Export (0) Print
Expand All
This topic has not yet been rated - Rate this topic

SID Attributes in an Access Token

Each user and group SID in an access token can have one of two attributes that control how the system uses the SID in an access check. These attributes mark a SID either as one to be checked in all ACEs or as a SID to be checked only in ACEs that deny access. Table 12.4 lists the SID attributes.

Table   12.4 SID Attributes

Attribute

Description

SE_GROUP_ENABLED

A SID with this attribute is enabled for access checks. When the system performs an access check, it checks for ACEs that apply to the SID.

SE_GROUP_USE_FOR_DENY_ONLY

Windows   2000 only : A SID with this attribute is a deny-only SID. When the system performs an access check, it checks for ACEs that deny access to the SID. It ignores ACEs that allow access for the SID.

Both attributes are mutually exclusive. If one attribute is set, the other cannot be set. If neither attribute is set, the SID is ignored. Moreover, no process is ever allowed to remove a deny-only attribute from a SID.

Did you find this helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft. All rights reserved.