RegistryAccessRule Constructors
Definition
Important
Some information relates to prerelease product that may be substantially modified before it’s released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Initializes a new instance of the RegistryAccessRule class.
Overloads
| RegistryAccessRule(IdentityReference, RegistryRights, AccessControlType) |
Initializes a new instance of the RegistryAccessRule class, specifying the user or group the rule applies to, the access rights, and whether the specified access rights are allowed or denied. |
| RegistryAccessRule(String, RegistryRights, AccessControlType) |
Initializes a new instance of the RegistryAccessRule class, specifying the name of the user or group the rule applies to, the access rights, and whether the specified access rights are allowed or denied. |
| RegistryAccessRule(IdentityReference, RegistryRights, InheritanceFlags, PropagationFlags, AccessControlType) |
Initializes a new instance of the RegistryAccessRule class, specifying the user or group the rule applies to, the access rights, the inheritance flags, the propagation flags, and whether the specified access rights are allowed or denied. |
| RegistryAccessRule(String, RegistryRights, InheritanceFlags, PropagationFlags, AccessControlType) |
Initializes a new instance of the RegistryAccessRule class, specifying the name of the user or group the rule applies to, the access rights, the inheritance flags, the propagation flags, and whether the specified access rights are allowed or denied. |
RegistryAccessRule(IdentityReference, RegistryRights, AccessControlType)
- Source:
- RegistrySecurity.cs
Initializes a new instance of the RegistryAccessRule class, specifying the user or group the rule applies to, the access rights, and whether the specified access rights are allowed or denied.
public:
RegistryAccessRule(System::Security::Principal::IdentityReference ^ identity, System::Security::AccessControl::RegistryRights registryRights, System::Security::AccessControl::AccessControlType type);public RegistryAccessRule (System.Security.Principal.IdentityReference identity, System.Security.AccessControl.RegistryRights registryRights, System.Security.AccessControl.AccessControlType type);new System.Security.AccessControl.RegistryAccessRule : System.Security.Principal.IdentityReference * System.Security.AccessControl.RegistryRights * System.Security.AccessControl.AccessControlType -> System.Security.AccessControl.RegistryAccessRulePublic Sub New (identity As IdentityReference, registryRights As RegistryRights, type As AccessControlType)Parameters
- identity
- IdentityReference
The user or group the rule applies to. Must be of type SecurityIdentifier or a type such as NTAccount that can be converted to type SecurityIdentifier.
- registryRights
- RegistryRights
A bitwise combination of RegistryRights values indicating the rights allowed or denied.
- type
- AccessControlType
One of the AccessControlType values indicating whether the rights are allowed or denied.
Exceptions
registryRights specifies an invalid value.
-or-
type specifies an invalid value.
identity is neither of type SecurityIdentifier nor of a type such as NTAccount that can be converted to type SecurityIdentifier.
Remarks
This constructor specifies default propagation and inheritance. That is, InheritanceFlags.None and PropagationFlags.None.
Applies to
RegistryAccessRule(String, RegistryRights, AccessControlType)
- Source:
- RegistrySecurity.cs
Initializes a new instance of the RegistryAccessRule class, specifying the name of the user or group the rule applies to, the access rights, and whether the specified access rights are allowed or denied.
public:
RegistryAccessRule(System::String ^ identity, System::Security::AccessControl::RegistryRights registryRights, System::Security::AccessControl::AccessControlType type);public RegistryAccessRule (string identity, System.Security.AccessControl.RegistryRights registryRights, System.Security.AccessControl.AccessControlType type);new System.Security.AccessControl.RegistryAccessRule : string * System.Security.AccessControl.RegistryRights * System.Security.AccessControl.AccessControlType -> System.Security.AccessControl.RegistryAccessRulePublic Sub New (identity As String, registryRights As RegistryRights, type As AccessControlType)Parameters
- identity
- String
The name of the user or group the rule applies to.
