Why does Windows process all NTFS child objects when changing a parent’s ACL?











up vote
6
down vote

favorite
1












Why does Windows process all NTFS child objects when changing a parent’s ACL?



I would expect this behavior if I had checked the “Replace all child object permissions...” box, but even when that box is left unchecked, Windows will process all the children.






windows ntfs







share|improve this question


















  • 1




    Note that this is done by the Windows shell, not by the Win32 subsystem, kernel or ntfs driver. If you change the acl on a directory programattically using SetSecurityInfo changes don't propagate to children automatically, it is your responsibility to make it happen. Or use IFileOperation.
    – Ben
    5 hours ago

















up vote
6
down vote

favorite
1












Why does Windows process all NTFS child objects when changing a parent’s ACL?



I would expect this behavior if I had checked the “Replace all child object permissions...” box, but even when that box is left unchecked, Windows will process all the children.






windows ntfs







share|improve this question


















  • 1




    Note that this is done by the Windows shell, not by the Win32 subsystem, kernel or ntfs driver. If you change the acl on a directory programattically using SetSecurityInfo changes don't propagate to children automatically, it is your responsibility to make it happen. Or use IFileOperation.
    – Ben
    5 hours ago















up vote
6
down vote

favorite
1









up vote
6
down vote

favorite
1






1





Why does Windows process all NTFS child objects when changing a parent’s ACL?



I would expect this behavior if I had checked the “Replace all child object permissions...” box, but even when that box is left unchecked, Windows will process all the children.






windows ntfs







share|improve this question













Why does Windows process all NTFS child objects when changing a parent’s ACL?



I would expect this behavior if I had checked the “Replace all child object permissions...” box, but even when that box is left unchecked, Windows will process all the children.






windows ntfs




windows ntfs






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked 12 hours ago









Corey

80292746




80292746








  • 1




    Note that this is done by the Windows shell, not by the Win32 subsystem, kernel or ntfs driver. If you change the acl on a directory programattically using SetSecurityInfo changes don't propagate to children automatically, it is your responsibility to make it happen. Or use IFileOperation.
    – Ben
    5 hours ago
















  • 1




    Note that this is done by the Windows shell, not by the Win32 subsystem, kernel or ntfs driver. If you change the acl on a directory programattically using SetSecurityInfo changes don't propagate to children automatically, it is your responsibility to make it happen. Or use IFileOperation.
    – Ben
    5 hours ago










1




1




Note that this is done by the Windows shell, not by the Win32 subsystem, kernel or ntfs driver. If you change the acl on a directory programattically using SetSecurityInfo changes don't propagate to children automatically, it is your responsibility to make it happen. Or use IFileOperation.
– Ben
5 hours ago






Note that this is done by the Windows shell, not by the Win32 subsystem, kernel or ntfs driver. If you change the acl on a directory programattically using SetSecurityInfo changes don't propagate to children automatically, it is your responsibility to make it happen. Or use IFileOperation.
– Ben
5 hours ago












3 Answers
3






active

oldest

votes

















up vote
8
down vote













Any child object that is configured to inherit it’s permissions from the parent object will need to be processed. Explicitly defined permissions on the child objects are not affected.



The option, “Replace permissions on all child objects,” will not only propagate the permissions to all child objects but it will also remove and replace any explicitly defined permissions on all child objects.






share|improve this answer




























    up vote
    3
    down vote













    By default, child folders inherit permissions from the parent folder. Assuming the default scope when you're adding/modifying permissions on the parent folder (this folder, subfolders and files) then all child folders will be updated to reflect the permissions change at the parent.



    The checkbox you're referring to is a "one time" operation that will remove all explicitly defined permissions on all child folders and replace them with inheritable permissions from the parent and will re-enable permissions inheritance on the child folders.






    share|improve this answer




























      up vote
      3
      down vote













      In Windows file permissions are not dynamically inherited. That is, when an attempt is made to open a file Windows only looks at the ACL of that file and not at the ACLs of the directories in the tree containing the file. That means when you change the ACL of a directory Windows has to immediately update the permissions of all files and subdirectories within the affected directory.



      In Windows the inherit setting in an ACL does not indicate any form of dynamic inheritance. It is just a flag to indicate that when a parent directory's ACL is modified all files and subdirectories in the tree that have the inherit flag set must also be updated.



