Don't overlook inheritance difference in W2K to W2K3

For the most part, the same skills you use working in Windows 2000 Server will transfer over to Windows Server 2003. However, there are a few hidden gotchas to watch out for. One of them involves how inheritance works.

Under Windows 2000 Server, inheritance is set to ON by default. Under Windows Server 2003, inheritance is set to OFF by default.

This may at first seem like a simple and insignificant change, but it has serious implications. Inheritance is the concept whereby child objects -- such as folders and files on a storage device or OUs (organizational units) and objects within Active Directory -- take on the security configurations of their parent containers.

As we work with various parent-child structures, we have been trained to assume that inheritance always takes place. However, under Windows Server 2003, Active Directory has been reconfigured so that inheritance is not enabled by default. Thus, you must intentionally enable the inheritance feature or manually configure all security settings for every object throughout your directory structure.

If you find you can't access resources under Windows Server 2003 that you assumed would be accessible as they were under Windows 2000 Server, one of the troubleshooting steps you should take is to evaluate the inheritance settings and subsequent permission settings on various AD objects. You may be surprised how much you rely on inheritance to simplify your administrative tasks.



The moral of this story is that if you want to use inheritance, you need to manually enable it as you work from the top-level parents down toward the lowest-level child objects throughout Active Directory. Otherwise, you'll be left administering a complex environment without it.
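One way to carry out the inheritance check described above is sketched here in PowerShell, as an added example that is not part of the original tip. It reports, for each OU, whether the object is protected from inheritance and how many of its ACEs are explicit versus inherited. The function names are hypothetical, and the two SDDL strings are constructed samples so the logic can be checked without a domain.

```powershell
# Added example: function names are hypothetical, sample SDDL is constructed.
Add-Type -AssemblyName System.DirectoryServices

function Get-InheritanceSummary {
    param(
        [string] $Name,
        [System.DirectoryServices.ActiveDirectorySecurity] $Security
    )
    # Ask for SIDs rather than account names so no name lookup can fail.
    $sid       = [System.Security.Principal.SecurityIdentifier]
    $explicit  = @($Security.GetAccessRules($true,  $false, $sid))
    $inherited = @($Security.GetAccessRules($false, $true,  $sid))
    [pscustomobject]@{
        Object             = $Name
        # True means the object ignores ACEs flowing down from its parent.
        InheritanceBlocked = $Security.AreAccessRulesProtected
        ExplicitAces       = $explicit.Count
        InheritedAces      = $inherited.Count
    }
}

function Get-OuInheritanceReport {
    # Searches the current domain over LDAP; needs read access to each OU's DACL.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter   = '(objectCategory=organizationalUnit)'
    $searcher.PageSize = 500
    [void] $searcher.PropertiesToLoad.Add('distinguishedName')
    foreach ($hit in $searcher.FindAll()) {
        $entry = $hit.GetDirectoryEntry()
        Get-InheritanceSummary -Name $hit.Properties['distinguishedname'][0] `
                               -Security $entry.psbase.ObjectSecurity
        $entry.psbase.Dispose()
    }
}

# Offline check on two constructed descriptors (AU = Authenticated Users,
# BA = Builtin Administrators): one inheriting, one with inheritance blocked.
$samples = @{
    'inheriting (constructed)' = 'D:AI(A;;RPLCRC;;;AU)(A;CIID;RPLCRC;;;BA)'
    'protected (constructed)'  = 'D:PAI(A;;RPLCRC;;;AU)'
}
foreach ($name in $samples.Keys) {
    $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
    $sd.SetSecurityDescriptorSddlForm($samples[$name])
    Get-InheritanceSummary -Name $name -Security $sd
}

# Against a live domain:
# Get-OuInheritanceReport | Where-Object InheritanceBlocked | Format-Table -AutoSize
```

An OU that shows `InheritanceBlocked` as true with only a handful of explicit ACEs is the first place to look when a resource that used to be reachable through a parent's permissions no longer is.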


James Michael Stewart has co-authored numerous books on Microsoft, security certification and administration and is a regular speaker at Networld+Interop. Michael holds the following certifications: MCSE, MCT, CTT+, CISSP, TICSA, CIW SA, CCNA, MCSE NT & W2K and iNet+. He can be reached at michael@impactonline.com.

This was first published in March 2005
