You are currently offline, waiting for your internet to reconnect

Installing Security Configuration Manager from SP4 Changes Windows NT 4.0 ACL Editor

This article was previously published under Q195509
This article has been archived. It is offered "as is" and will no longer be updated.
After you install Security Configuration Manager for Windows NT 4.0 ServicePack 4, the Access Control List (ACL) editor is modified.
Because Security Configuration Manager was originally designed for Windows2000, the Windows 2000 ACL Inheritance infrastructure was also back-portedto Windows NT 4.0 and is available when the Security Configuration Manageris installed. This is most readily apparent when setting security throughWindows NT Explorer after Security Configuration Manager is installed. Whenthe Security tab is selected from a file system object's Properties dialogbox, the Windows 2000 ACL Editor is exposed on the Windows NT 4.0 computer.
The Windows 2000 ACL inheritance model is characterized most significantlyby its dynamic rather than static nature. By default, permissions on childobjects are automatically inherited from their parent. This is specified bythe check box labeled Allow Inheritable Permissions from the parent topropagate to this object available on the first page of the ACL Editordialog box. When checked, the inheritable permissions defined on the parentobject are automatically applied to the child object and cannot be changedat the child object.

The degree to which a permission is inheritable is defined by the Apply Todialog box exposed on the Advanced page of the ACL Editor dialog. Forexample, assume the following directory structure:
   \Parent          |___Child				

If the Everyone group has Full Control permissions on the Parent directoryand these permissions apply to this folder, subfolders and files, Everyonewill also have Full Control on the Child directory as long as the Childdirectory Allows inheritable permissions from parent to propagate to thisobject. This permission on the Child directory cannot be modified on theChild object itself as long as the Allow inheritable permissions fromparent to propagate to this object is checked. If permissions on the Parentare changed so that Everyone has Read Only, this modification will alsoimpact the Child directory automatically. If the inheritance properties forthe Everyone group is modified on the Parent directory so that thepermission apply only to this folder, Everyone will automatically beremoved from the Child directory.

An administrator can define additional permissions on a child object beyondthose that are automatically being inherited. Such permissions are calledExplicit and can be modified on the child object itself at any time.

If an administrator does not want a child object to inherit from itsparent, then the Allow inheritable permissions from parent to propagate tothis object should be cleared. When cleared, the child object is said to beProtected. At the time the child object is protected, the ACL editor willask the administrator what should be done with the permissions that arecurrently being inherited. These inherited permissions can be copied to thechild object or removed altogether. When an object is protected, itcontains only Explicit permissions. Note that the child objects withWindows NT 4.0-style permissions that are not consistent with theinheritable permissions defined on the parent are automatically protectedunder the new ACL inheritance.

Security Configuration Manager allows administrators to override the normalbehavior of the ACL inheritance model by specifying that all child objectsof a given object should be reconfigured whether they are protected or not.In fact, this is the only mode of operation that is supported in theWindows NT 4.0 version of Security Configuration Manager and is specifiedby selecting the Overwrite radio button when defining the security of aFile System or Registry object through Security Configuration Manager.

In Overwrite mode, all children of the specified object are set to inheritfrom the object whose security is being defined. To specify differentsecurity settings for child objects, those child objects must be explicitlyadded to the security configuration file. These child objects may beprotected, in which case the object is not impacted by the security of itsparent, or the child objects may inherit, in which case additional explicitpermissions may be defined on the child object. Finally, for child objectsthat the administrator does not wish to touch, those child objects shouldbe added to the security configuration file with the Ignore, rather thanOverwrite, attribute.

SCM is available for download and in the Mssce folder on your Windows NT4.0 Service Pack 4 CD-ROM. For more information on downloading SCM, pleasesee the following article in the Microsoft Knowledge Base:

195227SP4 Security Configuration Manager Available for Download

Known Issues with the New Permissions Editor

  • The new Permissions Editor is not exposed when using Regedt32.exe; however, it is used by Security Configuration Manager when configuring security for registry keys.
  • Permissions edited using the new editor are not viewable using the old editor. This is because the old editor is limited in terms of its capabilities to display and edit different kinds of valid permissions. The old editor works only with permissions that are very simple or have been edited using itself.

Uninstalling the New Permissions Editor

Uninstalling the new Permissions Editor is not recommended because it willrender Security Configuration Manager nonfunctional. If you must uninstallit, perform the following steps:

  1. Go to the %windir%\System32.
  2. Rename Rshx32_5.dll to Rshx32_5.sav.
  3. Rename Rshx32.dll to Rshx32_5.dll.
Start Windows NT Explorer and look at the properties on an NTFS file orfolder. The old Permissions Editor should appear on the Security tab.

After reinstalling the old editor, you must examine the security on allfiles and folders that you may have edited with the new editor. This willdisplay an error message stating that the permissions are not viewable andwill give you the opportunity to reset them and redefine new permissions.
4.00 sp4 acl editor overwrite sce inheritance access control list

Article ID: 195509 - Last Review: 10/11/2013 15:39:23 - Revision: 2.2

Microsoft Windows 2000 Server, Microsoft Windows 2000 Advanced Server, Microsoft Windows 2000 Professional Edition, Microsoft Windows NT Workstation 4.0 Developer Edition, Microsoft Windows NT 4.0 Service Pack 4

  • kbnosurvey kbarchive kbinfo KB195509