When working with NTFS permissions in Windows, inheritance flags determine how access control entries (ACEs) propagate through the file system hierarchy. The two fundamental flags are:
(OI) - Object Inherit
(CI) - Container Inherit
Object Inheritance (OI): This flag indicates that the ACE is inherited by non-container objects (files) beneath the directory. Files in the folder receive it, and subfolders carry it downward as an inherit-only entry so that files further down the tree receive it too; existing files are affected as well as new ones.
Container Inheritance (CI): This flag specifies that the ACE is inherited by container objects (subfolders), which in turn pass it on to their own subfolders. Files never receive a CI-only ACE. In both cases the ACE also applies to the folder it is set on unless (IO), inherit-only, is added.
Here are typical scenarios where you'd use these flags with icacls.exe. Note that /grant:r replaces any existing explicit allow ACEs for that principal, whereas /grant alone merges the new rights with them:
# Read/execute on the folder itself and on every file beneath it (OI only: files in subfolders are included, the subfolders themselves are not)
icacls target_folder /grant:r "Domain\Users:(OI)(RX)"
# Full control on the folder itself and on every subfolder, but not on files (CI only)
icacls target_folder /grant:r "Domain\Admins:(CI)(F)"
# Modify on the folder, every subfolder and every file
icacls target_folder /grant:r "Domain\Team:(OI)(CI)(M)"
Let's say we need to configure permissions for a software project:
# Base permissions for the project root
icacls "C:\Projects\AppX" /inheritance:d
icacls "C:\Projects\AppX" /grant:r "DEV\Lead:(CI)(F)"
icacls "C:\Projects\AppX" /grant:r "DEV\Team:(OI)(CI)(M)"
icacls "C:\Projects\AppX" /grant:r "QA\Team:(OI)(RX)"
# This results in:
# - Lead gets full control of the root and of every subfolder (files do not receive a CI-only ACE)
# - Dev team can modify the root, every subfolder and every file
# - QA can read and execute the root and every file in the tree; subfolders only carry the ACE as inherit-only, shown as (I)(OI)(IO)(RX)
Note that /inheritance:d does not empty the ACL: the ACEs previously inherited from C:\Projects (typically BUILTIN\Users with read/execute) are converted into explicit ACEs and stay in place. Use /inheritance:r instead to disable inheritance and drop them, or remove them with /remove, before assuming the ACL is as tight as the three grants above.
The inheritance flags work differently when combined:
- (OI) alone = the folder itself and all files beneath it (subfolders carry it as inherit-only)
- (CI) alone = the folder itself and all subfolders, no files
- (OI)(CI) = the folder itself, all subfolders and all files
- No flags = only the object the ACE is set on
- (IO) added to any of the above = inherit-only, so the ACE no longer applies to the folder it is set on
- (NP) added = no propagate, so only the immediate children receive the ACE
Remember that inheritable ACEs are pushed to existing children as well as new ones: when icacls writes the folder's ACL, Windows rewrites the inherited part of every descendant's DACL, except beneath folders that have inheritance disabled. The /T switch is not needed for that. /T applies the grant as an explicit ACE on every object in the tree, which is rarely what you want and makes the ACL much harder to clean up later.
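To see exactly where each ACE of the AppX scheme lands, the following PowerShell script is an added example (not part of the original page): it builds a small tree under the temp directory, applies the same three icacls grants, and reads the ACEs back with Get-Acl on the root, a subfolder and a file. The account names DEV\Lead, DEV\Team and QA\Team are assumed placeholders taken from the scheme above; substitute principals that exist in your environment (for a quick local run, BUILTIN\Users and BUILTIN\Administrators work), and run it elevated.

```powershell
# Added example, not from the original page. Apply the AppX scheme to a scratch
# tree and show how (OI)/(CI) ACEs appear on the folder, a subfolder and a file.
# Assumed principals: replace with accounts that resolve on your machine.
$Root = Join-Path $env:TEMP 'AppX'
$Lead = 'DEV\Lead'
$Dev  = 'DEV\Team'
$QA   = 'QA\Team'

# Scratch tree: AppX\src\main.c (constructed sample content)
New-Item -ItemType Directory -Force -Path (Join-Path $Root 'src') | Out-Null
Set-Content -Path (Join-Path $Root 'src\main.c') -Value '/* sample */'

# Same commands as the scheme above; ${Name}: avoids PowerShell reading $Name: as a drive
icacls $Root /inheritance:d | Out-Null
icacls $Root /grant:r "${Lead}:(CI)(F)"     | Out-Null
icacls $Root /grant:r "${Dev}:(OI)(CI)(M)"  | Out-Null
icacls $Root /grant:r "${QA}:(OI)(RX)"      | Out-Null

function Show-Aces {
    param([string]$Path)
    Write-Host "== $Path"
    (Get-Acl -Path $Path).Access |
        # Hide the ACEs that /inheritance:d copied in from the parent, to keep the output focused
        Where-Object { $_.IdentityReference.Value -in @($Lead, $Dev, $QA) } |
        Select-Object IdentityReference, FileSystemRights,
                      InheritanceFlags, PropagationFlags, IsInherited |
        Format-Table -AutoSize
}

Show-Aces $Root                            # three explicit ACEs, IsInherited False
Show-Aces (Join-Path $Root 'src')          # all inherited; QA's entry is InheritOnly
Show-Aces (Join-Path $Root 'src\main.c')   # only Dev and QA; no Lead ACE on a file

# Clean up when done:
# Remove-Item -LiteralPath $Root -Recurse -Force
```

On the root all three ACEs report IsInherited False, with QA's InheritanceFlags ObjectInherit and PropagationFlags None. On src every entry is inherited; Lead's shows ContainerInherit, Dev's both flags, and QA's ObjectInherit with PropagationFlags InheritOnly, which is the (I)(OI)(IO) form icacls prints. On main.c only Dev and QA appear, both inherited with InheritanceFlags None, because the CI-only Lead ACE never reaches a file. Remove the Where-Object filter to see the entries that /inheritance:d converted from inherited to explicit.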
When permissions aren't propagating as expected:
# List the DACL. Inherited entries are marked (I); a child that shows none of the parent's entries almost always has inheritance disabled on itself or on a folder in between
icacls problematic_folder
# Reset the folder's DACL to what it would inherit from its parent: this re-enables inheritance and discards every explicit ACE on the folder, so reapply the grant afterwards
icacls folder /reset
icacls folder /grant:r "User:(OI)(CI)(permissions)"
Add /T to /reset only if every object beneath the folder should be reset as well; explicit ACEs on files and subfolders, including any deliberate exceptions, are lost in the process.
To recap, when working with NTFS permissions through icacls.exe, two inheritance flags appear constantly:
(OI) - object inherit
(CI) - container inherit
Object Inheritance (OI): the ACE propagates to non-container objects (files) beneath the directory. For example, read/execute on C:\Data and on every file under it:
icacls C:\Data /grant:r "Users:(OI)(RX)"
Container Inheritance (CI): the ACE propagates to subdirectories (containers). For example, modify on C:\Data and on every subfolder, but not on files:
icacls C:\Data /grant:r "Admins:(CI)(M)"
In combination:
(OI)(CI) - full inheritance (both files and subdirectories)
(OI) - files only
(CI) - subfolders only
In every case the ACE also applies to the folder it is set on unless (IO) is added.
Here's a complete example setting permissions with inheritance:
# Read/execute on D:\Projects and every file beneath it; modify on D:\Projects and every subfolder
icacls D:\Projects /grant:r "Developers:(OI)(RX)"
icacls D:\Projects /grant:r "TeamLeads:(CI)(M)"
# Stop the Confidential folder from receiving those ACEs from now on. The ACEs it already inherited are copied in as explicit ones, so remove them (or use /inheritance:r) if Confidential must not keep them
icacls D:\Projects\Confidential /inheritance:d
When troubleshooting inheritance issues, list the DACL of every object in the tree. icacls prints the DACL, not effective access; for effective access use the Effective Access tab in Advanced Security Settings or a tool such as Sysinternals AccessChk.
icacls "C:\Path" /t /c /l /q
/t recurses, /c continues past errors such as access denied, /l operates on symbolic links themselves rather than their targets, and /q suppresses the success messages so only the ACL lines remain. Entries marked (I) are inherited; a child with no (I) entries at all has inheritance disabled.
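The two troubleshooting passages above both come down to finding the objects that interrupt propagation. The following PowerShell script is an added example (not part of the original page) that walks a tree and reports every object whose DACL is protected (inheritance disabled) or that carries explicit, non-inherited ACEs overriding what the parent passes down. The root path C:\Projects\AppX is the page's example folder; any folder you can read ACLs on will do.

```powershell
# Added example, not from the original page. Report objects that can block or
# override inherited ACEs: protected DACLs and explicit (non-inherited) entries.
# Assumption: $Root is a folder whose ACLs the current user may read.
$Root = 'C:\Projects\AppX'

function Get-InheritanceBreaks {
    param([string]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { return }   # access denied on this object: skip it

            # AreAccessRulesProtected is True after icacls /inheritance:d or :r
            $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
            if ($acl.AreAccessRulesProtected -or $explicit.Count -gt 0) {
                [pscustomobject]@{
                    Path                = $_.FullName
                    InheritanceDisabled = $acl.AreAccessRulesProtected
                    ExplicitAces        = ($explicit | ForEach-Object {
                        '{0}:{1}:{2}' -f $_.IdentityReference,
                                          $_.AccessControlType,
                                          $_.FileSystemRights
                    }) -join '; '
                }
            }
        }
}

Get-InheritanceBreaks -Path $Root | Format-Table -AutoSize -Wrap
```

An object listed with InheritanceDisabled True is where an inherited grant stops; an object with ExplicitAces but inheritance still enabled is usually the residue of an earlier icacls run with /T, or of /inheritance:d converting inherited entries to explicit ones. Inherited entries of the (I)(OI)(IO) form on subfolders are expected and are not reported, since they are inherited.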
Remember that an access check walks the DACL in canonical order, which is also the order icacls writes it:
- Explicit deny ACEs
- Explicit allow ACEs
- Inherited deny ACEs
- Inherited allow ACEs (nearest parent first)
The walk stops with denial at the first deny ACE that covers any requested right, or with success once the allow ACEs have accumulated every requested right. So a deny beats an allow at the same level, but an explicit allow set on the object itself beats a deny inherited from a parent.