
Win32_SecurityDescriptor class

The Win32_SecurityDescriptor abstract WMI class represents a SECURITY_DESCRIPTOR structure. A security descriptor contains the security information for a securable object. The Owner and Group properties identify the owner and primary group for the object. It can also contain a discretionary access control list (DACL) that controls access to the object and a system access control list (SACL) that controls the logging of attempts to access the object.

The following syntax is simplified from Managed Object Format (MOF) code, and includes all of the inherited properties.

Inheritance

Windows Server 2003: Inherits from Win32_MethodParameterClass.

Syntax

class Win32_SecurityDescriptor : __SecurityDescriptor
{
  uint32        ControlFlags;
  Win32_ACE     DACL[];
  Win32_Trustee Group;
  Win32_Trustee Owner;
  Win32_ACE     SACL[];
};

Members

The Win32_SecurityDescriptor class has these types of members:

Properties

The Win32_SecurityDescriptor class has these properties.

ControlFlags
Data type: uint32
Access type: Read-only
Qualifiers: WritePrivileges(SeSecurityPrivilege, SeRestorePrivilege)

Control bits that qualify the meaning of a security descriptor (SD) or its individual members. See the Remarks section of this topic for information about setting the ControlFlags value. The following table lists the flags in ControlFlags. For more information, see SECURITY_DESCRIPTOR_CONTROL.

Name / bitmask          Meaning
SE_OWNER_DEFAULTED
1 (0x1)

Indicates an SD with a default owner security identifier (SID). Use this bit to find all of the objects that have default owner permissions set.

SE_GROUP_DEFAULTED
2 (0x2)

Indicates an SD with a default group SID. Use this bit to find all of the objects that have default group permissions set.

SE_DACL_PRESENT
4 (0x4)

Indicates an SD that has a DACL. If this flag is not set, or if this flag is set and the DACL is NULL, the SD allows full access to everyone.

SE_DACL_DEFAULTED
8 (0x8)

Indicates an SD with a default DACL. For example, if an object creator does not specify a DACL, the object receives the default DACL from the access token of the creator. This flag can affect how the system treats the DACL, with respect to access control entry (ACE) inheritance. The system ignores this flag if the SE_DACL_PRESENT flag is not set.

SE_SACL_PRESENT
16 (0x10)

Indicates an SD that has a system access control list (SACL).

SE_SACL_DEFAULTED
32 (0x20)

Indicates an SD with a default SACL. For example, if an object creator does not specify an SACL, the object receives the default SACL from the access token of the creator. This flag can affect how the system treats the SACL, with respect to ACE inheritance. The system ignores this flag if the SE_SACL_PRESENT flag is not set.

SE_DACL_AUTO_INHERIT_REQ
256 (0x100)

Requests that the provider for the object protected by the SD automatically propagate the DACL to existing child objects. If the provider supports automatic inheritance, the DACL is propagated to any existing child objects, and the SE_DACL_AUTO_INHERITED bit in the SD of the parent and child objects is set.

SE_SACL_AUTO_INHERIT_REQ
512 (0x200)

Requests that the provider for the object protected by the SD automatically propagate the SACL to existing child objects. If the provider supports automatic inheritance, the SACL is propagated to any existing child objects, and the SE_SACL_AUTO_INHERITED bit in the SDs of the parent object and child objects is set.

SE_DACL_AUTO_INHERITED
1024 (0x400)

Indicates an SD in which the DACL is set up to support automatic propagation of inheritable ACEs to existing child objects. The system sets this bit when it performs the automatic inheritance algorithm for the object and its existing child objects.

SE_SACL_AUTO_INHERITED
2048 (0x800)

Indicates an SD in which the SACL is set up to support automatic propagation of inheritable ACEs to existing child objects. The system sets this bit when it performs the automatic inheritance algorithm for the object and its existing child objects.

SE_DACL_PROTECTED
4096 (0x1000)

Prevents the DACL of an SD from being modified by inheritable ACEs.

SE_SACL_PROTECTED
8192 (0x2000)

Prevents the SACL of an SD from being modified by inheritable ACEs.

SE_SELF_RELATIVE
32768 (0x8000)

Indicates an SD in self-relative format with all the security information in a contiguous block of memory. If this flag is not set, the SD is in absolute format. For more information, see Absolute and Self-Relative Security Descriptors.


DACL
Data type: Win32_ACE array
Access type: Read/write
Qualifiers: WritePrivileges(SeSecurityPrivilege, SeRestorePrivilege)

Each array entry defines the type of object access that the system grants to a specific user or group. For more information about security for access control lists (ACL), see Access Control Lists and Creating a DACL.

Group
Data type: Win32_Trustee
Access type: Read/write
Qualifiers: WritePrivileges(SeSecurityPrivilege, SeRestorePrivilege)

Group that owns this object.

Owner
Data type: Win32_Trustee
Access type: Read/write
Qualifiers: WritePrivileges(SeSecurityPrivilege, SeRestorePrivilege)

Owner of an object.

SACL
Data type: Win32_ACE array
Access type: Read/write
Qualifiers: WritePrivileges(SeSecurityPrivilege, SeRestorePrivilege)

Each array entry defines the type of access attempts that generate audit records for a specific user or group.

Remarks

The Win32_SecurityDescriptor class is derived from Win32_MethodParameterClass.

The values in ControlFlags affect the elements of the descriptor that WMI writes to a new SD in methods such as Win32_SecuritySetting.SetSecurityDescriptor. Some of the flags, such as SE_GROUP_DEFAULTED or SE_SACL_DEFAULTED, indicate that a part of the SD is a default value. For example, Active Directory may have default SDs for all types of objects. When a new object is created, the default owner, group, DACL, and SACL are applied. If a system-wide change must be made to the defaults, the system administrator can find all of the objects with defaults by locating the objects that have the default flags set.

If the SE_DACL_PRESENT bit is specified and a DACL entry is also present in the call to SetSecurityDescriptor, then an empty DACL is written to the new security descriptor. To provide better security, WMI does not write a NULL DACL when SE_DACL_PRESENT is set but a parameter is not supplied, because a NULL DACL gives everyone full access to the object. For more information, see Creating a DACL.

The ControlFlags property contains individual bit positions, which indicate that specific flags are set. You can combine these flags by adding the associated values. For example, to specify both SE_DACL_PRESENT and SE_DACL_AUTO_INHERITED you add the associated values 4 and 1024 to make the value of the ControlFlags property 1028.
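As an added example (not code from this page or from Microsoft), the following Python helper composes and decodes ControlFlags values using the bit values from the table above, and applies the SE_DACL_PRESENT / NULL-DACL rule to a constructed descriptor. The DACL and SACL are passed as plain lists of tuples standing in for Win32_ACE entries; that tuple shape is an assumption for illustration, not the WMI class.

```python
# Added example, not Microsoft's code: work with Win32_SecurityDescriptor.ControlFlags
# as documented above (bit values copied from the ControlFlags table).
CONTROL_FLAGS = {
    "SE_OWNER_DEFAULTED": 0x1,       "SE_GROUP_DEFAULTED": 0x2,
    "SE_DACL_PRESENT": 0x4,          "SE_DACL_DEFAULTED": 0x8,
    "SE_SACL_PRESENT": 0x10,         "SE_SACL_DEFAULTED": 0x20,
    "SE_DACL_AUTO_INHERIT_REQ": 0x100, "SE_SACL_AUTO_INHERIT_REQ": 0x200,
    "SE_DACL_AUTO_INHERITED": 0x400, "SE_SACL_AUTO_INHERITED": 0x800,
    "SE_DACL_PROTECTED": 0x1000,     "SE_SACL_PROTECTED": 0x2000,
    "SE_SELF_RELATIVE": 0x8000,
}
KNOWN_BITS = 0
for _bit in CONTROL_FLAGS.values():
    KNOWN_BITS |= _bit


def compose_control_flags(*names):
    """OR named flags together, e.g. SE_DACL_PRESENT + SE_DACL_AUTO_INHERITED -> 1028."""
    value = 0
    for name in names:
        value |= CONTROL_FLAGS[name]   # KeyError on a misspelled flag name
    return value


def decode_control_flags(value):
    """Return the set of flag names present in a ControlFlags value; reject unknown bits."""
    if value & ~KNOWN_BITS:
        raise ValueError(f"unknown ControlFlags bits: {value & ~KNOWN_BITS:#x}")
    return {name for name, bit in CONTROL_FLAGS.items() if value & bit}


def dacl_grants_everyone_full_access(control_flags, dacl):
    """SE_DACL_PRESENT rule: full access to everyone when the flag is not set, or when it
    is set and the DACL is NULL (None here). An *empty* DACL ([]) is different: it grants
    nobody access, which is why WMI writes an empty rather than a NULL DACL."""
    if not (control_flags & CONTROL_FLAGS["SE_DACL_PRESENT"]):
        return True
    return dacl is None


def audit_descriptor(control_flags, dacl, sacl):
    """Defender-side review of a descriptor; ACEs are (trustee SID, type, mask) tuples (assumed shape)."""
    findings = []
    if dacl_grants_everyone_full_access(control_flags, dacl):
        findings.append("DACL missing or NULL: everyone has full access")
    if not (control_flags & CONTROL_FLAGS["SE_SACL_PRESENT"]) or not sacl:
        findings.append("no SACL: access attempts are not audited")
    if control_flags & CONTROL_FLAGS["SE_DACL_DEFAULTED"]:
        findings.append("DACL is the creator token default, not set explicitly")
    return findings


# Constructed sample: self-relative SD with a DACL but no SACL (SID is the built-in Administrators alias).
SAMPLE_DACL = [("S-1-5-32-544", "Allow", 0x1F01FF)]
SAMPLE_FINDINGS = audit_descriptor(0x8004, SAMPLE_DACL, None)
```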

Requirements

Minimum supported client

Windows Vista

Minimum supported server

Windows Server 2003

Namespace

\root\CIMV2

MOF

Secrcw32.mof

DLL

CIMWin32.dll

See also

Operating System Classes
WMI Security Descriptor Objects
Maintaining WMI Security
Changing Access Security on Securable Objects

© 2014 Microsoft