Why does it take so much time to change rights on a folder that inherits?


Let's say I have a folder named PIC.
In this folder I have 1 million picture files; some are in other folders inside.
All the files and folders are set to inherit from the parent, from PIC.

Why, when I change rights on PIC, like adding a specific user with read and list access,
does it take a lot of time? It is working on every file under that folder and setting rights. Why?

It's on a 2008 R2 Server. Is there a way to change this? Many project managers on the NAS say it takes a lot of time to change rights.

The reason is those rights need to be applied to every file inside of that folder.  There is no way to change this except for perhaps turning off inheritance.

This of course would defeat the purpose of assigning the permissions.

The best thing to do is create security groups that have access, then you can just add people to those security groups as needed.


Permissions and security descriptors
Every container and object on the network has a set of access control information attached to it. Known as a security descriptor, this information controls the type of access allowed to users and groups. The security descriptor is automatically created along with the container or object that is created. A typical example of an object with a security descriptor is a file.

Permissions are defined within an object's security descriptor. Permissions are associated with, or assigned to, specific users and groups. For example, for the file Temp.dat, the Administrator group might be assigned read, write, and delete permissions, while the Operator group might be assigned Read and Write permissions only.

Each assignment of permissions to a user or group is known as a permission entry, which is a type of access control entry (ACE). The entire set of permission entries in a security descriptor is known as a permission set or access control list (ACL). Thus, for a file named Temp.dat, the permission set includes two permission entries, one for the Administrator group and one for the Operator group.

For Active Directory objects, not only will the specified objects in the Apply onto field inherit the access control entries but ALL child objects will receive a copy of that ACE. The child objects not specified in the Apply onto field will not utilize the ACE whose copy they receive but if there are enough objects that will get copies of this ACE, then that increased amount of data can cause serious performance problems to your network.

In other words, as BCipollone states, all files need to change their permission attributes. It has to scan every file to see what is there and change it to reflect what you want.
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
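
The security-group approach recommended in the first answer, sketched in PowerShell as an added example that is not part of the original thread. The path `D:\PIC`, the domain `CONTOSO`, the group `PIC-Readers` and the user `jsmith` are assumed placeholders, and the ActiveDirectory module is assumed to be installed.

```powershell
# Added example. All names below are placeholders, not values from the thread.
Import-Module ActiveDirectory

$folder    = 'D:\PIC'        # assumed path of the PIC folder
$domain    = 'CONTOSO'       # assumed NetBIOS domain name
$groupName = 'PIC-Readers'   # assumed group name

# 1. Create the security group once, if it does not exist yet.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope DomainLocal -GroupCategory Security
}

# 2. Count the child objects the ACL change will be propagated to.
$children = (Get-ChildItem -Path $folder -Recurse -Force | Measure-Object).Count
Write-Host "The ACL change on $folder propagates to $children child objects."

# 3. Add one inheritable read/list ACE for the group on the parent folder.
#    This is the single slow operation: every inheriting file and subfolder
#    receives the new ACE.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$domain\$groupName",
    'ReadAndExecute',                  # read files and list folder contents
    'ContainerInherit,ObjectInherit',  # applies to subfolders and files
    'None',
    'Allow')
$acl = Get-Acl -Path $folder
$acl.AddAccessRule($rule)
$elapsed = Measure-Command { Set-Acl -Path $folder -AclObject $acl }
Write-Host ("One-time propagation took {0:N1} seconds." -f $elapsed.TotalSeconds)

# 4. From now on, granting or revoking access is a directory change only.
#    No file or folder ACL is rewritten, so it completes immediately.
Add-ADGroupMember    -Identity $groupName -Members 'jsmith'
# Remove-ADGroupMember -Identity $groupName -Members 'jsmith' -Confirm:$false
```

A user added to the group picks up the access at the next logon, when a new access token containing the group is issued.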