Odd inheritance problem on a directory

 
 
frankm
      04-27-2009
Windows2003 server sp2.......

It seems that there were at least 3 migrations of a directory from server to
server.
This appears to have left the directory structure permissions inconsistent.

I have some logins on various directory level, with no permissions higher in
the tree, telling me that I can't remove the login due to inheritance.

This is a production system, I don't really want to remove all permissions
and start over, I don't know what will break.
Is there a way to override the inheritance (there isn't any anyway for the
logins I need to remove.) for an individual login?

Any ideas? There are oh so many other issues I need to fix, but can't until
I fix this one.


 
Paul Baker [MVP, Windows Desktop Experience]
      04-27-2009
I am not sure what you are saying? If the permissions are incorrect, someone
with Change Permissions permissions can, well, change them.

Paul

Al Dunbar
      04-28-2009

"frankm" <> wrote in message
news:...
> Windows2003 server sp2.......
>
> It seems that there were at least 3 migrations of a directory from server
> to server.
> This appears to have left the directory structure permissions
> inconsistent.
>
> I have some logins on various directory level, with no permissions higher
> in the tree, telling me that I can't remove the login due to inheritance.
>
> This is a production system, I don't really want to remove all permissions
> and start over, I don't know what will break.
> Is there a way to override the inheritance (there isn't any anyway for the
> logins I need to remove.) for an individual login?


I don't understand what it is you are referring to as an "individual logon".
To me, a logon is an action, like when one logs on to a machine. Or are you
referring to user accounts as logons?

In either case, I don't know what it means to have "some logons on various
directory level", unless perhaps you are talking about permissions to users
on various folders.

Anyway, given a permissions structure that is no longer organized in a
manageable way, I'd suggest that almost any permissions change you make
has the potential of breaking *something*. That said, have you tried using
the advanced button from the security tab and then clearing the inherit from
parent checkbox?

/Al

> Any ideas? There are oh so many other issues I need to fix, but can't
> until I fix this one.
>



 
frankm
      04-28-2009
There are domain logins that have permissions at certain levels of the
directory tree, they do not have any apparent parent entry. I cannot remove
them due to inheritance.

frankm
      04-28-2009

There are domain logins (translated: user accounts) that have permissions at
certain levels of the directory tree, they do not have any apparent parent
entry. I cannot remove them due to inheritance.

Paul Baker [MVP, Windows Desktop Experience]
      04-28-2009
I still don't follow, but does it help to know that you do not HAVE to
inherit inheritable permissions?

Choose Advanced
Uncheck "Inherit from the parent..."
Click Copy.

Paul

frankm
      04-28-2009
When I do that it removes ALL entries from the permissions and copied the
higher level.
I know this is normal.

My problem is that I want to "dis-inherit" so to speak, for just one of the
domain objects.
In this case it is an individual user account.

Paul Baker [MVP, Windows Desktop Experience]
      04-28-2009
Frank,

We will have to try to use proper terminology to avoid confusion.

"When I do that it removes ALL entries from the permissions and copied the
higher level" - I take this to mean that when you do this, it no longer
inherits (or copies) ALL Access Control Entries (ACEs) from the
Discretionary Access Control List (DACL) of a parent.

"My problem is that I want to "dis-inherit" so to speak, for just one of
the domain objects. In this case it is an individual user account" - I
take this to mean that there is just one inheritable ACE that you do not
wish to inherit, and that the Security Identifier (SID) associated with it
is that of a user.

This is certainly not possible in the user interface. I am not certain, but
my research of the documentation would suggest that this "disinheriting"
behaviour is specified using the PROTECTED_DACL_SECURITY_INFORMATION flag
which is specific to the object and therefore cannot be done at the ACE
level.

SECURITY_INFORMATION Data Type:
http://msdn.microsoft.com/en-us/libr...73(VS.85).aspx

Paul

frankm
      04-29-2009
I apologize for not using proper terminology.
As I am not an AD admin, I don't have that direct and experienced frame of
reference.
In trying to research the issue on my own, it was difficult to find exactly
what I needed, in part due to the terminology issue (text searches are only
as good as the text you enter).
So, I went to the experts to help me translate.

Thank you for your answer. It looks like I will just have to go through a
couple of hundred folders, see what their perms are and break inheritance and
copy from the higher levels. Then go back and apply the necessary
permissions.
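
The per-folder procedure the thread ends on (break inheritance with Copy, then remove the unwanted account's entry), as an added PowerShell example that is not from any poster in the thread. The function names, path and account are hypothetical; `SetAccessRuleProtection` is the .NET call that sets the object-level DACL protection discussed above.

```powershell
# Added example, not from the thread. Needs PowerShell 2.0 or later and an
# elevated session; the path and account in the usage lines are placeholders.

function Get-AccountAce {
    # List every ACE that $Account holds on $Root and the folders below it,
    # showing whether each ACE is flagged as inherited and whether the
    # folder's DACL is already protected (inheritance blocked).
    param([string]$Root, [string]$Account)

    $folders = @(Get-Item -Path $Root) +
               @(Get-ChildItem -Path $Root -Recurse |
                 Where-Object { $_.PSIsContainer })
    foreach ($folder in $folders) {
        $acl = Get-Acl -Path $folder.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.IdentityReference.Value -eq $Account) {
                New-Object PSObject -Property @{
                    Path          = $folder.FullName
                    DaclProtected = $acl.AreAccessRulesProtected
                    IsInherited   = $ace.IsInherited
                    Type          = $ace.AccessControlType
                    Rights        = $ace.FileSystemRights
                }
            }
        }
    }
}

function Remove-AccountAce {
    # Remove $Account from one folder's DACL. Without -Apply it only reports.
    param([string]$Folder, [string]$Account, [switch]$Apply)

    $acl = Get-Acl -Path $Folder
    $inherited = @($acl.Access | Where-Object {
        $_.IsInherited -and $_.IdentityReference.Value -eq $Account })

    if (-not $Apply) {
        "{0}: {1} inherited ACE(s) for {2}; DACL protected: {3}" -f `
            $Folder, $inherited.Count, $Account, $acl.AreAccessRulesProtected
        return
    }

    if ($inherited.Count -gt 0) {
        # Same as unchecking "Inherit from the parent..." and clicking Copy:
        # protect the DACL (object-level flag) and keep the inherited ACEs as
        # explicit copies. From here on, permission changes made on the
        # parent no longer reach this folder.
        $acl.SetAccessRuleProtection($true, $true)
        Set-Acl -Path $Folder -AclObject $acl
        $acl = Get-Acl -Path $Folder   # re-read: the copies are now explicit
    }

    # Explicit ACEs can be removed per account; this drops Allow and Deny.
    $identity = New-Object System.Security.Principal.NTAccount($Account)
    $acl.PurgeAccessRules($identity)
    Set-Acl -Path $Folder -AclObject $acl
}

# Audit first, then change one folder at a time:
# Get-AccountAce -Root 'D:\Data' -Account 'EXAMPLE\jdoe' | Format-Table -AutoSize
# Remove-AccountAce -Folder 'D:\Data\Projects' -Account 'EXAMPLE\jdoe'
# Remove-AccountAce -Folder 'D:\Data\Projects' -Account 'EXAMPLE\jdoe' -Apply
```

Subfolders that still inherit from the changed folder lose the account's entry as well, so run the audit again afterwards to confirm what remains.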