      Those of us old enough to remember Novell NetWare will remember this was one of the big differences from NetWare because in NetWare inheritance of permissions is (was?) dynamic. There was much debate at the time about which approach was better, though history has rendered the issue moot. Dynamic ACLs require the OS to check the ACLs of every parent directory at the time an attempt is made to open the file, but changing ACLs is quick. In Windows opening file requires only a single ACL to be checked, but as you've found it means changing a directory ACL can be slow.






      share|improve this answer





















        Your Answer








        StackExchange.ready(function() {
        var channelOptions = {
        tags: "".split(" "),
        id: "2"
        };
        initTagRenderer("".split(" "), "".split(" "), channelOptions);

        StackExchange.using("externalEditor", function() {
        // Have to fire editor after snippets, if snippets enabled
        if (StackExchange.settings.snippets.snippetsEnabled) {
        StackExchange.using("snippets", function() {
        createEditor();
        });
        }
        else {
        createEditor();
        }
        });

        function createEditor() {
        StackExchange.prepareEditor({
        heartbeatType: 'answer',
        convertImagesToLinks: true,
        noModals: true,
        showLowRepImageUploadWarning: true,
        reputationToPostImages: 10,
        bindNavPrevention: true,
        postfix: "",
        imageUploader: {
        brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
        contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
        allowUrls: true
        },
        onDemand: true,
        discardSelector: ".discard-answer"
        ,immediatelyShowMarkdownHelp:true
        });


        }
        });














         

        draft saved


        draft discarded


















        StackExchange.ready(
        function () {
        StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f940636%2fwhy-does-windows-process-all-ntfs-child-objects-when-changing-a-parent-s-acl%23new-answer', 'question_page');
        }
        );

        Post as a guest















        Required, but never shown

























        3 Answers
        3






        active

        oldest

        votes








        3 Answers
        3






        active

        oldest

        votes









        active

        oldest

        votes






        active

        oldest

        votes








        up vote
        8
        down vote













        Any child object that is configured to inherit it’s permissions from the parent object will need to be processed. Explicitly defined permissions on the child objects are not affected.



        The option, “Replace permissions on all child objects,” will not only propagate the permissions to all child objects but it will also remove and replace any explicitly defined permissions on all child objects.






        share|improve this answer

























          up vote
          8
          down vote













          Any child object that is configured to inherit it’s permissions from the parent object will need to be processed. Explicitly defined permissions on the child objects are not affected.



          The option, “Replace permissions on all child objects,” will not only propagate the permissions to all child objects but it will also remove and replace any explicitly defined permissions on all child objects.






          share|improve this answer























            up vote
            8
            down vote










            up vote
            8
            down vote









            Any child object that is configured to inherit it’s permissions from the parent object will need to be processed. Explicitly defined permissions on the child objects are not affected.



            The option, “Replace permissions on all child objects,” will not only propagate the permissions to all child objects but it will also remove and replace any explicitly defined permissions on all child objects.






            share|improve this answer












            Any child object that is configured to inherit it’s permissions from the parent object will need to be processed. Explicitly defined permissions on the child objects are not affected.



            The option, “Replace permissions on all child objects,” will not only propagate the permissions to all child objects but it will also remove and replace any explicitly defined permissions on all child objects.







            share|improve this answer












            share|improve this answer



            share|improve this answer










            answered 11 hours ago









            Appleoddity

            1,8741314




            1,8741314
























                up vote
                3
                down vote













                By default, child folders inherit permissions from the parent folder. Assuming the default scope when you're adding/modifying permissions on the parent folder (this folder, subfolders and files) then all child folders will be updated to reflect the permissions change at the parent.



                The checkbox you're referring to is a "one time" operation that will remove all explicitly defined permissions on all child folders and replace them with inheritable permissions from the parent and will re-enable permissions inheritance on the child folders.






                share|improve this answer

























                  up vote
                  3
                  down vote













                  By default, child folders inherit permissions from the parent folder. Assuming the default scope when you're adding/modifying permissions on the parent folder (this folder, subfolders and files) then all child folders will be updated to reflect the permissions change at the parent.



