Directory Services

Inheritance and Delegation of Administration

Active Directory supports inheritance of permissions down the object tree so that administration can be done at higher levels in the tree. This allows administrators to set up inheritable permissions on objects near the root (such as the domain and organizational units) and have those permissions flow down automatically to the objects beneath them.

Inheritance can be set on a per-ACE basis. You can specify the following flags in the AceFlags to control inheritance of the ACE:

ADS_ACEFLAG_INHERIT_ACE: This flag causes the ACE to be inherited down the tree.
ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE: This flag causes the ACE to be inherited down only one level in the tree.
ADS_ACEFLAG_INHERIT_ONLY_ACE: This flag causes the ACE to be ignored on the object it is set on; it is only inherited down and takes effect where it has been inherited.

In addition to setting inheritance, Active Directory supports object-specific inheritance. This allows an inheritable ACE to be inherited down the tree but to be effective only on a specific type of object, which is extremely useful for delegating administration. For example, an object-specific inheritable ACE set on an organizational unit can give a group full control over all user objects in that organizational unit and nothing else; management of the users in that organizational unit is thereby delegated to the members of that group.
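To make the three flags and object-specific inheritance concrete, here is a small added model (not code from the ADSI documentation or from Active Directory itself) that computes where an ACE set on an organizational unit takes effect in a constructed sample tree; `DirObject`, `Ace`, `effective_on` and `build_sample_ou` are the model's own names, and the hypothetical `inherited_object_type` field stands in for the class filter that governs the inherited copies of an object-specific ACE. It is the kind of check you would run to confirm that a delegation such as the help-desk-over-users case lands only where intended.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# AceFlags bits from the ADSI ADS_ACEFLAG_ENUM (the three flags described above)
ADS_ACEFLAG_INHERIT_ACE = 0x2
ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE = 0x4
ADS_ACEFLAG_INHERIT_ONLY_ACE = 0x8

@dataclass
class DirObject:            # a directory object: DN, object class, children
    dn: str
    object_class: str
    children: List["DirObject"] = field(default_factory=list)

@dataclass
class Ace:                  # only the parts of an ACE that matter for inheritance (simplified)
    trustee: str
    ace_flags: int
    inherited_object_type: Optional[str] = None  # class the inherited copies apply to; None = any

def effective_on(ace: Ace, target: DirObject) -> List[str]:
    """Return the DNs on which `ace`, set on `target`, is effective under the rules above."""
    hits = []
    # The ACE applies to the object it is set on unless INHERIT_ONLY suppresses that.
    if not ace.ace_flags & ADS_ACEFLAG_INHERIT_ONLY_ACE:
        hits.append(target.dn)
    if not ace.ace_flags & ADS_ACEFLAG_INHERIT_ACE:
        return hits  # without INHERIT_ACE nothing flows down the tree
    one_level = bool(ace.ace_flags & ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE)
    def walk(obj: DirObject) -> None:
        for child in obj.children:
            # Object-specific inheritance: the inherited copy is effective only on the named class.
            if ace.inherited_object_type in (None, child.object_class):
                hits.append(child.dn)
            if not one_level:  # NO_PROPAGATE stops inheritance after the first level
                walk(child)

    walk(target)
    return hits

def build_sample_ou() -> DirObject:
    """Constructed sample tree: an OU holding a user, a group and a nested OU with a user."""
    base = "DC=example,DC=test"
    interns = DirObject(f"OU=Interns,OU=Sales,{base}", "organizationalUnit",
                        [DirObject(f"CN=bob,OU=Interns,OU=Sales,{base}", "user")])
    return DirObject(f"OU=Sales,{base}", "organizationalUnit", [
        DirObject(f"CN=alice,OU=Sales,{base}", "user"),
        DirObject(f"CN=Sales Admins,OU=Sales,{base}", "group"),
        interns])
```

With `ADS_ACEFLAG_INHERIT_ACE | ADS_ACEFLAG_INHERIT_ONLY_ACE` and `inherited_object_type="user"`, `effective_on` returns only the two user DNs, not the OU itself, the group or the nested OU; adding `ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE` drops the user in the nested OU as well.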