not dynamically inherited. That is, when an attempt is made to open a file Windows only looks at the ACL of that file and not at the ACLs of the directories in the tree containing the file. That means when you change the ACL of a directory Windows has to immediately update the permissions of all files and subdirectories within the affected directory.



                          In Windows the inherit setting in an ACL does not indicate any form of dynamic inheritance. It is just a flag to indicate that when a parent directory's ACL is modified all files and subdirectories in the tree that have the inherit flag set must also be updated.



                          Those of us old enough to remember Novell NetWare will remember this was one of the big differences from NetWare because in NetWare inheritance of permissions is (was?) dynamic. There was much debate at the time about which approach was better, though history has rendered the issue moot. Dynamic ACLs require the OS to check the ACLs of every parent directory at the time an attempt is made to open the file, but changing ACLs is quick. In Windows opening file requires only a single ACL to be checked, but as you've found it means changing a directory ACL can be slow.






                          share|improve this answer























                            up vote
                            3
                            down vote










                            up vote
                            3
                            down vote









                            In Windows file permissions are not dynamically inherited. That is, when an attempt is made to open a file Windows only looks at the ACL of that file and not at the ACLs of the directories in the tree containing the file. That means when you change the ACL of a directory Windows has to immediately update the permissions of all files and subdirectories within the affected directory.



                            In Windows the inherit setting in an ACL does not indicate any form of dynamic inheritance. It is just a flag to indicate that when a parent directory's ACL is modified all files and subdirectories in the tree that have the inherit flag set must also be updated.



                            Those of us old enough to remember Novell NetWare will remember this was one of the big differences from NetWare because in NetWare inheritance of permissions is (was?) dynamic. There was much debate at the time about which approach was better, though history has rendered the issue moot. Dynamic ACLs require the OS to check the ACLs of every parent directory at the time an attempt is made to open the file, but changing ACLs is quick. In Windows opening file requires only a single ACL to be checked, but as you've found it means changing a directory ACL can be slow.






                            share|improve this answer












                            In Windows file permissions are not dynamically inherited. That is, when an attempt is made to open a file Windows only looks at the ACL of that file and not at the ACLs of the directories in the tree containing the file. That means when you change the ACL of a directory Windows has to immediately update the permissions of all files and subdirectories within the affected directory.



                            In Windows the inherit setting in an ACL does not indicate any form of dynamic inheritance. It is just a flag to indicate that when a parent directory's ACL is modified all files and subdirectories in the tree that have the inherit flag set must also be updated.



                            Those of us old enough to remember Novell NetWare will remember this was one of the big differences from NetWare because in NetWare inheritance of permissions is (was?) dynamic. There was much debate at the time about which approach was better, though history has rendered the issue moot. Dynamic ACLs require the OS to check the ACLs of every parent directory at the time an attempt is made to open the file, but changing ACLs is quick. In Windows opening file requires only a single ACL to be checked, but as you've found it means changing a directory ACL can be slow.







                            share|improve this answer












                            share|improve this answer



                            share|improve this answer










                            answered 4 hours ago









                            John Rennie

                            7,30311829




                            7,30311829






























                                 

                                draft saved


                                draft discarded



















































                                 


                                draft saved


                                draft discarded














                                StackExchange.ready(
                                function () {
                                StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f940636%2fwhy-does-windows-process-all-ntfs-child-objects-when-changing-a-parent-s-acl%23new-answer', 'question_page');
                                }
                                );

                                Post as a guest















                                Required, but never shown





















































                                Required, but never shown














                                Required, but never shown












                                Required, but never shown







                                Required, but never shown

































                                Required, but never shown














                                Required, but never shown












                                Required, but never shown







                                Required, but never shown







                                Popular posts from this blog

                                'app-layout' is not a known element: how to share Component with different Modules

                                android studio warns about leanback feature tag usage required on manifest while using Unity exported app?

                                WPF add header to Image with URL pettitions [duplicate]