New Item Descriptor Inheritance
The document is archived and information here might be outdated

New Item Descriptor Inheritance

Exchange Server 2003

New Item Descriptor Inheritance

This content is no longer actively maintained. It is provided as is, for anyone who may still be using these technologies, with no warranties or claims of accuracy with regard to the most recent product version or service release.

When new items are created in folders, they are secured using the access control entries (ACEs) present in the subitem_inheritable_aces section of the parent folder's discretionary access control list (ACL). In a sense, the item inherits a "virtual" descriptor from its parent folder. If the parent folder's descriptor changes, the item automatically inherits the changes.

When you set the descriptor for an item, the "virtual" inheritance is no longer used, and the item's descriptor is used to control access. Therefore, if you make changes to the parent folder's descriptor, items that have had their descriptors set directly do not inherit these changes.

The default behavior described in the preceding paragraphs emulates the folder-based access control system used in earlier versions of Microsoft® Exchange. The drawback to using parent-folder inheritance for items is that the access rights granted or denied to trustees apply uniformly to all items within a given folder that have not had their associated descriptors explicitly set.

© 2016 Microsoft