- registryRights
- RegistryRights
A bitwise combination of RegistryRights values indicating the rights allowed or denied.
- type
- AccessControlType
One of the AccessControlType values indicating whether the rights are allowed or denied.
Exceptions
registryRights specifies an invalid value.
-or-
type specifies an invalid value.
registryRights is zero.
identity is null.
-or-
identity is a zero-length string.
-or-
identity is longer than 512 characters.
Examples
The following code example creates registry access rules and adds them to a RegistrySecurity object, showing how rules that allow and deny rights remain separate, while compatible rules of the same kind are merged.
using System;
using Microsoft.Win32;
using System.Security.AccessControl;
using System.Security.Principal;
public class Example
{
public static void Main()
{
// Create a string representing the current user.
string user = Environment.UserDomainName + "\\"
+ Environment.UserName;
// Create a security object that grants no access.
RegistrySecurity mSec = new RegistrySecurity();
// Add a rule that grants the current user the
// right to read the key.
RegistryAccessRule rule = new RegistryAccessRule(user,
RegistryRights.ReadKey,
AccessControlType.Allow);
mSec.AddAccessRule(rule);
// Add a rule that denies the current user the
// right to change permissions on the Registry.
rule = new RegistryAccessRule(user,
RegistryRights.ChangePermissions,
AccessControlType.Deny);
mSec.AddAccessRule(rule);
// Display the rules in the security object.
ShowSecurity(mSec);
// Add a rule that allows the current user the
// right to read permissions on the Registry. This
// rule is merged with the existing Allow rule.
rule = new RegistryAccessRule(user,
RegistryRights.WriteKey,
AccessControlType.Allow);
mSec.AddAccessRule(rule);
ShowSecurity(mSec);
}
private static void ShowSecurity(RegistrySecurity security)
{
Console.WriteLine("\r\nCurrent access rules:\r\n");
foreach( RegistryAccessRule ar in
security.GetAccessRules(true, true, typeof(NTAccount)) )
{
Console.WriteLine(" User: {0}", ar.IdentityReference);
Console.WriteLine(" Type: {0}", ar.AccessControlType);
Console.WriteLine(" Rights: {0}", ar.RegistryRights);
Console.WriteLine();
}
}
}
/* This code example produces output similar to following:
Current access rules:
User: TestDomain\TestUser
Type: Deny
Rights: ChangePermissions
User: TestDomain\TestUser
Type: Allow
Rights: ReadKey
Current access rules:
User: TestDomain\TestUser
Type: Deny
Rights: ChangePermissions
User: TestDomain\TestUser
Type: Allow
Rights: SetValue, CreateSubKey, ReadKey
*/
Imports Microsoft.Win32
Imports System.Security.AccessControl
Imports System.Security.Principal
Public Class Example
Public Shared Sub Main()
' Create a string representing the current user.
Dim user As String = Environment.UserDomainName _
& "\" & Environment.UserName
' Create a security object that grants no access.
Dim mSec As New RegistrySecurity()
' Add a rule that grants the current user the
' right to read the key.
Dim rule As New RegistryAccessRule(user, _
RegistryRights.ReadKey, _
AccessControlType.Allow)
mSec.AddAccessRule(rule)
' Add a rule that denies the current user the
' right to change permissions on the Registry.
rule = New RegistryAccessRule(user, _
RegistryRights.ChangePermissions, _
AccessControlType.Deny)
mSec.AddAccessRule(rule)
' Display the rules in the security object.
