Directory Services

How Security Descriptors are Set on New Directory Objects

When you create a new object in the Active Directory, you can explicitly create a security descriptor and then set that security descriptor as the object's nTSecurityDescriptor property. For more information, see Creating a Security Descriptor for a New Directory Object.

Active Directory uses the following rules to set the DACL in the new object's security descriptor:

The system uses a similar algorithm to build a SACL for a directory service object.

The owner and primary group in the new object's security descriptor are set to the values you specify in the nTSecurityDescriptor property when you create the object. If you do not set these values, Active Directory uses the rules, listed in the following table, to set them.

Rule          | Description
Owner         | The owner in a default security descriptor is set to the default owner SID from the primary or impersonation token of the creating process. For most users, the default owner SID is the same as the SID that identifies the user's account. Be aware that for users who are members of the built-in administrators group, the system automatically sets the default owner SID in the access token to the administrators group; therefore, objects created by a member of the administrators group are typically owned by the administrators group. To get or set the default owner in an access token, call the GetTokenInformation or SetTokenInformation function with the TOKEN_OWNER structure.
Primary Group | The primary group in a default security descriptor is set to the default primary group from the creator's primary or impersonation token. Be aware that primary group is not used in the context of Active Directory.
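The owner rule above can be observed directly. The following PowerShell script is an added example (not from this article or the Windows SDK): it reads the local token's default owner, creates an object without supplying nTSecurityDescriptor, reads back the owner and primary group Active Directory assigned, and then audits a container for objects with an unexpected owner. The LDAP path, the test OU name and the allow-list of admin SIDs are placeholders to adjust to your environment.

```powershell
# Added example, not from the original article. Assumes a reachable domain and a
# container the caller may create objects in; the LDAP path below is a placeholder.
$Container  = "LDAP://OU=Staging,DC=example,DC=com"    # placeholder container
$TestOuName = "OU=sd-check-$(Get-Random)"               # constructed test name

# 1. Default owner as recorded in the local token (TOKEN_OWNER). For members of
#    the built-in Administrators group this is S-1-5-32-544, not the user's SID.
#    Note: the DC evaluates its own impersonation token for the LDAP client, so
#    this local value previews the rule; it is not the authoritative one.
$id         = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenOwner = $id.Owner
"User SID:            {0}" -f $id.User.Value
"Token default owner: {0}" -f $tokenOwner.Value

# 2. Create an object without supplying nTSecurityDescriptor and read back the
#    owner and primary group Active Directory chose under the default rules.
$parent = New-Object System.DirectoryServices.DirectoryEntry($Container)
$ou     = $parent.Children.Add($TestOuName, "organizationalUnit")
$ou.CommitChanges()
$ou.RefreshCache(@("nTSecurityDescriptor"))
$sidType = [System.Security.Principal.SecurityIdentifier]
$owner   = $ou.ObjectSecurity.GetOwner($sidType)
$group   = $ou.ObjectSecurity.GetGroup($sidType)
"New object owner:    {0}" -f $owner.Value
"New object group:    {0}" -f $group.Value
if ($owner -eq $tokenOwner) {
    "Owner equals the token's default owner, as the default rule describes."
}

# 3. Audit: report every child of the container whose owner is not on the
#    allow-list. Placeholder list: extend it with your domain's own admin groups
#    (e.g. Domain Admins). An unexpected individual owner deserves a second look,
#    because the owner of an object can always rewrite its DACL.
$allowed = @(
    New-Object System.Security.Principal.SecurityIdentifier(
        [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)
)
foreach ($child in $parent.Children) {
    $o = $child.ObjectSecurity.GetOwner($sidType)
    if ($allowed -notcontains $o) {
        "Unexpected owner on {0}: {1}" -f $child.Path, $o.Value
    }
}

# Clean up the test object.
$parent.Children.Remove($ou)
```

Run the script once from a normal user session and once from a member of the built-in Administrators group to see the owner switch from the user's SID to the administrators group.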

For more information about ACE inheritance, see Inheritance and Delegation of Administration.

For more information about the default security descriptors in the schema, see Default Security Descriptor.

For more information about classSchema objects, see Active Directory Schema.