
6 Appendix B: Product Behavior

Note: Some of the information in this section is subject to change because it applies to an unreleased, preliminary version of the Windows Server operating system, and thus may differ from the final version of the server software when released. All behavior notes that pertain to the unreleased, preliminary version of the Windows Server operating system contain specific references to Windows Server 2016 Technical Preview as an aid to the reader.

  • Windows NT operating system

  • Windows 2000 operating system

  • Windows XP operating system

  • Windows Server 2003 operating system

  • Windows Vista operating system

  • Windows Server 2008 operating system

  • Windows 7 operating system

  • Windows Server 2008 R2 operating system

  • Windows 8 operating system

  • Windows Server 2012 operating system

  • Windows 8.1 operating system

  • Windows Server 2012 R2 operating system

  • Windows 10 operating system

  • Windows Server 2016 Technical Preview operating system

Exceptions, if any, are noted below. If a service pack or Quick Fix Engineering (QFE) number appears with the product version, behavior changed in that service pack or QFE. The new behavior also applies to subsequent service packs of the product unless otherwise specified. If a product edition appears with the product version, behavior is different in that product edition.

Unless otherwise specified, any statement of optional behavior in this specification that is prescribed using the terms SHOULD or SHOULD NOT implies product behavior in accordance with the SHOULD or SHOULD NOT prescription. Unless otherwise specified, the term MAY implies that the product does not follow the prescription.

<1> Section 2.1: Windows is implemented on little-endian systems.

<2> Section 2.3.8: Windows implementations access the Value field with non-standard string functions to add or extract strings from the buffer. If standard C conventions were followed, the Value datatype would nominally be wchar_t**.

<3> Section 2.4.1: Only Windows Server 2012 and Windows Server 2012 R2 Kerberos KDCs support this value.

<4> Section 2.4.1: Only Windows Server 2012 and Windows Server 2012 R2 Kerberos KDCs support this value for protocol transition (S4U2Self)-based service tickets.

<5> Section 2.4.2.4: Not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2012 operating system, and Windows Server 2008 R2.

<6> Section 2.4.2.4: Not supported by Windows 2000.

<7> Section 2.4.2.4: Not supported by Windows 2000.

<8> Section 2.4.2.4: Not supported by Windows 2000.

<9> Section 2.4.2.4: Supported in Windows Server 2003 and Windows Server 2008. The DC adds this SID:

  • When the user is a member of the forest.

  • When the user is not a member of the forest and the TRUST_ATTRIBUTE_CROSS_ORGANIZATION bit of the Trust Attribute ([MS-ADTS] section 6.1.6.7.9) of the trusted domain object is not set.

<10> Section 2.4.2.4: The COMPOUNDED_AUTHENTICATION SID is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

<11> Section 2.4.2.4: The CLAIMS_VALID SID is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

<12> Section 2.4.2.4: Supported by Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview.

<13> Section 2.4.2.4: A built-in group that is created when a domain controller is added to the domain. Supported by Windows 2000, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2 operating system, and Windows Server 2012.

<14> Section 2.4.2.4: A built-in group that is created when a domain controller is added to the domain. Supported by Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012.

<15> Section 2.4.2.4: A built-in group that is created when a domain controller is added to the domain. Supported by Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012.

<16> Section 2.4.2.4: A built-in group that is created when a domain controller is added to the domain. Supported by Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012.

<17> Section 2.4.2.4: A built-in group that is created when a domain controller is added to the domain. Supported by Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012.

<18> Section 2.4.2.4: A built-in group that is created when a domain controller is added to the domain. Supported by Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012.

<19> Section 2.4.2.4: A built-in group that is created when a domain controller is added to the domain. Supported by Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012.

<20> Section 2.4.2.4: A new local group is created for Windows Server 2003 operating system with Service Pack 1 (SP1), Windows Server 2003 operating system with Service Pack 2 (SP2), Windows Server 2003 operating system with Service Pack 3 (SP3), Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012.

<21> Section 2.4.2.4: A built-in group that is created when a domain controller is added to the domain. Supported by Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012.

<22> Section 2.4.2.4: A built-in group that is created when a domain controller is added to the domain. Supported by Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012.

<23> Section 2.4.2.4: A built-in group that is created when a domain controller is added to the domain. Supported by Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012.

<24> Section 2.4.2.4: A built-in group that is created when a domain controller is added to the domain. Supported by Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012.

<25> Section 2.4.2.4: The THIS_ORGANIZATION_CERTIFICATE SID is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<26> Section 2.4.2.4: Supported only in Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview.

<27> Section 2.4.2.4: Supported only in Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview.

<28> Section 2.4.2.4: Supported in Windows Server 2003 and Windows Server 2008. When the TRUST_ATTRIBUTE_CROSS_ORGANIZATION bit of the Trust Attribute ([MS-ADTS] section 6.1.6.7.9) of the trusted domain object is set:

  • If the forest boundary is crossed, Windows domain controllers add this SID.

  • If Windows domain controllers receive requests to authenticate to resources in their domain, they check the computer object to ensure that this SID is allowed. In Windows, by default this applies to NTLM (as specified in [MS-NLMP] and [MS-APDS]), to Kerberos (as specified in [MS-KILE] and [MS-APDS]), and to TLS (as specified in [MS-TLSP] and [MS-SFU]).

<29> Section 2.4.2.4: Not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

<30> Section 2.4.2.4: In Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview, only Kerberos KDCs provide this SID.

<31> Section 2.4.2.4: Not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

<32> Section 2.4.2.4: In Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview, only Kerberos KDCs provide this SID for protocol transition (S4U2Self) based service tickets.

<33> Section 2.4.4.1: Windows NT 4.0 operating system: Not supported.

<34> Section 2.4.4.1: Windows NT 4.0: Not supported.

<35> Section 2.4.4.1: Windows NT 4.0: Not supported.

<36> Section 2.4.4.1: Windows NT 4.0 and Windows 2000: Not supported.

<37> Section 2.4.4.1: Windows NT 4.0 and Windows 2000: Not supported.

<38> Section 2.4.4.1: Windows NT 4.0 and Windows 2000: Not supported.

<39> Section 2.4.4.1: Windows NT 4.0 and Windows 2000: Not supported.

<40> Section 2.4.4.1: Windows NT 4.0 and Windows 2000: Not supported.

<41> Section 2.4.4.1: Callback in this context relates to the local-only AuthzAccessCheck function, as described in [MSDN-AuthzAccessCheck].

<42> Section 2.4.4.1: Windows NT 4.0: Not supported.

<43> Section 2.4.4.13: This construct is supported only by Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview.

<44> Section 2.4.4.17: Conditional ACEs are only supported in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview.

<45> Section 2.4.4.17.6: Supported in Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview only.

<46> Section 2.4.4.17.6: Supported in Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview only.

<47> Section 2.4.4.17.6: Supported in Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview only.

<48> Section 2.4.4.17.6: Supported in Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview only.

<49> Section 2.4.4.17.6: Supported in Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview only.

<50> Section 2.4.4.17.6: Supported in Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview only.

<51> Section 2.4.4.17.6: Supported in Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview only.

<52> Section 2.4.4.17.6: Only Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview support @Prefixed form.

<53> Section 2.4.4.17.6: Windows implementations do not set this flag by default.

<54> Section 2.4.4.17.6: For Windows 7 and Windows Server 2008 R2, the LHS MUST be an attribute name in simple form and RHS must be a single literal value. Evaluates to TRUE if the set of values for the specified LHS includes a value identical to the specified literal; otherwise, FALSE.

<55> Section 2.4.4.17.6: For Windows 7 and Windows Server 2008 R2, the RHS MUST be either a list of literals or a single literal value. Evaluates to TRUE if the LHS is a superset of the value of the specified RHS; otherwise, FALSE.

<56> Section 2.4.4.17.6: Supported in Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview only.

<57> Section 2.4.4.17.6: Supported in Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview only.

<58> Section 2.4.4.17.7: Supported in Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview only.

<59> Section 2.4.5: This is applicable for Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview.

<60> Section 2.4.6: Windows typically presents the target fields in this order: Sacl, Dacl, OwnerSid, GroupSid.

<61> Section 2.4.6: Windows sets Sbz1 to zero for Windows resources.

<62> Section 2.4.6: This field is intended only for use by the POSIX subsystem and is otherwise ignored by the Windows access control components.

<63> Section 2.4.10.1: These values are only supported in Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview. They are ignored by the access check algorithm (section 2.5.3.2).

<64> Section 2.4.10.1: These values are only supported in Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview.

<65> Section 2.4.10.2: Supported only in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview.

<66> Section 2.5.1: SDDL was introduced in Windows 2000.

<67> Section 2.5.1.1: GUIDs are only supported on Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview.

<68> Section 2.5.1.1: For the domain built-in ADMINISTRATOR (S-1-5-21-<domain>-500), Windows passes the actual SID, not the "LA" token. Reporting tools may convert this back to a token when examining the SDDL.

<69> Section 2.5.1.1: Not all conditional ACE types are supported in the SDDL. Only the conditional ACE types ACCESS_ALLOWED_CALLBACK_ACE and ACCESS_DENIED_CALLBACK_ACE are supported in Windows 7 and Windows Server 2008 R2. The ACCESS_ALLOWED_CALLBACK_ACE, ACCESS_DENIED_CALLBACK_ACE, ACCESS_ALLOWED_CALLBACK_OBJECT_ACE, and SYSTEM_AUDIT_CALLBACK_ACE types are supported only in Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview.

<70> Section 2.5.1.1: Supported in Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview only.

<71> Section 2.5.1.1: Supported in Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview only.

<72> Section 2.5.1.1: Supported in Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview only.

<73> Section 2.5.1.1: Supported in Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview only.

<74> Section 2.5.1.1: Only "Member_of" is supported in Windows 7 and Windows Server 2008 R2. "Member_of", "Not_Member_of", "Member_of_Any", "Not_Member_of_Any", "Device_Member_of", "Device_Member_of_Any", "Not_Device_Member_of", and "Not_Device_Member_of_Any" are supported in Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview.

<75> Section 2.5.1.1: Supported in Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview only.

<76> Section 2.5.1.1: Not_Contains is supported in Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview only.

<77> Section 2.5.1.1: Not_Any is supported in Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview only.

<78> Section 2.5.1.1: Use of the @ symbol in the simple form is supported only in Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview.

<79> Section 2.5.1.1: Supported in Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview only.

<80> Section 2.5.2: For Windows 2000, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview, the policy is that OwnerIndex is always the same as UserIndex, except for members of the local Administrators group, in which case the OwnerIndex is set to the index for the SID representing the Administrators group. For Windows XP and Windows Server 2003, there is a policy that allows the OwnerIndex to be the UserIndex under all conditions.

<81> Section 2.5.3.1.4: An implementation-specific local recovery policy is a central access policy that allows the implementation itself, and the authorities that manage it, access to the resource being protected in disaster recovery scenarios. The Windows local recovery policy ensures administrators and the system have access to resources while Windows is booted in safe mode.

<82> Section 2.5.3.3: The Windows integrity mechanism extension is supported in Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview.

<83> Section 2.5.3.4: Assigning the owner and group fields in the security descriptor must follow this logic:

  1. If the security descriptor that is supplied for the object by the caller includes an owner, it is assigned as the owner of the new object. Otherwise, if the DEFAULT_OWNER_FROM_PARENT flag (see section 2.5.3.4.1) is set, the new object is assigned the same owner as the parent object. If this flag is not set, the default owner specified by the token (see section 2.5.3.4.1) is assigned.

  2. If the security descriptor that is supplied for the object by the caller includes a group, it is assigned as the group of the new object. Otherwise, if the DEFAULT_GROUP_FROM_PARENT flag (see section 2.5.3.4.1) is set, the new object is assigned the same primary group as the parent object. If this flag is not set, the default group specified by the token (see section 2.5.3.4.1) is assigned.
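The owner and group assignment in note <83>, combined with the default-owner policy from note <80>, modeled as an added example (not code from the specification). The `Token` and `SecurityDescriptor` classes, the `primary_group_index` field name, the `owner_always_user` switch and the sample SIDs are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

ADMINISTRATORS = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators


@dataclass
class Token:
    sids: List[str]
    user_index: int
    owner_index: int
    primary_group_index: int  # assumed name for the token's default group


@dataclass
class SecurityDescriptor:
    owner: Optional[str] = None
    group: Optional[str] = None


def build_token(user_sid, group_sids, primary_group_sid, owner_always_user=False):
    """Note <80>: OwnerIndex equals UserIndex, except for members of the
    local Administrators group, whose OwnerIndex points at that group.
    owner_always_user models the Windows XP / Server 2003 policy option."""
    sids = [user_sid] + list(group_sids)
    owner_index = 0
    if ADMINISTRATORS in sids and not owner_always_user:
        owner_index = sids.index(ADMINISTRATORS)
    return Token(sids, 0, owner_index, sids.index(primary_group_sid))


def assign_owner_and_group(caller_sd, parent_sd, token,
                           owner_from_parent=False, group_from_parent=False):
    """Note <83>: caller-supplied value first, then the parent's value if
    the DEFAULT_*_FROM_PARENT flag is set, otherwise the token default."""
    if caller_sd is not None and caller_sd.owner:
        owner = caller_sd.owner
    elif owner_from_parent:            # DEFAULT_OWNER_FROM_PARENT
        owner = parent_sd.owner
    else:
        owner = token.sids[token.owner_index]

    if caller_sd is not None and caller_sd.group:
        group = caller_sd.group
    elif group_from_parent:            # DEFAULT_GROUP_FROM_PARENT
        group = parent_sd.group
    else:
        group = token.sids[token.primary_group_index]
    return SecurityDescriptor(owner, group)


# Constructed sample values (not from the specification).
USER = "S-1-5-21-1-2-3-1104"
DOMAIN_USERS = "S-1-5-21-1-2-3-513"
PARENT = SecurityDescriptor(owner="S-1-5-18", group="S-1-5-18")
```

When auditing ownership, note that an object created by an administrator with no explicit owner and no inheritance flag ends up owned by the Administrators group rather than by the individual account.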

© 2015 Microsoft