ShowSecurity(mSec)
' Add a rule that allows the current user the
' right to read permissions on the Registry. This
' rule is merged with the existing Allow rule.
rule = New RegistryAccessRule(user, _
RegistryRights.WriteKey, _
AccessControlType.Allow)
mSec.AddAccessRule(rule)
ShowSecurity(mSec)
End Sub
Private Shared Sub ShowSecurity(ByVal security As RegistrySecurity)
Console.WriteLine(vbCrLf & "Current access rules:" & vbCrLf)
For Each ar As RegistryAccessRule In _
security.GetAccessRules(True, True, GetType(NTAccount))
Console.WriteLine(" User: {0}", ar.IdentityReference)
Console.WriteLine(" Type: {0}", ar.AccessControlType)
Console.WriteLine(" Rights: {0}", ar.RegistryRights)
Console.WriteLine()
Next
End Sub
End Class
'This code example produces output similar to following:
'
'Current access rules:
'
' User: TestDomain\TestUser
' Type: Deny
' Rights: ChangePermissions
'
' User: TestDomain\TestUser
' Type: Allow
' Rights: ReadKey
'
'
'Current access rules:
'
' User: TestDomain\TestUser
' Type: Deny
' Rights: ChangePermissions
'
' User: TestDomain\TestUser
' Type: Allow
' Rights: SetValue, CreateSubKey, ReadKey
Remarks
This constructor specifies default propagation and inheritance. That is, InheritanceFlags.None and PropagationFlags.None.
This constructor is equivalent to creating an NTAccount object, by passing identity to the NTAccount.NTAccount(String) constructor, and passing the newly created NTAccount object to the RegistryAccessRule(IdentityReference, RegistryRights, AccessControlType) constructor.
Applies to
RegistryAccessRule(IdentityReference, RegistryRights, InheritanceFlags, PropagationFlags, AccessControlType)
- Source:
- RegistrySecurity.cs
Initializes a new instance of the RegistryAccessRule class, specifying the user or group the rule applies to, the access rights, the inheritance flags, the propagation flags, and whether the specified access rights are allowed or denied.
public:
RegistryAccessRule(System::Security::Principal::IdentityReference ^ identity, System::Security::AccessControl::RegistryRights registryRights, System::Security::AccessControl::InheritanceFlags inheritanceFlags, System::Security::AccessControl::PropagationFlags propagationFlags, System::Security::AccessControl::AccessControlType type);public RegistryAccessRule (System.Security.Principal.IdentityReference identity, System.Security.AccessControl.RegistryRights registryRights, System.Security.AccessControl.InheritanceFlags inheritanceFlags, System.Security.AccessControl.PropagationFlags propagationFlags, System.Security.AccessControl.AccessControlType type);new System.Security.AccessControl.RegistryAccessRule : System.Security.Principal.IdentityReference * System.Security.AccessControl.RegistryRights * System.Security.AccessControl.InheritanceFlags * System.Security.AccessControl.PropagationFlags * System.Security.AccessControl.AccessControlType -> System.Security.AccessControl.RegistryAccessRulePublic Sub New (identity As IdentityReference, registryRights As RegistryRights, inheritanceFlags As InheritanceFlags, propagationFlags As PropagationFlags, type As AccessControlType)Parameters
- identity
- IdentityReference
The user or group the rule applies to. Must be of type SecurityIdentifier or a type such as NTAccount that can be converted to type SecurityIdentifier.
- registryRights
- RegistryRights
A bitwise combination of RegistryRights values specifying the rights allowed or denied.
- inheritanceFlags
- InheritanceFlags
A bitwise combination of InheritanceFlags flags specifying how access rights are inherited from other objects.
- propagationFlags
- PropagationFlags
A bitwise combination of PropagationFlags flags specifying how access rights are propagated to other objects.
- type
- AccessControlType
One of the AccessControlType values specifying whether the rights are allowed or denied.
Exceptions
registryRights specifies an invalid value.
-or-
type specifies an invalid value.
-or-
inheritanceFlags specifies an invalid value.
-or-
propagationFlags specifies an invalid value.
identity is neither of type SecurityIdentifier, nor of a type such as NTAccount that can be converted to type SecurityIdentifier.