                  The checkbox you're referring to is a "one time" operation that will remove all explicitly defined permissions on all child folders and replace them with inheritable permissions from the parent and will re-enable permissions inheritance on the child folders.






                  share|improve this answer























                    up vote
                    3
                    down vote










                    up vote
                    3
                    down vote









                    By default, child folders inherit permissions from the parent folder. Assuming the default scope when you're adding/modifying permissions on the parent folder (this folder, subfolders and files) then all child folders will be updated to reflect the permissions change at the parent.



                    The checkbox you're referring to is a "one time" operation that will remove all explicitly defined permissions on all child folders and replace them with inheritable permissions from the parent and will re-enable permissions inheritance on the child folders.






                    share|improve this answer












                    By default, child folders inherit permissions from the parent folder. Assuming the default scope when you're adding/modifying permissions on the parent folder (this folder, subfolders and files) then all child folders will be updated to reflect the permissions change at the parent.



                    The checkbox you're referring to is a "one time" operation that will remove all explicitly defined permissions on all child folders and replace them with inheritable permissions from the parent and will re-enable permissions inheritance on the child folders.







                    share|improve this answer












                    share|improve this answer



                    share|improve this answer










                    answered 12 hours ago









                    joeqwerty

                    94.5k462147




                    94.5k462147






















                        up vote
                        3
                        down vote













                        In Windows file permissions are not dynamically inherited. That is, when an attempt is made to open a file Windows only looks at the ACL of that file and not at the ACLs of the directories in the tree containing the file. That means when you change the ACL of a directory Windows has to immediately update the permissions of all files and subdirectories within the affected directory.



                        In Windows the inherit setting in an ACL does not indicate any form of dynamic inheritance. It is just a flag to indicate that when a parent directory's ACL is modified all files and subdirectories in the tree that have the inherit flag set must also be updated.



                        Those of us old enough to remember Novell NetWare will remember this was one of the big differences from NetWare because in NetWare inheritance of permissions is (was?) dynamic. There was much debate at the time about which approach was better, though history has rendered the issue moot. Dynamic ACLs require the OS to check the ACLs of every parent directory at the time an attempt is made to open the file, but changing ACLs is quick. In Windows opening file requires only a single ACL to be checked, but as you've found it means changing a directory ACL can be slow.






                        share|improve this answer

























                          up vote
                          3
                          down vote













                          In Windows file permissions are not dynamically inherited. That is, when an attempt is made to open a file Windows only looks at the ACL of that file and not at the ACLs of the directories in the tree containing the file. That means when you change the ACL of a directory Windows has to immediately update the permissions of all files and subdirectories within the affected directory.



                          In Windows the inherit setting in an ACL does not indicate any form of dynamic inheritance. It is just a flag to indicate that when a parent directory's ACL is modified all files and subdirectories in the tree that have the inherit flag set must also be updated.



                          Those of us old enough to remember Novell NetWare will remember this was one of the big differences from NetWare because in NetWare inheritance of permissions is (was?) dynamic. There was much debate at the time about which approach was better, though history has rendered the issue moot. Dynamic ACLs require the OS to check the ACLs of every parent directory at the time an attempt is made to open the file, but changing ACLs is quick. In Windows opening file requires only a single ACL to be checked, but as you've found it means changing a directory ACL can be slow.






                          share|improve this answer























                            up vote
                            3
                            down vote










                            up vote
                            3
                            down vote









                            In Windows file permissions are not dynamically inherited. That is, when an attempt is made to open a file Windows only looks at the ACL of that file and not at the ACLs of the directories in the tree containing the file. That means when you change the ACL of a directory Windows has to immediately update the permissions of all files and subdirectories within the affected directory.



                            In Windows the inherit setting in an ACL does not indicate any form of dynamic inheritance. It is just a flag to indicate that when a parent directory's ACL is modified all files and subdirectories in the tree that have the inherit flag set must also be updated.



                            Those of us old enough to remember Novell NetWare will remember this was one of the big differences from NetWare because in NetWare inheritance of permissions is (was?) dynamic. There was much debate at the time about which approach was better, though history has rendered the issue moot. Dynamic ACLs require the OS to check the ACLs of every parent directory at the time an attempt is made to open the file, but changing ACLs is quick. In Windows opening file requires only a single ACL to be checked, but as you've found it means changing a directory ACL can be slow.






