Windows Server 2003 - Inheritance

©2004 Team Approach Limited
All rights reserved


By default, child objects, such as files, inherit security permissions from a parent object, such as a folder. With inheritance, any changes to the parent's DACL are propagated to the child.

[Figure labels: Explicit permissions; Inherited permissions]

Child objects can also have explicit permissions.

Inheritance can be disabled on any object by clearing the check box labelled

  • Allow inheritable permissions from parent to propagate to this object

The dialog to the right appears when you disable inheritance.

Copying the parent permissions will give the same effective permissions after disabling inheritance. Removing the parent permissions will leave only the child's explicit permissions. Without inheritance, permission changes to the parent do not affect the child.

ACE Precedence

Explicit ACEs have precedence over inherited ACEs. The ACEs are processed and ordered in the DACL as follows.

1. Explicit Deny
2. Explicit Allow
3. Inherited Deny
4. Inherited Allow

Examples

Assume for the following that JoeUser is a member of SalesGroup.

    ACE                        Inherit      Effective permissions for JoeUser
    SalesGroup Full control    Explicit     Full control
    SalesGroup Full control    Inherited    Full control
    SalesGroup Full control    Inherited
    JoeUser Deny read          Explicit     Deny read

In both cases, the explicit rights take precedence over the inherited rights.

    ACE                        Inherit      Effective permissions for JoeUser
    JoeUser Deny read          Explicit     Deny read
    JoeUser Deny read          Inherited    Deny read
    JoeUser Deny read          Inherited
    SalesGroup Full control    Explicit     Full control
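
The precedence order and the two combined cases in the tables above can be checked with a small model of DACL evaluation. This is an added example, not code from the original page or from Windows. The right bits, the Ace class and the function names are assumptions made for illustration, and the model ignores the ordering of ACEs inherited from different ancestors.

```python
# Simplified model of DACL ordering and evaluation (illustrative, not Windows code).
from dataclasses import dataclass

READ, WRITE, EXECUTE, DELETE = 0x1, 0x2, 0x4, 0x8   # constructed right bits
FULL_CONTROL = READ | WRITE | EXECUTE | DELETE

@dataclass(frozen=True)
class Ace:
    trustee: str      # user or group the ACE applies to
    deny: bool        # True = deny ACE, False = allow ACE
    mask: int         # rights the ACE covers
    inherited: bool   # True if propagated from the parent object

def canonical_order(dacl):
    """Order: explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(dacl, key=lambda a: (a.inherited, not a.deny))

def access_check(dacl, principals, desired):
    """Walk the ordered DACL; True only if every desired right gets granted."""
    remaining = desired
    for ace in canonical_order(dacl):
        if ace.trustee not in principals:
            continue                  # ACE is for someone else
        if ace.deny:
            if ace.mask & remaining:
                return False          # a right still needed is denied
        else:
            remaining &= ~ace.mask    # these rights are now granted
            if remaining == 0:
                return True           # later ACEs are never consulted
    return False                      # nothing granted the rest: implicit deny

JOE = {"JoeUser", "SalesGroup"}       # JoeUser is a member of SalesGroup

# First table, combined case: inherited group allow plus explicit user deny.
case1 = [Ace("SalesGroup", False, FULL_CONTROL, True),
         Ace("JoeUser", True, READ, False)]
# Second table, combined case: inherited user deny plus explicit group allow.
case2 = [Ace("JoeUser", True, READ, True),
         Ace("SalesGroup", False, FULL_CONTROL, False)]

if __name__ == "__main__":
    print("case 1, read:", access_check(case1, JOE, READ))
    print("case 2, read:", access_check(case2, JOE, READ))
```

In the first case the explicit deny is reached first, so a read request by JoeUser is refused. In the second case the explicit allow grants the request before the inherited deny is ever examined.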

 

Resetting Permissions on Child Objects

The Advanced Security Settings dialog has a check box labeled

  • Replace permission entries on all child objects with entries shown here that apply to child objects

Checking this option will present the following dialog before removing explicit permissions on child objects.

Inheritance Propagation

The inheritance propagation of an ACE can be controlled within the Advanced Security Settings dialog. The Apply onto field provides the inheritance propagation options.