Active Directory also provides the capability of specifying default security for each type of object. This is specified in the defaultSecurityDescriptor attribute in the classSchema object definition in the Active Directory schema. This security descriptor is used to provide default protection on the object if there is no security descriptor specified during the creation of the object.
Note ACEs from a default security descriptor are treated as if they were specified as part of object creation. Therefore, the default ACEs are placed in front of inherited ACEs and override them as appropriate. See Order of ACEs in a DACL.
The defaultSecurityDescriptor is specified in a special string format using the Security Descriptor Definition Language (SDDL). There are two functions provided to convert binary form of the security descriptor to string format and vice versa. These functions are:
For the default security descriptors of the predefined object classes, see the class reference pages in the Active Directory Schema Reference of the Active Directory Reference.
For sample code that reads or modifies the defaultSecurityDescriptor property of an object class, see Reading the defaultSecurityDescriptor for an Object Class and Modifying the defaultSecurityDescriptor for an Object Class.