Entities and Inheritance
Owner inheritance is the foundation of how ScrewDrivers determines which printers, settings, and permissions each user receives. Every time a user logs in, the system analyzes the user, the session agent, and the client computer to build a hierarchical ownership tree, then resolves assignments through that hierarchy. Understanding this resolution process is essential before you start making assignments—it affects every printer and setting you configure.
Overview
ScrewDrivers builds on your existing Active Directory structure and network topology to create an ownership hierarchy. When you assign objects (printers, settings, permissions) to owners higher in the hierarchy, those assignments automatically inherit down to more specific owners. This inheritance system lets you configure once at a high level while maintaining the flexibility to override settings for specific users, groups, or locations.
The resolution process handles conflicts when the same object is assigned to multiple owners with different settings. It follows predictable rules based on specificity (closer assignments win) and restriction (at the same rank, deny beats allow), ensuring consistent and secure results across your environment.
Assignment Resolution Process
Every time ScrewDrivers detects a new login session, it analyzes three primary pieces of information to build the ownership hierarchy:
- The user logging into the system
- The session agent the user is connecting to
- The client computer the user is logging in from
Each of these becomes a foundation owner, and the system then locates additional related owners through Active Directory memberships and Network owners (groups, computers, IP addresses, or IP ranges). You can assign objects to these primary owners—called parent owners—and those assignments inherit to their children through the hierarchy.
Although OUs, Trusted Domains, and Containers aren't primary owners in a ScrewDrivers session, you can still assign objects to them. Their child owners will inherit those assignments according to the resolution rules.
Single vs. Multiple Assignments
Objects and settings fall into two categories based on whether they require a single final result or allow multiple assignments.
Single result settings (only one assignment possible):
- Session printer settings configurations
- Default printer assignment
Multiple result settings (multiple assignments allowed):
- Printer assignments (except default printer)
- Permission grants
When the same object is assigned to multiple owners with different configurations, the system must resolve which assignment takes effect. This resolution follows a two-step process:
Step 1: Compare Assignment Rank
The system first compares how close each assignment is to the owner—this closeness is called rank. Assignments closer to the specific owner take priority over more distant assignments. If ranks differ, the closest assignment wins regardless of whether it's an allow or deny.
Step 2: Apply Deny Priority
If multiple assignments have identical rank, the system compares their inheritance status (Deny or Allow). A Deny assignment always takes precedence over an Allow assignment at the same rank level.
Example: Deny Precedence
Consider a user named Jane Doe who's a member of both the Development Group and the Testing Group. Printer A is assigned to both groups—allowed for Development, denied for Testing. Since both group memberships have the same rank (Jane is directly a member of each), the system moves to step 2 and applies the Deny. Jane Doe is denied access to Printer A.

Figure 1: Initial assignment - A KONICA printer is assigned to an IP address range for client computers at the Owings Mills site. Any user logging in from that IP range inherits the printer.

Figure 2: Assignment denied - The same KONICA printer is now denied for the IP address range.

Figure 3: Group assignment - Users in the SD Users group are assigned the KONICA printer with an Allow status.
Result: Members of the SD Users group receive the KONICA printer unless they log in from a client with an IP address in the denied range. When they connect from within that range, the Deny takes precedence and they don't receive the printer.
Hierarchy-Based Resolution
For owners found in tree structures like Active Directory, the system evaluates assignments from general to specific. Owners at lower levels in the hierarchy override owners at higher levels because they're more specific.
Example: If a domain is assigned printer session settings PSP1, but an OU within that domain is assigned PSP2, users in the OU receive PSP2. The OU assignment is more specific than the domain assignment, so it takes precedence.
When hierarchy isn't clear—such as when comparing assignments across different owner types—the system resolves using this priority order:
- User assignments vs. server assignments vs. client assignments
- Group assignments at the same level
For Windows AD security groups, ScrewDrivers treats group assignments as more general than direct user assignments but more specific than OU assignments. This applies even when the group exists in a different OU than the user. If both the group and user are in different OUs, the system evaluates parent relationships in the ownership tree to determine specificity.
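The sketch below models the two-step resolution and the domain/OU example described above. It is an added illustration, not ScrewDrivers code. The numeric ranks (user 0, group 1, OU 2, domain 3), the `Assignment` type, both function names, and the "Printer B" and "Engineering OU" sample entries are assumptions made for the example.

```python
from collections import defaultdict
from typing import NamedTuple

class Assignment(NamedTuple):
    obj: str     # object being assigned (printer, settings profile)
    owner: str   # owner the assignment is attached to
    rank: int    # assumed numeric distance from the session owner; 0 = closest
    value: str   # "Allow"/"Deny" for printers, profile name for single-result settings

def resolve_access(assignments):
    """Two-step resolution per object: closest rank first, then Deny over Allow."""
    by_obj = defaultdict(list)
    for a in assignments:
        by_obj[a.obj].append(a)
    out = {}
    for obj, items in by_obj.items():
        best = min(a.rank for a in items)                      # Step 1
        closest = [a for a in items if a.rank == best]
        denied = any(a.value == "Deny" for a in closest)       # Step 2
        # Denies set further up that a closer Allow overrides; review these.
        overridden = [] if denied else sorted(
            a.owner for a in items if a.value == "Deny" and a.rank > best)
        out[obj] = {"allowed": not denied, "overridden_denies": overridden}
    return out

def resolve_single(assignments):
    """Single-result setting: the closest assignment wins; None if rank alone ties."""
    best = min(a.rank for a in assignments)
    values = {a.value for a in assignments if a.rank == best}
    return values.pop() if len(values) == 1 else None

# Constructed sample data. Ranks follow the page's ordering
# (user < group < OU < domain); the numbers themselves are assumptions.
SAMPLE = [
    Assignment("Printer A", "Development Group", 1, "Allow"),
    Assignment("Printer A", "Testing Group", 1, "Deny"),
    Assignment("Printer B", "Jane Doe", 0, "Allow"),
    Assignment("Printer B", "Engineering OU", 2, "Deny"),
]
SETTINGS = [
    Assignment("Session settings", "Domain", 3, "PSP1"),
    Assignment("Session settings", "OU", 2, "PSP2"),
]

if __name__ == "__main__":
    for obj, res in resolve_access(SAMPLE).items():
        print(obj, res)
    print("Session settings ->", resolve_single(SETTINGS))
```

The `overridden_denies` list is the part to watch when auditing: it names every Deny placed higher in the hierarchy that a closer Allow has cancelled for that session.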
Advanced Resolution Options
For objects that don't have an inherent resolution order, the system performs additional tests to determine if resolution is possible and which assignment should take effect. These advanced options let you fine-tune how assignments cascade through complex organizational structures.
The resolution engine ensures predictable, consistent results even in environments with overlapping group memberships, nested OUs, and multiple assignment paths from different parts of your infrastructure.
Resolution Best Practices
Understanding resolution helps you design efficient assignment strategies:
- Assign at the highest appropriate level - Configure once at the OU or domain level for broad coverage
- Use specific assignments for exceptions - Override at lower levels only when necessary
- Be deliberate with denies - Deny wins only at the same rank level; a closer Allow still overrides a more distant Deny
- Test with Logon Impersonation - Use the Logon Impersonation tool to verify assignment results before deploying
Related Resources
- Previous: Console Panes Reference - Objects and Assignments panes
- Next: Managing Objects - Creating and organizing objects
- Reference: Managing Owners - Working with the ownership hierarchy
- Reference: Managing Assignments - Assignment procedures
- Tool: Icon Bar Reference - Logon Impersonation tool for testing assignments