
SetSD method of the __SystemSecurity class

The SetSD method sets the security descriptor for the namespace to which a user is connected. This method requires a security descriptor in binary byte array format. If you are writing a script, use the SetSecurityDescriptor method. For more information, see Securing WMI Namespaces and Changing Access Security on Securable Objects.

If you are programming in C++, you can manipulate the binary security descriptor using SDDL, and the conversion methods ConvertSecurityDescriptorToStringSecurityDescriptor and ConvertStringSecurityDescriptorToSecurityDescriptor.

A user must have the WRITE_DAC permission, and by default, an administrator has that permission. The only part of the security descriptor that is used is the noninherited access control entry (ACE) in the discretionary access control list (DACL). By setting the CONTAINER_INHERIT flag in the ACEs, the security descriptor affects child namespaces. Both allow and deny ACEs are permitted.

Note: Because deny and allow ACEs are both permitted in a DACL, the order of ACEs is important. For more information, see Ordering of ACEs in a DACL.


HRESULT SetSD(
  [in]  uint8 SD[]
);


SD [in]

Byte array that makes up the security descriptor.

Return value

Returns an HRESULT that indicates the status of a method call. For scripting and Visual Basic applications, the result can be obtained from OutParameters.ReturnValue. For more information, see Constructing InParameters Objects and Parsing OutParameters Objects.

Windows Server 2003 and Windows XP:  WMI does not use security descriptor definition strings (SDDL). You also cannot use a Win32_SecurityDescriptor object or any of its component classes, such as Win32_ACE, to change the security descriptor.

The following table lists the return values that are significant to SetSD.

Return code / Description

Method executed successfully.


Caller does not have sufficient rights to call this method.


Attempted to run this method on Windows XP.


SD does not pass basic validity tests.


SD is not valid due to one of the following:

  • DACL is missing.
  • DACL is not valid.
  • ACE has the WBEM_FULL_WRITE_REP flag set, and the WBEM_PARTIAL_WRITE_REP or WBEM_WRITE_PROVIDER flag is not set.
  • ACE has the INHERIT_ONLY_ACE flag set without the CONTAINER_INHERIT_ACE flag.
  • ACE has an unknown access bit set.
  • ACE has a flag set that is not in the table.
  • ACE has a type that is not in the table.
  • The owner and group are missing from the SD.

For more information about the access control entry (ACE) flags, see WMI Security Constants.



For more information about modifying namespace security programmatically or manually, see Securing WMI Namespaces.


For script code examples, see WMI Tasks for Scripts and Applications and the TechNet ScriptCenter Script Repository.

For C++ code examples, see WMI C++ Application Examples.

The following script shows how to use SetSD to set the namespace security descriptor for the root namespace and change it to the byte array shown in strSD.

' Hard-coded security descriptor
strSD = array( 1, 0, 4,129,72, 0, 0, 0, _ 
              88, 0, 0,  0, 0, 0, 0, 0, _
              20, 0, 0,  0, 2, 0,52, 0, _
               2, 0, 0,  0, 0, 2,24, 0, _
              63, 0, 6,  0, 1, 2, 0, 0, _
               0, 0, 0,  5,32, 0, 0, 0, _
              32, 2, 0,  0, 0, 2,20, 0, _
              63, 0, 6,  0, 1, 1, 0, 0, _
               0, 0, 0,  1, 0, 0, 0, 0, _
               1, 2, 0,  0, 0, 0, 0, 5, _
              32, 0, 0,  0,32, 2, 0, 0, _
               1, 2, 0,  0, 0, 0, 0, 5, _
              32, 0, 0,  0,32, 2, 0, 0)

' Connect to WMI and the root namespace.
Set oSvc = CreateObject( _
                         "WbemScripting.SWbemLocator"). _
                         ConnectServer(, "root")

' Get the single __SystemSecurity object in this namespace.
Set oSecurity = oSvc.Get("__SystemSecurity=@")

' Change the namespace security.
nReturn = oSecurity.SetSD(strSD)
WScript.Echo "ReturnValue " & nReturn
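
Added example (not part of the original page or Microsoft's sample code): Python that decodes the strSD byte array above so the owner and every ACE can be reviewed before the descriptor is passed to SetSD. It assumes the self-relative SECURITY_DESCRIPTOR layout; the names sid_at, audit_sd and the BROAD_SIDS watch list are illustrative choices.

```python
import struct

# Byte array copied from strSD in the script on this page.
STR_SD = bytes([
    1, 0, 4, 129, 72, 0, 0, 0, 88, 0, 0, 0, 0, 0, 0, 0,
    20, 0, 0, 0, 2, 0, 52, 0, 2, 0, 0, 0, 0, 2, 24, 0,
    63, 0, 6, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0,
    32, 2, 0, 0, 0, 2, 20, 0, 63, 0, 6, 0, 1, 1, 0, 0,
    0, 0, 0, 1, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5,
    32, 0, 0, 0, 32, 2, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5,
    32, 0, 0, 0, 32, 2, 0, 0,
])
# WMI namespace rights and standard rights, keyed by access-mask bit.
RIGHTS = {0x1: "WBEM_ENABLE", 0x2: "WBEM_METHOD_EXECUTE", 0x4: "WBEM_FULL_WRITE_REP",
          0x8: "WBEM_PARTIAL_WRITE_REP", 0x10: "WBEM_WRITE_PROVIDER",
          0x20: "WBEM_REMOTE_ACCESS", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC"}
CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE = 0x2, 0x8
BROAD_SIDS = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users"}  # assumed watch list

def sid_at(sd, off):
    """Decode the SID stored at byte offset off into S-1-... form."""
    authority = int.from_bytes(sd[off + 2:off + 8], "big")
    subs = struct.unpack_from(f"<{sd[off + 1]}I", sd, off + 8)
    return "-".join(["S", str(sd[off]), str(authority), *map(str, subs)])

def audit_sd(sd):
    """Return (owner SID, ACE list, findings) for a self-relative descriptor."""
    owner, group, _sacl, dacl = struct.unpack_from("<4I", sd, 4)
    findings = [] if owner and group else ["owner or group is missing"]
    if not dacl:
        return None, [], findings + ["DACL is missing"]
    count = struct.unpack_from("<H", sd, dacl + 4)[0]  # AceCount in the ACL header
    aces, pos = [], dacl + 8
    for _ in range(count):
        ace_type, flags, size, mask = struct.unpack_from("<BBHI", sd, pos)
        sid = sid_at(sd, pos + 8)
        aces.append({"type": {0: "allow", 1: "deny"}.get(ace_type, ace_type), "sid": sid,
                     "inherits": bool(flags & CONTAINER_INHERIT_ACE),
                     "rights": [n for bit, n in RIGHTS.items() if mask & bit]})
        if flags & INHERIT_ONLY_ACE and not flags & CONTAINER_INHERIT_ACE:
            findings.append(f"{sid}: INHERIT_ONLY_ACE without CONTAINER_INHERIT_ACE")
        if ace_type == 0 and sid in BROAD_SIDS and mask & 0x40000:
            findings.append(f"{BROAD_SIDS[sid]} ({sid}) is allowed WRITE_DAC")
        pos += size
    return (sid_at(sd, owner) if owner else None), aces, findings

if __name__ == "__main__":
    print(*audit_sd(STR_SD), sep="\n")
```

For the array above, this reports S-1-5-32-544 (BUILTIN\Administrators) as owner and two allow ACEs with CONTAINER_INHERIT set and access mask 0x6003F, one for Administrators and one for S-1-1-0 (Everyone). Decoding a hard-coded descriptor this way before reusing it shows exactly which principals receive WRITE_DAC and WBEM_REMOTE_ACCESS on the namespace and its children.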


Minimum supported client

Windows XP

Minimum supported server

Windows Server 2003


Namespace

All WMI namespaces

See also

WMI System Classes
WMI Security Constants
Securing WMI Namespaces



© 2014 Microsoft