Remarks
All registry keys are containers, so the only inheritance flag that is meaningful for registry keys is the InheritanceFlags.ContainerInherit flag. If this flag is not specified, the propagation flags are ignored, and only the immediate key is affected. If the flag is present, the rule is propagated as shown in the following table. The table assumes there is a subkey S with child subkey CS and grandchild subkey GS. That is, the path for the grandchild subkey is S\CS\GS.
| Propagation flags | S | CS | GS |
|---|---|---|---|
| None | X | X | X |
| NoPropagateInherit | X | X | |
| InheritOnly | X | X | |
| NoPropagateInherit, InheritOnly | X |
The pattern for the grandchild subkey governs all subkeys contained by the grandchild subkey.
For example, if the ContainerInherit flag is specified for inheritanceFlags and the InheritOnly propagation flag is specified for propagationFlags, this rule does not apply to the immediate subkey, but does apply to all its immediate child subkeys and to all subkeys they contain.
Note
Although you can specify the InheritanceFlags.ObjectInherit flag for inheritanceFlags, there is no point in doing so. For the purposes of access control, the name/value pairs in a subkey are not separate objects. The access rights to name/value pairs are controlled by the rights of the subkey. Furthermore, since all subkeys are containers (that is, they can contain other subkeys), they are not affected by the ObjectInherit flag. Finally, specifying the ObjectInherit flag needlessly complicates the maintenance of rules, because it interferes with the combination of otherwise compatible rules.
Applies to
RegistryAccessRule(String, RegistryRights, InheritanceFlags, PropagationFlags, AccessControlType)
- Source:
- RegistrySecurity.cs
Initializes a new instance of the RegistryAccessRule class, specifying the name of the user or group the rule applies to, the access rights, the inheritance flags, the propagation flags, and whether the specified access rights are allowed or denied.
public:
RegistryAccessRule(System::String ^ identity, System::Security::AccessControl::RegistryRights registryRights, System::Security::AccessControl::InheritanceFlags inheritanceFlags, System::Security::AccessControl::PropagationFlags propagationFlags, System::Security::AccessControl::AccessControlType type);public RegistryAccessRule (string identity, System.Security.AccessControl.RegistryRights registryRights, System.Security.AccessControl.InheritanceFlags inheritanceFlags, System.Security.AccessControl.PropagationFlags propagationFlags, System.Security.AccessControl.AccessControlType type);new System.Security.AccessControl.RegistryAccessRule : string * System.Security.AccessControl.RegistryRights * System.Security.AccessControl.InheritanceFlags * System.Security.AccessControl.PropagationFlags * System.Security.AccessControl.AccessControlType -> System.Security.AccessControl.RegistryAccessRulePublic Sub New (identity As String, registryRights As RegistryRights, inheritanceFlags As InheritanceFlags, propagationFlags As PropagationFlags, type As AccessControlType)Parameters
- identity
- String
The name of the user or group the rule applies to.
- registryRights
- RegistryRights
A bitwise combination of RegistryRights values indicating the rights allowed or denied.
- inheritanceFlags
- InheritanceFlags
A bitwise combination of InheritanceFlags flags specifying how access rights are inherited from other objects.
- propagationFlags
- PropagationFlags
A bitwise combination of PropagationFlags flags specifying how access rights are propagated to other objects.
- type
- AccessControlType
One of the AccessControlType values specifying whether the rights are allowed or denied.
Exceptions
registryRights specifies an invalid value.
-or-
type specifies an invalid value.
-or-
inheritanceFlags specifies an invalid value.
-or-
propagationFlags specifies an invalid value.
eventRights is zero.
identity is null.
-or-
identity is a zero-length string.
-or-
identity is longer than 512 characters.
Examples
The following code example demonstrates access rules with inheritance and propagation. The example creates a RegistrySecurity object, and then creates and adds two rules that have the ContainerInherit flag. The first rule has no propagation flags, while the second has NoPropagateInherit and InheritOnly.
