Monday, 26 August 2013

ACE automatic inheritance

I want to add an ACE to a registry key, but it is not inherited by the
child keys. Here is the VBScript code:
' ADsSecurityUtility is late-bound from VBScript, so the ADSI and Win32
' enumeration values used below have to be declared explicitly.
Const ADS_PATH_REGISTRY          = 3         ' ADS_PATHTYPE_ENUM: registry key
Const ADS_SD_FORMAT_IID          = 1         ' ADS_SDFORMAT_ENUM: IADsSecurityDescriptor object
Const ADS_REVISION_DS            = 4         ' ACL revision (ACL_REVISION_DS)
Const ADS_ACETYPE_ACCESS_ALLOWED = 0
Const OBJECT_INHERIT_ACE         = &H1       ' ACE inheritance flags
Const CONTAINER_INHERIT_ACE      = &H2
Const KEY_ALL_ACCESS             = &HF003F   ' registry full control
Const SE_DACL_AUTO_INHERIT_REQ   = &H100     ' security descriptor control bits
Const SE_SACL_AUTO_INHERIT_REQ   = &H200
Const SE_DACL_AUTO_INHERITED     = &H400
Const SE_SACL_AUTO_INHERITED     = &H800
Const SE_DACL_PROTECTED          = &H1000

Set sdUtil = CreateObject("ADsSecurityUtility")
S = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\XXXX"
Set sd = sdUtil.GetSecurityDescriptor(S, ADS_PATH_REGISTRY, ADS_SD_FORMAT_IID)
Set oldDacl = sd.DiscretionaryAcl
' build a fresh DACL instead of editing the existing one in place
Set dacl = CreateObject("AccessControlList")
dacl.AclRevision = ADS_REVISION_DS
dacl.AceCount = 0
'copy the existing ACEs, marking each one inheritable;
'remove network service ace if it exists
For Each ace In oldDacl
    If UCase(ace.Trustee) <> "NT AUTHORITY\NETWORK SERVICE" And _
       UCase(ace.Trustee) <> "S-1-5-20" Then
        ace.AceFlags = ace.AceFlags Or OBJECT_INHERIT_ACE Or CONTAINER_INHERIT_ACE
        dacl.AddAce ace
    End If
Next
'add the new network service ace (full control, inheritable by subkeys)
Set ace = CreateObject("AccessControlEntry")
ace.Trustee = "NT AUTHORITY\NETWORK SERVICE"
ace.AccessMask = KEY_ALL_ACCESS
ace.AceFlags = OBJECT_INHERIT_ACE Or CONTAINER_INHERIT_ACE
ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED
dacl.AddAce ace
'request automatic inheritance and clear the "protected" bit so the DACL
'is not isolated from its parent
If (sd.Control And SE_DACL_AUTO_INHERITED) <> 0 Then
    sd.Control = sd.Control Or SE_DACL_AUTO_INHERIT_REQ
End If
If (sd.Control And SE_SACL_AUTO_INHERITED) <> 0 Then
    sd.Control = sd.Control Or SE_SACL_AUTO_INHERIT_REQ
End If
If (sd.Control And SE_DACL_PROTECTED) <> 0 Then
    sd.Control = sd.Control Xor SE_DACL_PROTECTED
End If
ReorderDacl dacl 'This subroutine reorders the DACL using W2K rules (defined elsewhere in the script, not shown here)
sd.DiscretionaryAcl = dacl
ret = sdUtil.SetSecurityDescriptor(S, ADS_PATH_REGISTRY, sd, ADS_SD_FORMAT_IID)
I also use another routine that scans all child keys and removes all
ACEs except those marked as ADS_ACEFLAG_INHERITED_ACE.
After the code executes I find that the children of
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\XXXX only inherit the SYSTEM,
Administrators, Everyone and Restricted accesses. Those are set on the parent
key, but the NETWORK SERVICE access is on
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\XXXX and is not propagated to the
children.
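The same operation done with the .NET registry security API, as an added example that is not part of the original post and not the author's script: it grants NETWORK SERVICE full control on the key with a container-inheritable ACE, clears DACL protection on the key, writes the descriptor back, and then reads the DACL of every direct subkey to report whether the NETWORK SERVICE entry arrived there and whether it is flagged as inherited. The key path HKLM\SOFTWARE\Microsoft\XXXX is kept as a placeholder; the output column names and the parameter name are this example's own. Run it from an elevated PowerShell prompt, since keys under HKLM\SOFTWARE\Microsoft are normally writable only by administrators.

```powershell
# Added example (not from the original post): add an inheritable NETWORK SERVICE ACE
# to a registry key and verify that the direct subkeys actually inherited it.
param(
    [string]$KeyPath = 'SOFTWARE\Microsoft\XXXX'   # relative to HKEY_LOCAL_MACHINE; placeholder
)

# Well-known SID S-1-5-20 (NT AUTHORITY\NETWORK SERVICE), built without any name lookup.
$networkService = New-Object -TypeName System.Security.Principal.SecurityIdentifier `
    -ArgumentList @([System.Security.Principal.WellKnownSidType]::NetworkServiceSid, $null)

# Open the key with only the rights needed to read and rewrite its DACL.
$hklm = [Microsoft.Win32.Registry]::LocalMachine
$key = $hklm.OpenSubKey($KeyPath,
    [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
    ([System.Security.AccessControl.RegistryRights]::ReadPermissions -bor
     [System.Security.AccessControl.RegistryRights]::ChangePermissions))
if (-not $key) { throw "Key HKLM\$KeyPath not found" }

$acl = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Access)

# Drop any explicit (non-inherited) NETWORK SERVICE entries so the new ACE is the only one.
$explicitRules = @($acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]))
foreach ($existing in $explicitRules) {
    if ($existing.IdentityReference -eq $networkService) {
        [void]$acl.RemoveAccessRule($existing)
    }
}

# Registry keys are containers, so ContainerInherit (CONTAINER_INHERIT_ACE) is the flag
# that makes subkeys inherit; ObjectInherit (OBJECT_INHERIT_ACE) does nothing useful here.
# PropagationFlags.None means the ACE applies to this key and to every descendant.
$rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
    $networkService,
    [System.Security.AccessControl.RegistryRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)

# Equivalent of clearing SE_DACL_PROTECTED: allow inheritance to flow through this key.
$acl.SetAccessRuleProtection($false, $false)

# Write the DACL back; the inheritable ACE is propagated to existing subkeys.
$key.SetAccessControl($acl)
$key.Close()

# Verification: for each direct subkey, show the NETWORK SERVICE entries and their
# IsInherited flag. A subkey that reports MISSING did not receive the ACE.
Get-ChildItem -Path "HKLM:\$KeyPath" | ForEach-Object {
    $childAcl = Get-Acl -Path $_.PSPath
    $hits = @($childAcl.Access | Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $networkService
    })
    [pscustomobject]@{
        Subkey    = $_.PSChildName
        Inherited = if ($hits.Count -gt 0) { ($hits | ForEach-Object { $_.IsInherited }) -join ',' } else { 'MISSING' }
        Rights    = if ($hits.Count -gt 0) { ($hits | ForEach-Object { $_.RegistryRights }) -join ',' } else { '' }
    }
}
```

The verification step is the part worth keeping in any script of this kind: an ACE that carries CONTAINER_INHERIT_ACE on the parent is only a promise, and the only way to know that it reached the subkeys is to read their DACLs back and look for an entry whose IsInherited flag is set. If a subkey shows MISSING, check whether that subkey's own DACL is protected (inheritance disabled), since a protected subkey will not pick up anything from its parent regardless of the flags on the parent's ACEs.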
