
6 Appendix B: Product Behavior

The information in this specification is applicable to the following Microsoft products or supplemental software. References to product versions include released service packs:

  • Microsoft Windows NT® operating system

  • Microsoft Windows® 2000 operating system

  • Windows® XP operating system

  • Windows Server® 2003 operating system

  • Windows Vista® operating system

  • Windows Server® 2008 operating system

  • Windows® 7 operating system

  • Windows Server® 2008 R2 operating system

  • Windows® 8 operating system

  • Windows Server® 2012 operating system

Exceptions, if any, are noted below. If a service pack or Quick Fix Engineering (QFE) number appears with the product version, behavior changed in that service pack or QFE. The new behavior also applies to subsequent service packs of the product unless otherwise specified. If a product edition appears with the product version, behavior is different in that product edition.

Unless otherwise specified, any statement of optional behavior in this specification that is prescribed using the terms SHOULD or SHOULD NOT implies product behavior in accordance with the SHOULD or SHOULD NOT prescription. Unless otherwise specified, the term MAY implies that the product does not follow the prescription.

<1> Section 2.1: Windows is implemented on little-endian systems.

<2> Section 2.3.6: Windows implementations access the Value field with non-standard string functions to add or extract strings from the buffer. If standard C conventions were followed, the Value datatype would nominally be wchar_t**.
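The buffer that footnote <2> describes is one flat array of characters, not an array of pointers, which is why a wchar_t** reader would go wrong on it. The following is an added example (not code from the MS-DTYP specification or from Windows) that packs a list of strings into such a Value buffer and splits one back apart. It assumes the layout section 2.3.6 gives for Value: each string NUL-terminated, the whole array terminated by one more NUL, and the character count covering every terminator; the encoding is UTF-16LE, matching the little-endian statement in footnote <1>.

```python
# Added example, not code from MS-DTYP or Windows: encode and decode a
# MULTI_SZ Value buffer held as a flat UTF-16LE byte string.
# Assumed layout (section 2.3.6): NUL-terminated strings back to back,
# followed by one extra NUL; nChar counts 16-bit characters including
# every terminator.

def encode_multi_sz(strings):
    """Return (value_bytes, n_char) for the given list of strings."""
    for s in strings:
        if "\x00" in s:
            raise ValueError("embedded NUL would split a string in two")
        if s == "":
            raise ValueError("an empty string would terminate the array early")
    text = "".join(s + "\x00" for s in strings) + "\x00"
    raw = text.encode("utf-16-le")
    return raw, len(raw) // 2


def decode_multi_sz(raw, n_char):
    """Split a MULTI_SZ Value buffer back into a list of strings.

    Rejects a buffer whose nChar disagrees with its length, one that lacks
    the array terminator, and one that carries data after the terminator;
    a pointer-array reader would silently mis-handle all three.
    """
    if len(raw) != n_char * 2:
        raise ValueError("nChar does not match the buffer length")
    text = raw.decode("utf-16-le")
    if not text.endswith("\x00"):
        raise ValueError("buffer is not NUL terminated")
    parts = text.split("\x00")
    # "a\0b\0\0" splits to ["a", "b", "", ""]; the empty element before the
    # last one is the array terminator.
    if len(parts) < 2 or parts[-1] != "" or parts[-2] != "":
        raise ValueError("missing array terminator")
    strings = parts[:-2]
    if "" in strings:
        raise ValueError("data follows the array terminator")
    return strings


def is_well_formed(raw, n_char):
    """True if decode_multi_sz accepts the buffer, False otherwise."""
    try:
        decode_multi_sz(raw, n_char)
        return True
    except ValueError:
        return False
```

The constructed inputs in the checks below are arbitrary sample strings; the nChar value for ["alpha", "beta"] is 12, that is 5 + 1 + 4 + 1 + 1 characters.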

<3> Section 2.4.2.4: Supported in Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012.

<4> Section 2.4.2.4: Not supported by Windows 2000.

<5> Section 2.4.2.4: Not supported by Windows 2000.

<6> Section 2.4.2.4: Not supported by Windows 2000.

<7> Section 2.4.2.4: Supported in Windows Server 2003 and Windows Server 2008. The DC adds this SID:

  • When the user is a member of the forest.

  • When the user is not a member of the forest and the TRUST_ATTRIBUTE_CROSS_ORGANIZATION bit of the Trust Attribute ([MS-ADTS] section 6.1.6.7.9) of the trusted domain object is not set.

<8> Section 2.4.2.4: The COMPOUNDED_AUTHENTICATION SID is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

<9> Section 2.4.2.4: The CLAIMS_VALID SID is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

<10> Section 2.4.2.4: A built-in group that is created when a domain controller is added to the domain. Supported by Windows 2000, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012.

<11> Section 2.4.2.4: A built-in group that is created when a domain controller is added to the domain. Supported by Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012.

<12> Section 2.4.2.4: A built-in group that is created when a domain controller is added to the domain. Supported by Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012.

<13> Section 2.4.2.4: A built-in group that is created when a domain controller is added to the domain. Supported by Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012.

<14> Section 2.4.2.4: A built-in group that is created when a domain controller is added to the domain. Supported by Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012.

<15> Section 2.4.2.4: A built-in group that is created when a domain controller is added to the domain. Supported by Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012.

<16> Section 2.4.2.4: A built-in group that is created when a domain controller is added to the domain. Supported by Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012.

<17> Section 2.4.2.4: A new local group is created for Windows Server 2003 with SP1, Windows Server 2003 SP2, Windows Server 2003 with SP3, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012.

<18> Section 2.4.2.4: A built-in group that is created when a domain controller is added to the domain. Supported by Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012.

<19> Section 2.4.2.4: A built-in group that is created when a domain controller is added to the domain. Supported by Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012.

<20> Section 2.4.2.4: A built-in group that is created when a domain controller is added to the domain. Supported by Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012.

<21> Section 2.4.2.4: A built-in group that is created when a domain controller is added to the domain. Supported by Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012.

<22> Section 2.4.2.4: The THIS_ORGANIZATION_CERTIFICATE SID is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<23> Section 2.4.2.4: Supported in Windows Server 2003 and Windows Server 2008. When the TRUST_ATTRIBUTE_CROSS_ORGANIZATION bit of the Trust Attribute ([MS-ADTS] section 6.1.6.7.9) of the trusted domain object is set:

  • If the forest boundary is crossed, Windows domain controllers add this SID.

  • If Windows domain controllers receive requests to authenticate to resources in their domain, they check the computer object to ensure that this SID is allowed. In Windows, by default this applies to NTLM (as specified in [MS-NLMP] and [MS-APDS]), to Kerberos (as specified in [MS-KILE] and [MS-APDS]), and to TLS (as specified in [MS-TLSP] and [MS-SFU]).

<24> Section 2.4.2.4: AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. In Windows Server 2012, only Kerberos KDCs provide this SID.

<25> Section 2.4.2.4: SERVICE_ASSERTED_IDENTITY is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. In Windows Server 2012, only Kerberos KDCs provide this SID for protocol transition (S4U2Self) based service tickets.

<26> Section 2.4.4.1: Windows NT 4.0: Not supported.

<27> Section 2.4.4.1: Windows NT 4.0: Not supported.

<28> Section 2.4.4.1: Windows NT 4.0: Not supported.

<29> Section 2.4.4.1: Windows NT 4.0 and Windows 2000: Not supported.

<30> Section 2.4.4.1: Windows NT 4.0 and Windows 2000: Not supported.

<31> Section 2.4.4.1: Windows NT 4.0 and Windows 2000: Not supported.

<32> Section 2.4.4.1: Windows NT 4.0 and Windows 2000: Not supported.

<33> Section 2.4.4.1: Windows NT 4.0 and Windows 2000: Not supported.

<34> Section 2.4.4.1: Callback in this context relates to the local-only AuthzAccessCheck function, as described in [MSDN-AuthzAccessCheck].

<35> Section 2.4.4.1: Windows NT 4.0: Not supported.

<36> Section 2.4.4.13: This construct is supported only by Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012.

<37> Section 2.4.4.17: Conditional ACEs are only supported in Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012.

<38> Section 2.4.4.17.6: Supported in Windows 8 and Windows Server 2012 only.

<39> Section 2.4.4.17.6: Supported in Windows 8 and Windows Server 2012 only.

<40> Section 2.4.4.17.6: Supported in Windows 8 and Windows Server 2012 only.

<41> Section 2.4.4.17.6: Supported in Windows 8 and Windows Server 2012 only.

<42> Section 2.4.4.17.6: Supported in Windows 8 and Windows Server 2012 only.

<43> Section 2.4.4.17.6: Supported in Windows 8 and Windows Server 2012 only.

<44> Section 2.4.4.17.6: Supported in Windows 8 and Windows Server 2012 only.

<45> Section 2.4.4.17.6: Only Windows 8 and Windows Server 2012 support @Prefixed form.

<46> Section 2.4.4.17.6: For Windows 7 and Windows Server 2008 R2, the LHS MUST be an attribute name in simple form and the RHS MUST be a single literal value. Evaluates to TRUE if the set of values for the specified LHS includes a value identical to the specified literal; otherwise, FALSE.

<47> Section 2.4.4.17.6: For Windows 7 and Windows Server 2008 R2, the RHS MUST be either a list of literals or a single literal value. Evaluates to TRUE if the LHS is a superset of the value of the specified RHS; otherwise, FALSE.
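Footnotes <46> and <47> describe two set tests over a token's attribute values: membership of one literal in the LHS value set, and the LHS value set being a superset of the RHS literal(s). The following is an added example (not code from the MS-DTYP specification or from Windows) that evaluates both. It assumes attributes are held as a mapping from simple-form attribute name to the set of its values; that "identical" means equal in both type and value, so the integer 1 and the string "1" are different; and, as an assumption made here about the surrounding conditional-expression rules, that a reference to an attribute the token does not carry yields an unknown result (returned as None) rather than FALSE. The page does not name the operator keywords these footnotes belong to, so the functions are named after the tests themselves.

```python
# Added example, not code from MS-DTYP or Windows: the two set tests of
# footnotes <46> and <47> evaluated against a token's attributes.
# Assumptions: attrs maps simple attribute names to sets of values;
# identical means same type and value; a missing attribute yields None
# (unknown) rather than False.

def _require_simple_name(lhs):
    """Footnote <46>/<47>: the LHS must be an attribute name in simple form."""
    if not isinstance(lhs, str) or not lhs or lhs.startswith("@"):
        raise ValueError("LHS must be an attribute name in simple form")


def _identical(a, b):
    """Type-strict equality so 1 and "1" are not treated as the same value."""
    return type(a) is type(b) and a == b


def includes_literal(attrs, lhs, literal):
    """<46>: TRUE if some value of attribute LHS is identical to the literal.

    The RHS must be a single literal, which is the restriction <46> states
    for Windows 7 and Windows Server 2008 R2.
    """
    _require_simple_name(lhs)
    if isinstance(literal, (list, tuple, set, frozenset)):
        raise ValueError("RHS must be a single literal")
    values = attrs.get(lhs)
    if values is None:
        return None                       # assumed: missing attribute is unknown
    return any(_identical(v, literal) for v in values)


def is_superset(attrs, lhs, rhs):
    """<47>: TRUE if the value set of LHS is a superset of the RHS.

    The RHS may be a single literal or a list of literals.
    """
    _require_simple_name(lhs)
    needed = list(rhs) if isinstance(rhs, (list, tuple)) else [rhs]
    values = attrs.get(lhs)
    if values is None:
        return None                       # assumed: missing attribute is unknown
    return all(any(_identical(v, n) for v in values) for n in needed)
```

The sample attribute values used in the checks below are constructed for illustration only.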

<48> Section 2.4.4.17.6: Supported in Windows 8 and Windows Server 2012 only.

<49> Section 2.4.4.17.6: Supported in Windows 8 and Windows Server 2012 only.

<50> Section 2.4.4.17.7: Supported in Windows 8 and Windows Server 2012 only.

<51> Section 2.4.5: This is applicable for Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012.

<52> Section 2.4.6: Windows typically presents the target fields in this order: Sacl, Dacl, OwnerSid, GroupSid.

<53> Section 2.4.6: Windows sets Sbz1 to zero for Windows resources.
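Footnotes <1>, <52> and <53> together pin down how Windows lays out a self-relative security descriptor: little-endian fields, Sbz1 zero, and the variable-length parts emitted in the order Sacl, Dacl, OwnerSid, GroupSid. The following is an added example (not code from the MS-DTYP specification or from Windows) that builds such a descriptor in that order and parses it back, checking the offsets before following them as a parser of untrusted input should. It assumes the field layouts given elsewhere in the spec and not restated on this page: a 20-byte SECURITY_DESCRIPTOR header of Revision, Sbz1, Control, OffsetOwner, OffsetGroup, OffsetSacl, OffsetDacl; a SID of Revision, SubAuthorityCount, a 6-byte big-endian IdentifierAuthority and little-endian sub-authorities; an 8-byte ACL header; a 4-byte ACE header followed by the access mask and SID for ACCESS_ALLOWED_ACE and SYSTEM_AUDIT_ACE. The control-flag and ACE-type values are the well-known ones from those sections.

```python
# Added example, not code from MS-DTYP or Windows: build and parse a
# self-relative SECURITY_DESCRIPTOR with the part order of footnote <52>,
# Sbz1 = 0 per footnote <53>, little-endian per footnote <1>.
# Assumed layouts (from the SID, ACL, ACE and SECURITY_DESCRIPTOR sections
# of the spec, not restated on this page) are described in the lead-in.
import struct

SE_DACL_PRESENT, SE_SACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x0010, 0x8000
ACCESS_ALLOWED_ACE_TYPE, SYSTEM_AUDIT_ACE_TYPE = 0x00, 0x02
SD_HEADER = "<BBHIIII"        # Revision, Sbz1, Control, four offsets = 20 bytes


def sid_to_bytes(sid):
    """'S-1-5-32-544' -> binary SID (authority big-endian, sub-authorities LE)."""
    parts = sid.split("-")
    if parts[:2] != ["S", "1"]:
        raise ValueError("unsupported SID revision")
    authority, subs = int(parts[2]), [int(p) for p in parts[3:]]
    return (struct.pack("<BB", 1, len(subs)) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_from_bytes(buf, off):
    rev, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)


def acl_to_bytes(aces):
    """aces: list of (ace_type, ace_flags, mask, sid_string)."""
    body = b""
    for ace_type, flags, mask, sid in aces:
        sid_b = sid_to_bytes(sid)
        body += struct.pack("<BBHI", ace_type, flags, 8 + len(sid_b), mask) + sid_b
    return struct.pack("<BBHHH", 2, 0, 8 + len(body), len(aces), 0) + body


def acl_from_bytes(buf, off):
    _rev, _sbz1, size, count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    aces, pos = [], off + 8
    for _ in range(count):
        ace_type, flags, ace_size, mask = struct.unpack_from("<BBHI", buf, pos)
        aces.append((ace_type, flags, mask, sid_from_bytes(buf, pos + 8)))
        pos += ace_size
    if pos != off + size:
        raise ValueError("AceCount and AclSize disagree with the ACE sizes")
    return aces


def build_self_relative_sd(owner, group, dacl=None, sacl=None):
    control, blobs = SE_SELF_RELATIVE, {}
    if sacl is not None:
        control |= SE_SACL_PRESENT
        blobs["sacl"] = acl_to_bytes(sacl)
    if dacl is not None:
        control |= SE_DACL_PRESENT
        blobs["dacl"] = acl_to_bytes(dacl)
    blobs["owner"], blobs["group"] = sid_to_bytes(owner), sid_to_bytes(group)
    offsets, pos, body = {}, 20, b""
    for name in ("sacl", "dacl", "owner", "group"):      # footnote <52> order
        if name in blobs:
            offsets[name] = pos
            body += blobs[name]
            pos += len(blobs[name])
    header = struct.pack(SD_HEADER, 1, 0, control,       # Sbz1 = 0, footnote <53>
                         offsets["owner"], offsets["group"],
                         offsets.get("sacl", 0), offsets.get("dacl", 0))
    return header + body


def parse_self_relative_sd(buf):
    rev, sbz1, control, o_own, o_grp, o_sacl, o_dacl = struct.unpack_from(SD_HEADER, buf, 0)
    if rev != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a revision-1 self-relative descriptor")
    for off in (o_own, o_grp, o_sacl, o_dacl):
        if off >= len(buf):
            raise ValueError("offset points outside the buffer")
    return {
        "sbz1": sbz1,
        "offsets": (o_sacl, o_dacl, o_own, o_grp),
        "owner": sid_from_bytes(buf, o_own) if o_own else None,
        "group": sid_from_bytes(buf, o_grp) if o_grp else None,
        "sacl": acl_from_bytes(buf, o_sacl) if control & SE_SACL_PRESENT and o_sacl else None,
        "dacl": acl_from_bytes(buf, o_dacl) if control & SE_DACL_PRESENT and o_dacl else None,
    }
```

The SIDs and masks in the checks below are constructed sample values. With one audit ACE, two allow ACEs, a 16-byte owner SID and a 12-byte group SID the parts land at offsets 20, 48, 100 and 116, the Sacl-Dacl-Owner-Group order of footnote <52>.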

<54> Section 2.4.10.1: These values are only supported in Windows 8 and Windows Server 2012. They are ignored by the access check algorithm (section 2.5.3.2).

<55> Section 2.4.10.1: These values are only supported in Windows 8 and Windows Server 2012.

<56> Section 2.4.10.2: Supported only in Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012.

<57> Section 2.5.1: SDDL was introduced in Windows 2000.

<58> Section 2.5.1.1: GUIDs are only supported on Windows 8 and Windows Server 2012.

<59> Section 2.5.1.1: Not all conditional ACE types are supported in SDDL. Only the conditional ACE types ACCESS_ALLOWED_CALLBACK_ACE and ACCESS_DENIED_CALLBACK_ACE are supported in Windows 7 and Windows Server 2008 R2. The ACCESS_ALLOWED_CALLBACK_ACE, ACCESS_DENIED_CALLBACK_ACE, ACCESS_ALLOWED_CALLBACK_OBJECT_ACE, and SYSTEM_AUDIT_CALLBACK_ACE types are supported in Windows 8 and Windows Server 2012.

<60> Section 2.5.1.1: Supported in Windows 8 and Windows Server 2012 only.

<61> Section 2.5.1.1: Supported in Windows 8 and Windows Server 2012 only.

<62> Section 2.5.1.1: Supported in Windows 8 and Windows Server 2012 only.

<63> Section 2.5.1.1: Supported in Windows 8 and Windows Server 2012 only.

<64> Section 2.5.1.1: Supported in Windows 8 and Windows Server 2012 only.

<65> Section 2.5.1.1: Not_Contains is supported in Windows 8 and Windows Server 2012 only.

<66> Section 2.5.1.1: Not_Any is supported in Windows 8 and Windows Server 2012 only.

<67> Section 2.5.1.1: Use of the @ symbol in the simple form is supported only in Windows 8 and Windows Server 2012.

<68> Section 2.5.1.1: Supported in Windows 8 and Windows Server 2012 only.

<69> Section 2.5.2: For Windows 2000, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012, the policy is that OwnerIndex is always the same as UserIndex, except for members of the local Administrators group, in which case the OwnerIndex is set to the index for the SID representing the Administrators group. For Windows XP and Windows Server 2003, there is a policy that allows the OwnerIndex to be the UserIndex under all conditions.

<70> Section 2.5.3.3: The Windows integrity mechanism extension is supported in Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012.

<71> Section 2.5.3.4: Assigning the owner and group fields in the security descriptor must follow this logic:

  1. If the security descriptor that is supplied for the object by the caller includes an owner, it is assigned as the owner of the new object. Otherwise, if the DEFAULT_OWNER_FROM_PARENT flag (see section 2.5.3.4.1) is set, the new object is assigned the same owner as the parent object. If this flag is not set, the default owner specified by the token (see section 2.5.3.4.1) is assigned.

  2. If the security descriptor that is supplied for the object by the caller includes a group, it is assigned as the group of the new object. Otherwise, if the DEFAULT_GROUP_FROM_PARENT flag (see section 2.5.3.4.1) is set, the new object is assigned the same primary group as the parent object. If this flag is not set, the default group specified by the token (see section 2.5.3.4.1) is assigned.
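The two steps above, together with the default-owner policy of footnote <69>, are worked below as one function. This is an added example, not code from the MS-DTYP specification or from Windows. It assumes a token is represented as a dict holding the user SID, the list of group SIDs and the token's default primary group; that the local Administrators group is identified by its well-known SID S-1-5-32-544; that the DEFAULT_OWNER_FROM_PARENT and DEFAULT_GROUP_FROM_PARENT flags are passed as names in a set rather than as bit values; and, where a flag is set but the parent carries no such field, that the token default is used (the page does not state this case).

```python
# Added example, not code from MS-DTYP or Windows: owner/group selection for
# a new object per footnote <71>, with the token default owner per <69>.
# Assumptions: token = {"user": sid, "groups": [sid, ...],
# "primary_group": sid}; flags is a set of names; a parent that lacks the
# field a flag asks for falls through to the token default.

LOCAL_ADMINISTRATORS = "S-1-5-32-544"
# <69>: on these products the default owner is the user SID unconditionally.
OWNER_ALWAYS_USER = {"Windows XP", "Windows Server 2003"}


def token_default_owner(token, product):
    """<69>: user SID, or the Administrators group SID for members of the
    local Administrators group on every listed product except XP / 2003."""
    if product not in OWNER_ALWAYS_USER and LOCAL_ADMINISTRATORS in token["groups"]:
        return LOCAL_ADMINISTRATORS
    return token["user"]


def _pick(field, caller_sd, parent_sd, flag, flags, token_default):
    # Step 1 / step 2 of <71>, which differ only in field and flag name.
    if caller_sd.get(field):
        return caller_sd[field]                     # caller supplied it
    if flag in flags and parent_sd and parent_sd.get(field):
        return parent_sd[field]                     # inherit from the parent
    return token_default                            # assumed fallback otherwise


def assign_owner_and_group(caller_sd, parent_sd, flags, token, product):
    """Return (owner_sid, group_sid) for a new object.

    caller_sd and parent_sd are dicts that may carry "owner" and "group";
    parent_sd may be None when the object has no parent.
    """
    owner = _pick("owner", caller_sd, parent_sd, "DEFAULT_OWNER_FROM_PARENT",
                  flags, token_default_owner(token, product))
    group = _pick("group", caller_sd, parent_sd, "DEFAULT_GROUP_FROM_PARENT",
                  flags, token["primary_group"])
    return owner, group
```

The tokens and SIDs in the checks below are constructed sample values.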

© 2013 Microsoft. All rights reserved.