The program displays the rules in the RegistrySecurity object, and then uses the RegistrySecurity object to create a subkey. The program creates a child subkey and a grandchild subkey, and then displays the rules for each subkey. Finally, the program deletes the test keys.
using System;
using System.Security.AccessControl;
using System.Security.Principal;
using System.Security;
using Microsoft.Win32;
public class Example
{
public static void Main()
{
const string TestKey = "TestKey3927";
RegistryKey cu = Registry.CurrentUser;
string user = Environment.UserDomainName +
"\\" + Environment.UserName;
// Create a security object that grants no access.
RegistrySecurity mSec = new RegistrySecurity();
// Add a rule that grants the current user the right
// to read and enumerate the name/value pairs in a key,
// to read its access and audit rules, to enumerate
// its subkeys, to create subkeys, and to delete the key.
// The rule is inherited by all contained subkeys.
//
RegistryAccessRule rule = new RegistryAccessRule(user,
RegistryRights.ReadKey | RegistryRights.WriteKey
| RegistryRights.Delete,
InheritanceFlags.ContainerInherit,
PropagationFlags.None,
AccessControlType.Allow
);
mSec.AddAccessRule(rule);
// Add a rule that allows the current user the right
// right to set the name/value pairs in a key.
// This rule is inherited by contained subkeys, but
// propagation flags limit it to immediate child
// subkeys.
rule = new RegistryAccessRule(user,
RegistryRights.ChangePermissions,
InheritanceFlags.ContainerInherit,
PropagationFlags.InheritOnly |
PropagationFlags.NoPropagateInherit,
AccessControlType.Allow);
mSec.AddAccessRule(rule);
// Display the rules in the security object.
ShowSecurity(mSec);
// Create the test key using the security object.
//
RegistryKey rk = cu.CreateSubKey(TestKey,
RegistryKeyPermissionCheck.ReadWriteSubTree, mSec);
// Create a child subkey and a grandchild subkey,
// without security.
RegistryKey rkChild = rk.CreateSubKey("ChildKey",
RegistryKeyPermissionCheck.ReadWriteSubTree);
RegistryKey rkGrandChild =
rkChild.CreateSubKey("GrandChildKey",
RegistryKeyPermissionCheck.ReadWriteSubTree);
Show(rk);
Show(rkChild);
Show(rkGrandChild);
rkGrandChild.Close();
rkChild.Close();
rk.Close();
cu.DeleteSubKeyTree(TestKey);
}
private static void Show(RegistryKey rk)
{
Console.WriteLine(rk.Name);
ShowSecurity(rk.GetAccessControl());
}
private static void ShowSecurity(RegistrySecurity security)
{
Console.WriteLine("\r\nCurrent access rules:\r\n");
foreach( RegistryAccessRule ar in security.GetAccessRules(true, true, typeof(NTAccount)) )
{
Console.WriteLine(" User: {0}", ar.IdentityReference);
Console.WriteLine(" Type: {0}", ar.AccessControlType);
Console.WriteLine(" Rights: {0}", ar.RegistryRights);
Console.WriteLine(" Inheritance: {0}", ar.InheritanceFlags);
Console.WriteLine(" Propagation: {0}", ar.PropagationFlags);
Console.WriteLine(" Inherited? {0}", ar.IsInherited);
Console.WriteLine();
}
}
}
