
6 Appendix B: Product Behavior

The information in this specification is applicable to the following Microsoft products or supplemental software. References to product versions include released service packs:

  • Windows NT operating system

  • Windows 2000 operating system

  • Windows XP operating system

  • Windows Server 2003 operating system

  • Windows Vista operating system

  • Windows Server 2008 operating system

  • Windows 7 operating system

  • Windows Server 2008 R2 operating system

  • Windows 8 operating system

  • Windows Server 2012 operating system

  • Windows 8.1 operating system

  • Windows Server 2012 R2 operating system

Exceptions, if any, are noted below. If a service pack or Quick Fix Engineering (QFE) number appears with the product version, behavior changed in that service pack or QFE. The new behavior also applies to subsequent service packs of the product unless otherwise specified. If a product edition appears with the product version, behavior is different in that product edition.

Unless otherwise specified, any statement of optional behavior in this specification that is prescribed using the terms SHOULD or SHOULD NOT implies product behavior in accordance with the SHOULD or SHOULD NOT prescription. Unless otherwise specified, the term MAY implies that the product does not follow the prescription.

<1> Section 2.1: Windows is implemented on little-endian systems.

<2> Section 2.3.8: Windows implementations access the Value field with non-standard string functions to add or extract strings from the buffer. If standard C conventions were followed, the Value datatype would nominally be wchar_t**.

<3> Section 2.4.1: Only Windows Server 2012 and Windows Server 2012 R2 Kerberos KDCs support this value.

<4> Section 2.4.1: Only Windows Server 2012 and Windows Server 2012 R2 Kerberos KDCs support this value for protocol transition (S4U2Self)-based service tickets.

<5> Section 2.4.2.4: Supported in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<6> Section 2.4.2.4: Not supported by Windows 2000.

<7> Section 2.4.2.4: Not supported by Windows 2000.

<8> Section 2.4.2.4: Not supported by Windows 2000.

<9> Section 2.4.2.4: Supported in Windows Server 2003 and Windows Server 2008. The DC adds this SID:

  • When the user is a member of the forest.

  • When the user is not a member of the forest and the TRUST_ATTRIBUTE_CROSS_ORGANIZATION bit of the Trust Attribute ([MS-ADTS] section 6.1.6.7.9) of the trusted domain object is not set.

<10> Section 2.4.2.4: The COMPOUNDED_AUTHENTICATION SID is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

<11> Section 2.4.2.4: The CLAIMS_VALID SID is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

<12> Section 2.4.2.4: Supported by Windows 8.1 and Windows Server 2012 R2.

<13> Section 2.4.2.4: A built-in group that is created when a domain controller is added to the domain. Supported by Windows 2000, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012.

<14> Section 2.4.2.4: A built-in group that is created when a domain controller is added to the domain. Supported by Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012.

<15> Section 2.4.2.4: A built-in group that is created when a domain controller is added to the domain. Supported by Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012.

<16> Section 2.4.2.4: A built-in group that is created when a domain controller is added to the domain. Supported by Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012.

<17> Section 2.4.2.4: A built-in group that is created when a domain controller is added to the domain. Supported by Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012.

<18> Section 2.4.2.4: A built-in group that is created when a domain controller is added to the domain. Supported by Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012.

<19> Section 2.4.2.4: A built-in group that is created when a domain controller is added to the domain. Supported by Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012.

<20> Section 2.4.2.4: A new local group is created for Windows Server 2003 with SP1, Windows Server 2003 SP2, Windows Server 2003 with SP3, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012.

<21> Section 2.4.2.4: A built-in group that is created when a domain controller is added to the domain. Supported by Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012.

<22> Section 2.4.2.4: A built-in group that is created when a domain controller is added to the domain. Supported by Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012.

<23> Section 2.4.2.4: A built-in group that is created when a domain controller is added to the domain. Supported by Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012.

<24> Section 2.4.2.4: A built-in group that is created when a domain controller is added to the domain. Supported by Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012.

<25> Section 2.4.2.4: The THIS_ORGANIZATION_CERTIFICATE SID is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<26> Section 2.4.2.4: Supported only in Windows 8.1 and Windows Server 2012 R2.

<27> Section 2.4.2.4: Supported only in Windows 8.1 and Windows Server 2012 R2.

<28> Section 2.4.2.4: Supported in Windows Server 2003 and Windows Server 2008. When the TRUST_ATTRIBUTE_CROSS_ORGANIZATION bit of the Trust Attribute ([MS-ADTS] section 6.1.6.7.9) of the trusted domain object is set:

  • If the forest boundary is crossed, Windows domain controllers add this SID.

  • If Windows domain controllers receive requests to authenticate to resources in their domain, they check the computer object to ensure that this SID is allowed. In Windows, by default this applies to NTLM (as specified in [MS-NLMP] and [MS-APDS]), to Kerberos (as specified in [MS-KILE] and [MS-APDS]), and to TLS (as specified in [MS-TLSP] and [MS-SFU]).

<29> Section 2.4.2.4: AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. In Windows Server 2012 and Windows Server 2012 R2, only Kerberos KDCs provide this SID.

<30> Section 2.4.2.4: SERVICE_ASSERTED_IDENTITY is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. In Windows Server 2012 and Windows Server 2012 R2, only Kerberos KDCs provide this SID for protocol transition (S4U2Self) based service tickets.

<31> Section 2.4.4.1: Windows NT 4.0: Not supported.

<32> Section 2.4.4.1: Windows NT 4.0: Not supported.

<33> Section 2.4.4.1: Windows NT 4.0: Not supported.

<34> Section 2.4.4.1: Windows NT 4.0 and Windows 2000: Not supported.

<35> Section 2.4.4.1: Windows NT 4.0 and Windows 2000: Not supported.

<36> Section 2.4.4.1: Windows NT 4.0 and Windows 2000: Not supported.

<37> Section 2.4.4.1: Windows NT 4.0 and Windows 2000: Not supported.

<38> Section 2.4.4.1: Windows NT 4.0 and Windows 2000: Not supported.

<39> Section 2.4.4.1: Callback in this context relates to the local-only AuthzAccessCheck function, as described in [MSDN-AuthzAccessCheck].

<40> Section 2.4.4.1: Windows NT 4.0: Not supported.

<41> Section 2.4.4.13: This construct is supported only by Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<42> Section 2.4.4.17: Conditional ACEs are only supported in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<43> Section 2.4.4.17.6: Supported in Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2 only.

<44> Section 2.4.4.17.6: Supported in Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2 only.

<45> Section 2.4.4.17.6: Supported in Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2 only.

<46> Section 2.4.4.17.6: Supported in Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2 only.

<47> Section 2.4.4.17.6: Supported in Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2 only.

<48> Section 2.4.4.17.6: Supported in Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2 only.

<49> Section 2.4.4.17.6: Supported in Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2 only.

<50> Section 2.4.4.17.6: Only Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2 support @Prefixed form.

<51> Section 2.4.4.17.6: Windows implementations do not set this flag by default.

<52> Section 2.4.4.17.6: For Windows 7 and Windows Server 2008 R2, the LHS MUST be an attribute name in simple form and the RHS MUST be a single literal value. Evaluates to TRUE if the set of values for the specified LHS includes a value identical to the specified literal; otherwise, FALSE.

<53> Section 2.4.4.17.6: For Windows 7 and Windows Server 2008 R2, the RHS MUST be either a list of literals or a single literal value. Evaluates to TRUE if the LHS is a superset of the value of the specified RHS; otherwise, FALSE.
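The two Windows 7 and Windows Server 2008 R2 evaluation rules in notes <52> and <53>, modelled in Python as an added example (this is not code from MS-DTYP or from Windows). The token is a constructed dictionary of attribute name to value list, the function names are assumptions, and "identical" is taken to mean same type and same value, so the integer 2 does not match the string "2".

```python
"""
Added example (not from MS-DTYP): a model of the two Windows 7 /
Windows Server 2008 R2 evaluation rules in product-behavior notes <52>
and <53>. The token layout, helper names and sample values are
assumptions made for the illustration.
"""
from typing import Any, Iterable, Mapping


def _is_literal(value: Any) -> bool:
    # The literal types modelled here; bool is excluded because it is an int subclass.
    return isinstance(value, (int, str, bytes)) and not isinstance(value, bool)


def _identical(a: Any, b: Any) -> bool:
    # "Identical" is modelled as same type and same value, so 2 != "2".
    return type(a) is type(b) and a == b


def attribute_values(token: Mapping[str, Iterable[Any]], lhs: str) -> list:
    # Note <52>: the LHS must be an attribute name in simple form. This model
    # accepts only identifier-like names (letters, digits, underscore) and
    # treats a missing attribute as an empty value set.
    if not isinstance(lhs, str) or not lhs or not lhs.replace("_", "a").isalnum():
        raise ValueError(f"LHS must be an attribute name in simple form: {lhs!r}")
    return list(token.get(lhs, []))


def includes_literal(token: Mapping[str, Iterable[Any]], lhs: str, rhs: Any) -> bool:
    """Rule <52>: TRUE if the value set of LHS includes a value identical to
    the single RHS literal; otherwise FALSE."""
    if not _is_literal(rhs):
        raise ValueError("RHS must be a single literal value on Windows 7 / 2008 R2")
    return any(_identical(v, rhs) for v in attribute_values(token, lhs))


def is_superset_of(token: Mapping[str, Iterable[Any]], lhs: str, rhs: Any) -> bool:
    """Rule <53>: TRUE if the value set of LHS is a superset of the RHS,
    which must be a single literal or a list of literals; otherwise FALSE."""
    if _is_literal(rhs):
        rhs_list = [rhs]
    elif isinstance(rhs, (list, tuple)):
        rhs_list = list(rhs)
    else:
        raise ValueError("RHS must be a single literal or a list of literals")
    # The note does not define an empty list; this model rejects it (assumption).
    if not rhs_list or not all(_is_literal(x) for x in rhs_list):
        raise ValueError("RHS must be a non-empty list of literals")
    values = attribute_values(token, lhs)
    return all(any(_identical(v, r) for v in values) for r in rhs_list)


def rejects(fn, *args) -> bool:
    # Helper for checking that malformed operands are refused.
    try:
        fn(*args)
    except ValueError:
        return True
    return False


# Constructed sample token attributes (not real Windows claims).
SAMPLE_TOKEN = {
    "Project": ["Apollo", "Gemini"],
    "Clearance": [2, 3],
}

if __name__ == "__main__":
    print(includes_literal(SAMPLE_TOKEN, "Project", "Apollo"))        # True
    print(includes_literal(SAMPLE_TOKEN, "Clearance", "2"))           # False: str vs int
    print(is_superset_of(SAMPLE_TOKEN, "Project", ["Apollo", "Gemini"]))  # True
    print(is_superset_of(SAMPLE_TOKEN, "Project", ["Apollo", "Mercury"])) # False
```

The type check in `_identical` is the point of the model: a claim carrying the integer 2 must not satisfy a condition written against the string "2", and a missing attribute yields an empty set, so both rules evaluate to FALSE rather than raising.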

<54> Section 2.4.4.17.6: Supported in Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2 only.

<55> Section 2.4.4.17.6: Supported in Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2 only.

<56> Section 2.4.4.17.7: Supported in Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2 only.

<57> Section 2.4.5: This is applicable for Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<58> Section 2.4.6: Windows typically presents the target fields in this order: Sacl, Dacl, OwnerSid, GroupSid.

<59> Section 2.4.6: Windows sets Sbz1 to zero for Windows resources.

<60> Section 2.4.6: This field is intended only for use by the POSIX subsystem and is otherwise ignored by the Windows access control components.

<61> Section 2.4.10.1: These values are only supported in Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2. They are ignored by the access check algorithm (section 2.5.3.2).

<62> Section 2.4.10.1: These values are only supported in Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<63> Section 2.4.10.2: Supported only in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<64> Section 2.5.1: SDDL was introduced in Windows 2000.

<65> Section 2.5.1.1: GUIDs are only supported on Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<66> Section 2.5.1.1: Not all conditional ACE types are supported in the SDDL. Only the conditional ACE types ACCESS_ALLOWED_CALLBACK_ACE and ACCESS_DENIED_CALLBACK_ACE are supported in Windows 7 and Windows Server 2008 R2. The ACCESS_ALLOWED_CALLBACK_ACE, ACCESS_DENIED_CALLBACK_ACE, ACCESS_ALLOWED_CALLBACK_OBJECT_ACE, and SYSTEM_AUDIT_CALLBACK_ACE types are supported only in Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<67> Section 2.5.1.1: Supported in Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2 only.

<68> Section 2.5.1.1: Supported in Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2 only.

<69> Section 2.5.1.1: Supported in Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2 only.

<70> Section 2.5.1.1: Supported in Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2 only.

<71> Section 2.5.1.1: Only "Member_of" is supported in Windows 7 and Windows Server 2008 R2. "Member_of", "Not_Member_of", "Member_of_Any", "Not_Member_of_Any", "Device_Member_of", "Device_Member_of_Any", "Not_Device_Member_of", and "Not_Device_Member_of_Any" are supported in Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<72> Section 2.5.1.1: Supported in Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2 only.

<73> Section 2.5.1.1: Not_Contains is supported in Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2 only.

<74> Section 2.5.1.1: Not_Any is supported in Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2 only.

<75> Section 2.5.1.1: Use of the @ symbol in the simple form is supported only in Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<76> Section 2.5.1.1: Supported in Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2 only.

<77> Section 2.5.2: For Windows 2000, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2, the policy is that OwnerIndex is always the same as UserIndex, except for members of the local Administrators group, in which case the OwnerIndex is set to the index for the SID representing the Administrators group. For Windows XP and Windows Server 2003, there is a policy that allows the OwnerIndex to be the UserIndex under all conditions.

<78> Section 2.5.3.1.4: An implementation-specific local recovery policy is a central access policy that allows the implementation itself, and the authorities that manage it, access to the resource being protected in disaster recovery scenarios. The Windows local recovery policy ensures administrators and the system have access to resources while Windows is booted in safe mode.

<79> Section 2.5.3.3: The Windows integrity mechanism extension is supported in Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<80> Section 2.5.3.4: Assigning the owner and group fields in the security descriptor follows this logic:

  1. If the security descriptor that is supplied for the object by the caller includes an owner, it is assigned as the owner of the new object. Otherwise, if the DEFAULT_OWNER_FROM_PARENT flag (see section 2.5.3.4.1) is set, the new object is assigned the same owner as the parent object. If this flag is not set, the default owner specified by the token (see section 2.5.3.4.1) is assigned.

  2. If the security descriptor that is supplied for the object by the caller includes a group, it is assigned as the group of the new object. Otherwise, if the DEFAULT_GROUP_FROM_PARENT flag (see section 2.5.3.4.1) is set, the new object is assigned the same primary group as the parent object. If this flag is not set, the default group specified by the token (see section 2.5.3.4.1) is assigned.
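The two steps of note <80> as an added worked model in Python (not code from MS-DTYP or from Windows). The `SecurityDescriptor` and `Token` classes, the bit values given to the DEFAULT_OWNER_FROM_PARENT and DEFAULT_GROUP_FROM_PARENT flags, and the SIDs are assumptions constructed for the illustration; the note does not say what happens when the flag is set but there is no parent, and this model falls back to the token default in that case.

```python
"""
Added example (not from MS-DTYP): a model of the owner and group
assignment steps in product-behavior note <80>. Classes, flag bit
values and SIDs are assumptions made for the illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Flag names come from the note; the bit values are constructed for this model.
DEFAULT_OWNER_FROM_PARENT = 0x1
DEFAULT_GROUP_FROM_PARENT = 0x2


@dataclass(frozen=True)
class SecurityDescriptor:
    owner: Optional[str]  # SID string, or None when the field is absent
    group: Optional[str]


@dataclass(frozen=True)
class Token:
    default_owner: str  # default owner SID carried by the token
    default_group: str  # default primary group SID carried by the token


def _pick(supplied: Optional[str], from_parent: bool,
          parent_value: Optional[str], token_default: str) -> str:
    # Caller-supplied value wins; then the parent when the flag is set;
    # otherwise the token default. A missing parent value with the flag
    # set is not covered by the note; this model uses the token default.
    if supplied is not None:
        return supplied
    if from_parent and parent_value is not None:
        return parent_value
    return token_default


def assign_owner_and_group(caller_sd: Optional[SecurityDescriptor],
                           parent_sd: Optional[SecurityDescriptor],
                           token: Token, flags: int) -> SecurityDescriptor:
    """Apply steps 1 and 2 of note <80> and return the new object's owner and group."""
    supplied_owner = caller_sd.owner if caller_sd is not None else None
    supplied_group = caller_sd.group if caller_sd is not None else None
    parent_owner = parent_sd.owner if parent_sd is not None else None
    parent_group = parent_sd.group if parent_sd is not None else None

    # Step 1: owner
    owner = _pick(supplied_owner, bool(flags & DEFAULT_OWNER_FROM_PARENT),
                  parent_owner, token.default_owner)
    # Step 2: group, decided independently of the owner
    group = _pick(supplied_group, bool(flags & DEFAULT_GROUP_FROM_PARENT),
                  parent_group, token.default_group)
    return SecurityDescriptor(owner=owner, group=group)


# Constructed sample SIDs (not taken from any real system).
TOKEN = Token(default_owner="S-1-5-21-1-2-3-1001", default_group="S-1-5-21-1-2-3-513")
PARENT = SecurityDescriptor(owner="S-1-5-21-1-2-3-500", group="S-1-5-21-1-2-3-512")

if __name__ == "__main__":
    # Caller supplies only an owner; group comes from the parent because the flag is set.
    print(assign_owner_and_group(SecurityDescriptor("S-1-5-21-1-2-3-1100", None),
                                 PARENT, TOKEN, DEFAULT_GROUP_FROM_PARENT))
```

Keeping the owner and group decisions in one shared helper makes the independence of the two steps explicit: a caller can supply an owner and still inherit the group from the parent, and the parent-inheritance flags only matter when the caller left the field empty.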

© 2014 Microsoft