6 Appendix B: Product Behavior

  • Windows NT operating system

  • Windows 2000 operating system

  • Windows XP operating system

  • Windows Server 2003 operating system

  • Windows Vista operating system

  • Windows Server 2008 operating system

  • Windows 7 operating system

  • Windows Server 2008 R2 operating system

  • Windows 8 operating system

  • Windows Server 2012 operating system

  • Windows 8.1 operating system

  • Windows Server 2012 R2 operating system

  • Windows 10 operating system

  • Windows Server 2016 operating system

Exceptions, if any, are noted below. If a service pack or Quick Fix Engineering (QFE) number appears with the product version, behavior changed in that service pack or QFE. The new behavior also applies to subsequent service packs of the product unless otherwise specified. If a product edition appears with the product version, behavior is different in that product edition.

Unless otherwise specified, any statement of optional behavior in this specification that is prescribed using the terms "SHOULD" or "SHOULD NOT" implies product behavior in accordance with the SHOULD or SHOULD NOT prescription. Unless otherwise specified, the term "MAY" implies that the product does not follow the prescription.

<1> Section 2.1: Windows is implemented on little-endian systems.

<2> Section 2.3.8: Windows implementations access the Value field with non-standard string functions to add or extract strings from the buffer. If standard C conventions were followed, the Value datatype would nominally be wchar_t**.

<3> Section 2.4.1: Only Windows Server 2012 and Windows Server 2012 R2, Kerberos KDCs support this value.

<4> Section 2.4.1: Only Windows Server 2012 and Windows Server 2012 R2, Kerberos KDCs support this value for protocol transition (S4U2Self)-based service tickets

<5> Section 2.4.2.4: Not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2012 operating system, and Windows Server 2008 R2.

<6> Section 2.4.2.4: Not supported by Windows 2000.

<7> Section 2.4.2.4: Not supported by Windows 2000.

<8> Section 2.4.2.4: Not supported by Windows 2000.

<9> Section 2.4.2.4: Supported in Windows Server 2003 and Windows Server 2008. The DC adds this SID:

  • When the user is a member of the forest.

  • When the user is not a member of the forest and the TRUST_ATTRIBUTE_CROSS_ORGANIZATION bit of the Trust Attribute ([MS-ADTS] section 6.1.6.7.9) of the trusted domain object is not set.

<10> Section 2.4.2.4: The COMPOUNDED_AUTHENTICATION SID is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

<11> Section 2.4.2.4: The CLAIMS_VALID SID is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

<12> Section 2.4.2.4: Not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, or Windows Server 2012.

<13> Section 2.4.2.4: A built-in group that is created when a domain controller is added to the domain. Supported by Windows 2000, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2 operating system, and Windows Server 2012.

<14> Section 2.4.2.4: A built-in group that is created when a domain controller is added to the domain. Supported by Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012.

<15> Section 2.4.2.4: A built-in group that is created when a domain controller is added to the domain. Supported by Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012.

<16> Section 2.4.2.4: A built-in group that is created when a domain controller is added to the domain. Supported by Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012.

<17> Section 2.4.2.4: A built-in group that is created when a domain controller is added to the domain. Supported by Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012.

<18> Section 2.4.2.4: A built-in group that is created when a domain controller is added to the domain. Supported by Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012.

<19> Section 2.4.2.4: A built-in group that is created when a domain controller is added to the domain. Supported by Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012.

<20> Section 2.4.2.4: A new local group is created for Windows Server 2003 operating system with Service Pack 1 (SP1), Windows Server 2003 operating system with Service Pack 2 (SP2), Windows Server 2003 operating system with Service Pack 3 (SP3), Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012.

<21> Section 2.4.2.4: A built-in group that is created when a domain controller is added to the domain. Supported by Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012.

<22> Section 2.4.2.4: A built-in group that is created when a domain controller is added to the domain. Supported by Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012.

<23> Section 2.4.2.4: A built-in group that is created when a domain controller is added to the domain. Supported by Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012.

<24> Section 2.4.2.4: A built-in group that is created when a domain controller is added to the domain. Supported by Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012.

<25> Section 2.4.2.4: The THIS_ORGANIZATION_CERTIFICATE SID is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<26> Section 2.4.2.4: Not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, or Windows Server 2012.