/* This code example produces output similar to following:
Current access rules:
User: TestDomain\TestUser
Type: Allow
Rights: SetValue, CreateSubKey, Delete, ReadKey
Inheritance: ContainerInherit
Propagation: None
Inherited? False
User: TestDomain\TestUser
Type: Allow
Rights: ChangePermissions
Inheritance: ContainerInherit
Propagation: NoPropagateInherit, InheritOnly
Inherited? False
HKEY_CURRENT_USER\TestKey3927
Current access rules:
User: TestDomain\TestUser
Type: Allow
Rights: SetValue, CreateSubKey, Delete, ReadKey
Inheritance: ContainerInherit
Propagation: None
Inherited? False
User: TestDomain\TestUser
Type: Allow
Rights: ChangePermissions
Inheritance: ContainerInherit
Propagation: NoPropagateInherit, InheritOnly
Inherited? False
HKEY_CURRENT_USER\TestKey3927\ChildKey
Current access rules:
User: TestDomain\TestUser
Type: Allow
Rights: SetValue, CreateSubKey, Delete, ReadKey
Inheritance: ContainerInherit
Propagation: None
Inherited? True
User: TestDomain\TestUser
Type: Allow
Rights: ChangePermissions
Inheritance: None
Propagation: None
Inherited? True
HKEY_CURRENT_USER\TestKey3927\ChildKey\GrandChildKey
Current access rules:
User: TestDomain\TestUser
Type: Allow
Rights: SetValue, CreateSubKey, Delete, ReadKey
Inheritance: ContainerInherit
Propagation: None
Inherited? True
*/
Option Explicit
Imports System.Security.AccessControl
Imports System.Security.Principal
Imports System.Security
Imports Microsoft.Win32
Public Class Example
Public Shared Sub Main()
Const TestKey As String = "TestKey3927"
Dim cu As RegistryKey = Registry.CurrentUser
Dim user As String = Environment.UserDomainName _
& "\" & Environment.UserName
' Create a security object that grants no access.
Dim mSec As New RegistrySecurity()
' Add a rule that grants the current user the right
' to read and enumerate the name/value pairs in a key,
' to read its access and audit rules, to enumerate
' its subkeys, to create subkeys, and to delete the key.
' The rule is inherited by all contained subkeys.
'
Dim rule As New RegistryAccessRule(user, _
RegistryRights.ReadKey Or RegistryRights.WriteKey _
Or RegistryRights.Delete, _
InheritanceFlags.ContainerInherit, _
PropagationFlags.None, _
AccessControlType.Allow)
mSec.AddAccessRule(rule)
' Add a rule that allows the current user the right
' right to set the name/value pairs in a key.
' This rule is inherited by contained subkeys, but
' propagation flags limit it to immediate child
' subkeys.
rule = New RegistryAccessRule(user, _
RegistryRights.ChangePermissions, _
InheritanceFlags.ContainerInherit, _
PropagationFlags.InheritOnly Or PropagationFlags.NoPropagateInherit, _
AccessControlType.Allow)
mSec.AddAccessRule(rule)
' Display the rules in the security object.
ShowSecurity(mSec)
' Create the test key using the security object.
'
Dim rk As RegistryKey = cu.CreateSubKey(TestKey, _
RegistryKeyPermissionCheck.ReadWriteSubTree, _
mSec)
' Create a child subkey and a grandchild subkey,
' without security.
Dim rkChild As RegistryKey= rk.CreateSubKey("ChildKey", _
RegistryKeyPermissionCheck.ReadWriteSubTree)
Dim rkGrandChild As RegistryKey = _
rkChild.CreateSubKey("GrandChildKey", _
RegistryKeyPermissionCheck.ReadWriteSubTree)
Show(rk)
Show(rkChild)
Show(rkGrandChild)
rkGrandChild.Close()
rkChild.Close()
rk.Close()
cu.DeleteSubKeyTree(TestKey)
End Sub
Private Shared Sub Show(ByVal rk As RegistryKey)
Console.WriteLine(rk.Name)
ShowSecurity(rk.GetAccessControl())
End Sub
Private Shared Sub ShowSecurity(ByVal security As RegistrySecurity)
Console.WriteLine(vbCrLf & "Current access rules:" & vbCrLf)
For Each ar As RegistryAccessRule In _
security.GetAccessRules(True, True, GetType(NTAccount))
Console.WriteLine(" User: {0}", ar.IdentityReference)
Console.WriteLine(" Type: {0}", ar.AccessControlType)
Console.WriteLine(" Rights: {0}", ar.RegistryRights)
Console.WriteLine(" Inheritance: {0}", ar.InheritanceFlags)
Console.WriteLine(" Propagation: {0}", ar.PropagationFlags)
Console.WriteLine(" Inherited? {0}", ar.IsInherited)
Console.WriteLine()
Next
End Sub
End Class
'This code example produces output similar to following:
'
'Current access rules:
'
' User: TestDomain\TestUser
' Type: Allow
' Rights: SetValue, CreateSubKey, Delete, ReadKey
' Inheritance: ContainerInherit
' Propagation: None
' Inherited? False
'
' User: TestDomain\TestUser
' Type: Allow
' Rights: ChangePermissions
' Inheritance: ContainerInherit
' Propagation: NoPropagateInherit, InheritOnly
' Inherited? False
'
'HKEY_CURRENT_USER\TestKey3927
'
'Current access rules:
'
' User: TestDomain\TestUser
' Type: Allow
' Rights: SetValue, CreateSubKey, Delete, ReadKey
' Inheritance: ContainerInherit
' Propagation: None
' Inherited? False
'
' User: TestDomain\TestUser
' Type: Allow
' Rights: ChangePermissions
' Inheritance: ContainerInherit
' Propagation: NoPropagateInherit, InheritOnly
' Inherited? False
'
'HKEY_CURRENT_USER\TestKey3927\ChildKey
'
'Current access rules:
'
' User: TestDomain\TestUser
' Type: Allow
' Rights: SetValue, CreateSubKey, Delete, ReadKey
' Inheritance: ContainerInherit
' Propagation: None
' Inherited? True
'
' User: TestDomain\TestUser
' Type: Allow
' Rights: ChangePermissions
' Inheritance: None
' Propagation: None
' Inherited? True
'
'HKEY_CURRENT_USER\TestKey3927\ChildKey\GrandChildKey
'
'Current access rules:
'
' User: TestDomain\TestUser
' Type: Allow
' Rights: SetValue, CreateSubKey, Delete, ReadKey
' Inheritance: ContainerInherit
' Propagation: None
' Inherited? True
Remarks
All registry keys are containers, so the only inheritance flag that is meaningful for registry keys is the InheritanceFlags.ContainerInherit flag. If this flag is not specified, the propagation flags are ignored, and only the immediate key is affected. If the flag is present, the rule is propagated as shown in the following table. The table assumes there is a subkey S with child subkey CS and grandchild subkey GS. That is, the path for the grandchild subkey is S\CS\GS.
| Propagation flags | S | CS | GS |
|---|---|---|---|
| None | X | X | X |
| NoPropagateInherit | X | X | |
| InheritOnly | X | X | |
| NoPropagateInherit, InheritOnly | X |
The pattern for the grandchild subkey governs all subkeys contained by the grandchild subkey.
For example, if the ContainerInherit flag is specified for inheritanceFlags and the InheritOnly propagation flag is specified for propagationFlags, this rule does not apply to the immediate subkey, but does apply to all its immediate child subkeys and to all subkeys they contain.
Note
Although you can specify the InheritanceFlags.ObjectInherit flag for inheritanceFlags, there is no point in doing so. For the purposes of access control, the name/value pairs in a subkey are not separate objects. The access rights to name/value pairs are controlled by the rights of the subkey. Furthermore, since all subkeys are containers (that is, they can contain other subkeys), they are not affected by the ObjectInherit flag. Finally, specifying the ObjectInherit flag needlessly complicates the maintenance of rules, because it interferes with the combination of otherwise compatible rules.
This constructor is equivalent to creating an NTAccount object, by passing identity to the NTAccount.NTAccount(String) constructor, and passing the newly created NTAccount object to the RegistryAccessRule(IdentityReference, RegistryRights, InheritanceFlags, PropagationFlags, AccessControlType) constructor.
