SID Attributes in an Access Token

Each user and group SID in an access token can have one of two attributes that control how the system uses the SID in an access check. These attributes mark a SID either as one to be checked in all ACEs or as a SID to be checked only in ACEs that deny access. Table 12.4 lists the SID attributes.

Table 12.4 SID Attributes

Attribute: SE_GROUP_ENABLED
Description: A SID with this attribute is enabled for access checks. When the system performs an access check, it checks for ACEs that apply to the SID.

Attribute: SE_GROUP_USE_FOR_DENY_ONLY
Description: Windows 2000 only: A SID with this attribute is a deny-only SID. When the system performs an access check, it checks for ACEs that deny access to the SID. It ignores ACEs that allow access for the SID.

The two attributes are mutually exclusive: if one is set, the other cannot be. If neither attribute is set, the SID is ignored during the access check. Moreover, no process is ever allowed to remove a deny-only attribute from a SID.
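The following is an added example, not code from the book: a small Python model of how the two SID attributes steer a DACL walk. The access-check algorithm, the ACE shape, the SID strings and the access-mask bits are all constructed and simplified for the demonstration (they are not Win32 structures or constants); the point it shows is that a deny-only SID matches deny ACEs but never allow ACEs, a SID with neither attribute matches nothing, and the two attributes cannot be combined.

```python
from dataclasses import dataclass
from enum import Flag, auto
from typing import List, Optional

# Access mask bits: constructed values for the demonstration, not Win32 constants.
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4


class SidAttr(Flag):
    """The two attributes from Table 12.4; NONE means neither is set."""
    NONE = 0
    SE_GROUP_ENABLED = auto()
    SE_GROUP_USE_FOR_DENY_ONLY = auto()


@dataclass(frozen=True)
class TokenSid:
    sid: str        # string form of the SID is enough for this model
    attr: SidAttr

    def __post_init__(self):
        both = SidAttr.SE_GROUP_ENABLED | SidAttr.SE_GROUP_USE_FOR_DENY_ONLY
        if self.attr == both:
            raise ValueError("SE_GROUP_ENABLED and SE_GROUP_USE_FOR_DENY_ONLY are mutually exclusive")

    def usable_for(self, ace_kind: str) -> bool:
        """Whether this SID participates when an ACE of the given kind is evaluated."""
        if self.attr == SidAttr.SE_GROUP_ENABLED:
            return True                      # checked in all ACEs
        if self.attr == SidAttr.SE_GROUP_USE_FOR_DENY_ONLY:
            return ace_kind == "deny"        # checked only in deny ACEs
        return False                         # neither attribute set: SID is ignored


@dataclass(frozen=True)
class Ace:
    kind: str   # "allow" or "deny"
    sid: str
    mask: int


def access_check(token: List[TokenSid], dacl: Optional[List[Ace]], desired: int) -> bool:
    """Simplified model of the DACL walk (assumed, not the kernel's code): ACEs are
    evaluated in order; a deny ACE that covers any still-ungranted requested right
    fails the check; allow ACEs accumulate rights; the check succeeds as soon as
    every requested right has been granted. A missing (NULL) DACL grants
    everything; an empty DACL grants nothing."""
    if dacl is None:
        return True
    remaining = desired
    for ace in dacl:
        # Only token SIDs whose attribute permits use for this ACE kind count.
        if not any(ts.sid == ace.sid and ts.usable_for(ace.kind) for ts in token):
            continue
        if ace.kind == "deny":
            if ace.mask & remaining:
                return False
        elif ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
        else:
            raise ValueError(f"unknown ACE kind {ace.kind!r}")
    return remaining == 0


def demo() -> dict:
    """Constructed token: an enabled user SID plus an administrators-style group SID
    that carries SE_GROUP_USE_FOR_DENY_ONLY, as a restricted token would."""
    USER, ADMINS = "S-1-5-21-1000", "S-1-5-32-544"   # constructed sample SIDs
    token = [TokenSid(USER, SidAttr.SE_GROUP_ENABLED),
             TokenSid(ADMINS, SidAttr.SE_GROUP_USE_FOR_DENY_ONLY)]
    dacl = [Ace("deny", ADMINS, WRITE),                 # honoured: deny-only SID matches deny ACEs
            Ace("allow", ADMINS, READ | WRITE | EXECUTE),  # ignored: deny-only SID never matches allow ACEs
            Ace("allow", USER, READ)]
    return {
        "read": access_check(token, dacl, READ),        # granted through the user SID
        "write": access_check(token, dacl, WRITE),      # refused by the deny ACE on the group
        "execute": access_check(token, dacl, EXECUTE),  # nothing usable grants it
    }


if __name__ == "__main__":
    print(demo())
```

With the group SID marked SE_GROUP_ENABLED instead, the same DACL would grant EXECUTE through the group's allow ACE; with neither attribute set, the group's deny ACE would be skipped as well, which is exactly why a deny-only marking is the safer way to drop a group from a token than clearing its attributes.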