<27> Section 2.4.2.4: Not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, or Windows Server 2012.

<28> Section 2.4.2.4: Supported in Windows Server 2003 and Windows Server 2008. When the TRUST_ATTRIBUTE_CROSS_ORGANIZATION bit of the Trust Attribute ([MS-ADTS] section 6.1.6.7.9) of the trusted domain object is set:

  • If the forest boundary is crossed, Windows domain controllers add this SID.

  • If Windows domain controllers receive requests to authenticate to resources in their domain, they check the computer object to ensure that this SID is allowed. In Windows, by default this applies to NTLM (as specified in [MS-NLMP] and [MS-APDS]), to Kerberos (as specified in [MS-KILE] and [MS-APDS]), and to TLS (as specified in [MS-TLSP] and [MS-SFU]).

<29> Section 2.4.2.4: Not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

<30> Section 2.4.2.4: In Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016, only Kerberos KDCs provide this SID.

<31> Section 2.4.2.4: Not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

<32> Section 2.4.2.4: In Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016, only Kerberos KDCs provide this SID for protocol transition (S4U2Self) based service tickets.

<33> Section 2.4.2.4:  Only Kerberos KDCs provide this SID for tickets based on [IETFDRAFT-PK-FRESH]. FRESH_PUBLIC_KEY_IDENTITY is not supported in Windows NT, Windows 2000, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2.

<34> Section 2.4.2.4:  Only Kerberos KDCs provide this SID when key trust attributes are used for validation. KEY_TRUST_ IDENTITY is not supported in Windows NT, Windows 2000, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2.

<35> Section 2.4.2.4:  Only Kerberos KDCs provide this SID when key trust attributes for MFA is true. KEY_PROPERTY_MFA is not supported in Windows NT, Windows 2000, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2.

<36> Section 2.4.2.4:  Only Kerberos KDCs provide this SID when key trust attributes for attestation is true. KEY_PROPERTY_ATTESTATION is not supported in Windows NT, Windows 2000, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2.

<37> Section 2.4.4.1: Windows NT 4.0 operating system: Not supported.

<38> Section 2.4.4.1: Windows NT 4.0: Not supported.

<39> Section 2.4.4.1: Windows NT 4.0: Not supported.

<40> Section 2.4.4.1: Windows NT 4.0 and Windows 2000: Not supported.

<41> Section 2.4.4.1: Windows NT 4.0 and Windows 2000: Not supported.

<42> Section 2.4.4.1: Windows NT 4.0 and Windows 2000: Not supported.

<43> Section 2.4.4.1: Windows NT 4.0 and Windows 2000: Not supported.

<44> Section 2.4.4.1: Windows NT 4.0 and Windows 2000: Not supported.

<45> Section 2.4.4.1: Callback in this context relates to the local-only AuthzAccessCheck function, as described in [MSDN-AuthzAccessCheck].

<46> Section 2.4.4.1: Windows NT 4.0: Not supported.

<47> Section 2.4.4.13: This construct is not supported by Windows NT, Windows 2000, Windows XP, or Windows Server 2003.

<48> Section 2.4.4.17: Conditional ACEs are not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, or Windows Server 2008.

<49> Section 2.4.4.17.6: Not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2.

<50> Section 2.4.4.17.6: Not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2.

<51> Section 2.4.4.17.6: Not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2.

<52> Section 2.4.4.17.6: Not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2.

<53> Section 2.4.4.17.6: Not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2.

<54> Section 2.4.4.17.6: Not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2.

<55> Section 2.4.4.17.6: Not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2.

<56> Section 2.4.4.17.6: The @Prefixed form is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2.

<57> Section 2.4.4.17.6: Windows implementations do not set this flag by default.

<58> Section 2.4.4.17.6: For Windows 7 and Windows Server 2008 R2, the LHS is an attribute name in simple form and RHS is a single literal value. Evaluates to TRUE if the set of values for the specified LHS includes a value identical to the specified literal; otherwise, FALSE.

<59> Section 2.4.4.17.6: For Windows 7 and Windows Server 2008 R2, the RHS is either a list of literals or a single literal value. Evaluates to TRUE if the LHS is a superset of the value of the specified RHS; otherwise, FALSE.