                            share|improve this answer












                            In Windows file permissions are not dynamically inherited. That is, when an attempt is made to open a file Windows only looks at the ACL of that file and not at the ACLs of the directories in the tree containing the file. That means when you change the ACL of a directory Windows has to immediately update the permissions of all files and subdirectories within the affected directory.



                            In Windows the inherit setting in an ACL does not indicate any form of dynamic inheritance. It is just a flag to indicate that when a parent directory's ACL is modified all files and subdirectories in the tree that have the inherit flag set must also be updated.



                            Those of us old enough to remember Novell NetWare will remember this was one of the big differences from NetWare because in NetWare inheritance of permissions is (was?) dynamic. There was much debate at the time about which approach was better, though history has rendered the issue moot. Dynamic ACLs require the OS to check the ACLs of every parent directory at the time an attempt is made to open the file, but changing ACLs is quick. In Windows opening file requires only a single ACL to be checked, but as you've found it means changing a directory ACL can be slow.







                            share|improve this answer












                            share|improve this answer



                            share|improve this answer










                            answered 4 hours ago









                            John Rennie

                            7,30311829




                            7,30311829






























                                 

                                draft saved


                                draft discarded



















































                                 


                                draft saved


                                draft discarded














                                StackExchange.ready(
                                function () {
                                StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f940636%2fwhy-does-windows-process-all-ntfs-child-objects-when-changing-a-parent-s-acl%23new-answer', 'question_page');
                                }
                                );

                                Post as a guest















                                Required, but never shown





















































                                Required, but never shown














                                Required, but never shown












                                Required, but never shown







                                Required, but never shown

































                                Required, but never shown














                                Required, but never shown












                                Required, but never shown







                                Required, but never shown







                                Popular posts from this blog

                                Can a sorcerer learn a 5th-level spell early by creating spell slots using the Font of Magic feature?

                                Image
                                28 6 $begingroup$ Per the Font of Magic feature, sorcerer can use Flexible Casting to create 5th-level spell slots at level 7, even though they are not typically available until level 9. You can transform unexpended sorcery points into one spell slot as a bonus action on your turn. The Creating Spell Slots table shows the cost of creating a spell slot of [5th level is 7] If such a sorcerer levels up while still having this 5th-level spell slot, can they choose a 5th-level spell as the spell they gain upon levelling up? The Spellcasting feature states: Additionally, when you gain a level in this class, you can choose one of the sorcerer spells you know and replace it with another spell from the sorcerer spell list, which also must be of a level for which you have spell slots.
                                Read more

                                Does disintegrating a polymorphed enemy still kill it after the 2018 errata?

                                Image
                                up vote 13 down vote favorite 1 After the 2018 errata, the disintegrate spell description now reads: A creature targeted by this spell must make a Dexterity saving throw. On a failed save, the target takes 10d6 + 40 force damage. The target is disintegrated if this damage leaves it with 0 hit points. If you were to polymorph an enemy into a rat and then disintegrate it, would the enemy be disintegrated or would it just return to its original form? I know that for Druids, it’s not an instant kill anymore, but is this the case for polymorph as well? dnd-5e spells polymorph errata share | improve this question edited 18 hours ago
                                Read more

                                A Topological Invariant for $pi_3(U(n))$

                                Image
                                3 3 $begingroup$ Recently, I saw a construction of topological invariant for $pi_3(U(n))$ with $ngeq 2$ : $$ N=frac{1}{24pi^2}int_{S^3} d^3x epsilon^{ijk} Tr[(U^{-1}partial_{x_i}U)(U^{-1}partial_{x_j}U)(U^{-1}partial_{x_k}U)] , $$ where $Uin U(n)$ depends on $boldsymbol{x}=(x_1,x_2,x_3)in S^3$ , $epsilon^{ijk}$ is the Levi-Civita symbol, $i,j,k=1,2,3$ , and the duplicated indexes are summed over. It is claimed that $N$ is an integer, but why? Update 02/02/2019 I think I got an argument for $n=2$ . In this case, $U=e^{i varphi} q$ with $qin SU(2)$ . Due to the trace and the Levi-Civita symbol in $N$ , $varphi$ does not contribute to $N$ . As $Tr[q^{dagger}partial_i q]=0$ and $(q^{dagger}partial_i q)^{dagger}=-q^{dagger}partial_i q$ , $q^{dagger}partial_i q$ in geneeral has the form $q^{dagger}partia
                                Read more