2.5.3.5 Setting the INHERITED_ACE Flag


ACEs are usually contained in ACLs (see section 2.4.5), and the INHERITED_ACE flag in an ACE is set as part of comparing the ACEs in a parent ACL with those in a child ACL. If an ACE is present in both the parent ACL and the child ACL, the INHERITED_ACE flag is set in the child ACE. The parent and child ACEs are considered equal only if none of the following rules rejects them:

  • If either ACE is NULL, the ACEs are not equal.

  • If the AceType of the ACEs are different, they are not equal.

  • If the parent AceFlags ANDed with NOT INHERITED_ACE is not equal to the child AceFlags, this is a special case in which an additional ACE may have been created during inheritance:

    • If the child ACE belongs to a container, the parent flags are set, there is a following child ACE, the child ACE flags are not set, and INHERIT_ONLY is set in the parent ACE, then:

      • For ACCESS_ALLOWED_ACE_TYPE, ACCESS_DENIED_ACE_TYPE, SYSTEM_AUDIT_ACE_TYPE and SYSTEM_ALARM_ACE_TYPE: if the access masks of the parent ACE and the next child ACE are equal, and their SIDs are equal, skip the current child ACE and compare the next child ACE to the parent ACE instead.

      • Otherwise, the ACEs are not equal.

  • If the parent and child flags are not equal, the ACEs are not equal.

  • If ACE_OBJECT_TYPE_PRESENT is set in the parent ACE, but the parent and child ObjectType GUIDs are not equal, the ACEs are not equal.

  • If ACE_INHERITED_OBJECT_TYPE_PRESENT is set in the parent ACE, but the parent and child InheritedObjectType GUIDs are not equal, the ACEs are not equal.

  • If the parent ACE is of type ACCESS_ALLOWED_COMPOUND_ACE_TYPE, but the compound ACE types of the parent and child ACEs are not equal, the ACEs are not equal.

  • If either the parent or child ACE SIDs are not valid, or the two are not equal, the ACEs are not equal.

  • If the parent and child ACE access masks are not equal, the ACEs are not equal.
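The rules above are easiest to follow as code. The following Python model is an added example and not part of MS-DTYP or any Windows implementation: it represents ACEs as simplified dataclasses, uses the AceType, AceFlags and object-ACE Flags values defined by the specification, and walks a child ACL against a parent ACL setting INHERITED_ACE wherever the equality test passes, including the container special case that looks at the following child ACE. The SID validity check is a simplified string-format check (an assumption), not the full rules of section 2.4.2.

```python
import re
from dataclasses import dataclass, replace
from typing import List, Optional

# AceFlags bits used by the comparison
INHERIT_ONLY_ACE = 0x08
INHERITED_ACE = 0x10

# AceType values
ACCESS_ALLOWED_ACE_TYPE = 0x00
ACCESS_DENIED_ACE_TYPE = 0x01
SYSTEM_AUDIT_ACE_TYPE = 0x02
SYSTEM_ALARM_ACE_TYPE = 0x03
ACCESS_ALLOWED_COMPOUND_ACE_TYPE = 0x04
ACCESS_ALLOWED_OBJECT_ACE_TYPE = 0x05
ACCESS_DENIED_OBJECT_ACE_TYPE = 0x06

# Object-ACE Flags bits
ACE_OBJECT_TYPE_PRESENT = 0x01
ACE_INHERITED_OBJECT_TYPE_PRESENT = 0x02

SIMPLE_ACE_TYPES = {ACCESS_ALLOWED_ACE_TYPE, ACCESS_DENIED_ACE_TYPE,
                    SYSTEM_AUDIT_ACE_TYPE, SYSTEM_ALARM_ACE_TYPE}
OBJECT_ACE_TYPES = {ACCESS_ALLOWED_OBJECT_ACE_TYPE, ACCESS_DENIED_OBJECT_ACE_TYPE}


@dataclass
class Ace:
    """Simplified ACE model (constructed for this example, not the wire format)."""
    ace_type: int
    ace_flags: int
    mask: int
    sid: Optional[str]                  # string-form SID; None models a missing SID
    object_flags: int = 0               # object ACEs only
    object_type: Optional[str] = None   # object ACEs only, GUID as text
    inherited_object_type: Optional[str] = None
    compound_ace_type: int = 0          # compound ACEs only


# Simplified validity check (assumption): revision 1, an authority, 1..15 sub-authorities.
_SID_RE = re.compile(r"^S-1-\d+(-\d+){1,15}$")


def is_valid_sid(sid: Optional[str]) -> bool:
    return sid is not None and _SID_RE.match(sid) is not None


def ace_equal(parent: Optional[Ace], child: Optional[Ace]) -> bool:
    """Equality rules of 2.5.3.5, minus the container special case, which needs
    the following child ACE and is therefore handled in mark_inherited()."""
    if parent is None or child is None:
        return False
    if parent.ace_type != child.ace_type:
        return False
    # INHERITED_ACE is masked out of the parent flags before comparing.
    if (parent.ace_flags & ~INHERITED_ACE) != child.ace_flags:
        return False
    if parent.ace_type in OBJECT_ACE_TYPES:
        if (parent.object_flags & ACE_OBJECT_TYPE_PRESENT
                and parent.object_type != child.object_type):
            return False
        if (parent.object_flags & ACE_INHERITED_OBJECT_TYPE_PRESENT
                and parent.inherited_object_type != child.inherited_object_type):
            return False
    if (parent.ace_type == ACCESS_ALLOWED_COMPOUND_ACE_TYPE
            and parent.compound_ace_type != child.compound_ace_type):
        return False
    if not (is_valid_sid(parent.sid) and is_valid_sid(child.sid)):
        return False
    if parent.sid != child.sid:
        return False
    return parent.mask == child.mask


def mark_inherited(parent_acl: List[Ace], child_acl: List[Ace],
                   child_is_container: bool) -> List[Ace]:
    """Return a copy of child_acl with INHERITED_ACE set in every child ACE that
    is equal, per 2.5.3.5, to some ACE of parent_acl."""
    out = [replace(a) for a in child_acl]
    for p in parent_acl:
        p_flags = p.ace_flags & ~INHERITED_ACE
        i = 0
        while i < len(out):
            c = out[i]
            if p_flags != c.ace_flags:
                # Special case: an inherit-only parent ACE propagated to a container
                # may yield an effective copy (flags cleared) followed by the
                # inherit-only copy; skip the effective copy and compare the
                # parent against the following child ACE instead.
                nxt = out[i + 1] if i + 1 < len(out) else None
                if (child_is_container and p_flags != 0 and nxt is not None
                        and c.ace_flags == 0 and p_flags & INHERIT_ONLY_ACE
                        and p.ace_type in SIMPLE_ACE_TYPES
                        and p.mask == nxt.mask and p.sid == nxt.sid):
                    i += 1
                    c = nxt
                else:
                    i += 1
                    continue
            if ace_equal(p, c):
                c.ace_flags |= INHERITED_ACE
            i += 1
    return out
```

Note that only the parent's INHERITED_ACE bit is masked before the flag comparison, exactly as the text describes; a child ACE that already carries INHERITED_ACE will not compare equal to the parent ACE, so the walk is meant to run over child ACEs whose inherited bit has not yet been set.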