DACLs for Newly Created Objects

The operating system uses the following rules to set the DACL in the security descriptors for most types of new securable objects:

  1. The object's DACL is the DACL from the security descriptor specified by the creating process. The operating system merges any inheritable ACEs into the DACL unless SE_DACL_PROTECTED is set in the security descriptor control flags. The operating system then sets the SE_DACL_PRESENT security descriptor control flag.

  2. If the creating process does not specify a security descriptor, the operating system builds the object's DACL from inheritable ACEs in the parent object's DACL. The operating system then sets the SE_DACL_PRESENT security descriptor control flag.

  3. If the parent object has no inheritable ACEs, the operating system checks the subject's access token for a default DACL. The operating system then sets the SE_DACL_PRESENT and SE_DACL_DEFAULTED security descriptor control flags.

  4. If the subject's access token does not have a default DACL, the new object is assigned no DACL, which allows unconditional access by everyone. The SE_DACL_PRESENT security descriptor control flag is not set.

DACLs for Newly Created Active Directory Objects

The method used to build a DACL for a new Active Directory object is slightly different from the method used to build DACLs for other object types. There are two key differences, which are as follows:

  • The rules for creating a DACL distinguish between generic inheritable ACEs and object-specific inheritable ACEs in the parent object's security descriptor. Generic inheritable ACEs can be inherited by all types of child objects. Object-specific inheritable ACEs can be inherited only by the type of child object to which they apply.

  • The Active Directory schema can provide a security descriptor. Each object class defined in the schema has a defaultSecurityDescriptor attribute. If neither the creating process nor inheritance from the parent object provides a DACL for a new Active Directory object, the operating system uses the DACL in the default security descriptor specified by the schema.

The operating system uses the following rules to set the DACL in the security descriptor for new Active Directory objects:

  1. The object's DACL is the DACL from the security descriptor specified by the creating process. The operating system merges any inheritable ACEs into the DACL unless SE_DACL_PROTECTED is set in the security descriptor control flags. The operating system then sets the SE_DACL_PRESENT security descriptor control flag.

  2. If the creating process does not specify a security descriptor, the operating system checks the parent object's DACL for inheritable object-specific ACEs that apply to the type of object being created. If the parent object has inheritable object-specific ACEs for the object type, the operating system builds the object's DACL from inheritable ACEs, including both generic and object-specific ACEs. It then sets the SE_DACL_PRESENT security descriptor control flag.

  3. If the parent object has no inheritable object-specific ACEs for the type of object being created, the operating system uses the default DACL from the Active Directory schema for that object type. It then sets the SE_DACL_PRESENT and SE_DACL_DEFAULTED security descriptor control flags.

  4. If the Active Directory schema does not specify a default DACL for the object type, the operating system checks the subject's access token for a default DACL. It then sets the SE_DACL_PRESENT and SE_DACL_DEFAULTED security descriptor control flags.

  5. If the subject's access token does not have a default DACL, the new object is assigned no DACL, which gives unconditional access to everyone. The SE_DACL_PRESENT security descriptor control flag is not set.
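The two rule lists above, modelled as an added Python example (not Microsoft's code and not the kernel's actual implementation) that serves both the generic and the Active Directory case; the ACE dictionary shape, the function names and the `object_type` / `active_directory` parameters are assumptions made for the model, while the control-flag bit values are the real SECURITY_DESCRIPTOR_CONTROL constants. The last function is the audit check a defender wants: an object that reaches the final rule has no DACL at all.

```python
# Real SECURITY_DESCRIPTOR_CONTROL bit values from the Windows SDK.
SE_DACL_PRESENT, SE_DACL_DEFAULTED, SE_DACL_PROTECTED = 0x0004, 0x0008, 0x1000

# Constructed ACE shape for this model (not the Win32 ACE structures):
#   {"sid": str, "mask": int, "inherit": bool, "inherited_object_type": str | None}
# inherited_object_type is None for a generic inheritable ACE and an object class
# name (for example "user") for an object-specific inheritable ACE.

def inheritable(parent_dacl, object_type=None):
    """Parent ACEs the child may inherit: generic ones always, object-specific ones
    only when they apply to the class of object being created."""
    return [ace for ace in parent_dacl
            if ace.get("inherit")
            and ace.get("inherited_object_type") in (None, object_type)]

def build_dacl(creator_sd=None, parent_dacl=(), token_default_dacl=None,
               object_type=None, schema_default_dacl=None, active_directory=False):
    """Apply the rules above and return (dacl, control).
    dacl is None when the object is assigned no DACL at all."""
    if creator_sd is not None:                                   # rule 1
        dacl = list(creator_sd["dacl"])
        if not creator_sd.get("control", 0) & SE_DACL_PROTECTED:
            dacl += inheritable(parent_dacl, object_type)
        return dacl, SE_DACL_PRESENT
    inherited = inheritable(parent_dacl, object_type)
    if active_directory:
        # AD rule 2: inheritance is used only when the parent carries object-specific
        # ACEs for this class; the generic inheritable ACEs come along with them.
        specific = [a for a in inherited if a.get("inherited_object_type")]
        if any(a["inherited_object_type"] == object_type for a in specific):
            return inherited, SE_DACL_PRESENT
        if schema_default_dacl is not None:                      # AD rule 3
            return list(schema_default_dacl), SE_DACL_PRESENT | SE_DACL_DEFAULTED
    elif inherited:                                              # rule 2
        return inherited, SE_DACL_PRESENT
    if token_default_dacl is not None:                           # rule 3 / AD rule 4
        return list(token_default_dacl), SE_DACL_PRESENT | SE_DACL_DEFAULTED
    return None, 0                                               # rule 4 / AD rule 5

def grants_everyone(dacl, control):
    """Audit check: SE_DACL_PRESENT clear and no DACL means unconditional access."""
    return dacl is None and not (control & SE_DACL_PRESENT)
```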