<60> Section 2.4.4.17.6: Not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2.

<61> Section 2.4.4.17.6: Not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2.

<62> Section 2.4.4.17.7: Not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2.

<63> Section 2.4.5: Not supported in Windows NT, Windows 2000, Windows XP, and Windows Server 2003.

<64> Section 2.4.6: Windows typically presents the target fields in this order: Sacl, Dacl, OwnerSid, GroupSid.

<65> Section 2.4.6: Windows sets Sbz1 to zero for Windows resources.

<66> Section 2.4.6: This field is intended only for use by the POSIX subsystem and is otherwise ignored by the Windows access control components.

<67> Section 2.4.10.1: These values are not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2.

<68> Section 2.4.10.1: These values are not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2.

<69> Section 2.4.10.1:  This value is ignored by Windows when set on a security descriptor.

<70> Section 2.4.10.2: Not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, or Windows Server 2008.

<71> Section 2.5.1: SDDL was introduced in Windows 2000.

<72> Section 2.5.1.1: GUIDs are not supported on Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2.

<73> Section 2.5.1.1: For the domain built-in ADMINISTRATOR (S-1-5-21-<domain>-500), Windows passes the actual SID, not the "LA" token. Reporting tools might convert this back to a token when examining the SDDL.

<74> Section 2.5.1.1: Not all conditional ACE types are supported in the SDDL. The conditional ACE types ACCESS_ALLOWED_CALLBACK_ACE and ACCESS_DENIED_CALLBACK_ACE are not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, or Windows Server 2008. The conditional ACE types ACCESS_ALLOWED_CALLBACK_OBJECT_ACE and SYSTEM_AUDIT_CALLBACK_ACE are not supported in Windows 7 and Windows Server 2008 R2.

<75> Section 2.5.1.1: Not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2.

<76> Section 2.5.1.1: Not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2.

<77> Section 2.5.1.1: Not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2.

<78> Section 2.5.1.1: Not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2.

<79> Section 2.5.1.1: Only "Member_of" is supported in Windows 7 and Windows Server 2008 R2. "Member_of", "Not_Member_of", "Member_of_Any", "Not_Member_of_Any", "Device_Member_of", "Device_Member_of_Any", "Not_Device_Member_of", and "Not_Device_Member_of_Any" are supported in Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016.

<80> Section 2.5.1.1: Not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2.

<81> Section 2.5.1.1: Not_Contains is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2.

<82> Section 2.5.1.1: Not_Any is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2.

<83> Section 2.5.1.1: Use of the @ symbol in the simple form is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2.

<84> Section 2.5.1.1: Not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2.

<85> Section 2.5.2: For Windows 2000, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016, the policy is that OwnerIndex is always the same as UserIndex, except for members of the local Administrators group, in which case the OwnerIndex is set to the index for the SID representing the Administrators group. For Windows XP and Windows Server 2003, there is a policy that allows the OwnerIndex to be the UserIndex under all conditions.

<86> Section 2.5.3.1.4: An implementation-specific local recovery policy is a central access policy that allows the implementation itself, and the authorities that manage it, access to the resource being protected in disaster recovery scenarios. The Windows local recovery policy ensures administrators and the system have access to resources while Windows is booted in safe mode.

<87> Section 2.5.3.3: The Windows integrity mechanism extension is not supported in Windows NT, Windows 2000, Windows XP, or Windows Server 2003.

<88> Section 2.5.3.4: Assigning the owner and group fields in the security descriptor uses the following logic:

  1. If the security descriptor that is supplied for the object by the caller includes an owner, it is assigned as the owner of the new object. Otherwise, if the DEFAULT_OWNER_FROM_PARENT flag (see section 2.5.3.4.1) is set, the new object is assigned the same owner as the parent object. If this flag is not set, the default owner specified by the token (see section 2.5.3.4.1) is assigned.

  2. If the security descriptor that is supplied for the object by the caller includes a group, it is assigned as the group of the new object. Otherwise, if the DEFAULT_GROUP_FROM_PARENT flag (see section 2.5.3.4.1) is set, the new object is assigned the same primary group as the parent object. If this flag is not set, the default group specified by the token (see section 2.5.3.4.1) is assigned.

Show: