SetSD method

SetSD method of the __SystemSecurity class

The SetSD method sets the security descriptor for the namespace to which a user is connected. This method requires a security descriptor in binary byte array format. If you are writing a script, use the SetSecurityDescriptor method. For more information, see Securing WMI Namespaces and Changing Access Security on Securable Objects.

If you are programming in C++, you can manipulate the binary security descriptor using SDDL, and the conversion methods ConvertSecurityDescriptorToStringSecurityDescriptor and ConvertStringSecurityDescriptorToSecurityDescriptor.

A user must have the WRITE_DAC permission, and by default, an administrator has that permission. The only part of the security descriptor that is used is the noninherited access control entry (ACE) in the discretionary access control list (DACL). By setting the CONTAINER_INHERIT flag in the ACEs, the security descriptor affects child namespaces. Both allow and deny ACEs are permitted.

Note  Because deny and allow ACEs are both permitted in a DACL, the order of ACEs is important. For more information, see Ordering of ACEs in a DACL.


  [in] uint8 SD[]


SD [in]

Byte array that makes up the security descriptor.

Return value

Returns an HRESULT that indicates the status of a method call. For scripting and Visual Basic applications, the result can be obtained from OutParameters.ReturnValue. For more information, see Constructing InParameters Objects and Parsing OutParameters Objects.

Windows Server 2003:  WMI does not use security descriptor definition strings (SDDL). You also cannot use a Win32_SecurityDescriptor object or any of its component classes, such as Win32_ACE, to change the security descriptor.

The following table lists the return values that are significant to SetSD.

Return codeDescription

Method executed successfully.


Caller does not have sufficient rights to call this method.


Attempted to run this method on OS that does not support it.


SD does not pass basic validity tests.


SD is not valid due to one of the following:

  • DACL is missing.
  • DACL is not valid.
  • ACE has the WBEM_FULL_WRITE_REP flag set, and the WBEM_PARTIAL_WRITE_REP or WBEM_WRITE_PROVIDER flag is not set.
  • ACE has the INHERIT_ONLY_ACE flag set without the CONTAINER_INHERIT_ACE flag.
  • ACE has an unknown access bit set.
  • ACE has a flag set that is not in the table.
  • ACE has a type that is not in the table.
  • The owner and group are missing from the SD.

For more information about the access control entry (ACE) flags, see WMI Security Constants.



For more information about modifying namespace security programmatically or manually, see Securing WMI Namespaces.


The following script shows how to use SetSD to set the namespace security descriptor for the root namespace and change it to the byte array shown in strSD.

' Hard-coded security descriptor
strSD = array( 1, 0, 4,129,72, 0, 0, 0, _ 
              88, 0, 0,  0, 0, 0, 0, 0, _
              20, 0, 0,  0, 2, 0,52, 0, _
               2, 0, 0,  0, 0, 2,24, 0, _
              63, 0, 6,  0, 1, 2, 0, 0, _
               0, 0, 0,  5,32, 0, 0, 0, _
              32, 2, 0,  0, 0, 2,20, 0, _
              63, 0, 6,  0, 1, 1, 0, 0, _
               0, 0, 0,  1, 0, 0, 0, 0, _
               1, 2, 0,  0, 0, 0, 0, 5, _
              32, 0, 0,  0,32, 2, 0, 0, _
               1, 2, 0,  0, 0, 0, 0, 5, _
              32, 0, 0,  0,32, 2, 0, 0)

' Connect to WMI and the root namespace.
Set oSvc = CreateObject( _
                         "WbemScripting.SWbemLocator"). _

' Get the single __SystemSecurity object in this namespace.
Set oSecurity = oSvc.Get("__SystemSecurity=@")

' Change the namespace security.
nReturn = oSecurity.SetSD(strSD)
WScript.Echo "ReturnValue " & nReturn

The following C# code sample uses the System.Security.AccessControl.RawSecurityDescriptor to enumerate, insert and remove new CommonAce objects in RawSecurityDescriptor.DiscretionaryAcl and then convert it back to an byte array to save it via SetSD. An SecurityIdentifier can be retrieved by using NTAccount and Translate.

 byte[] sdValueByteArray = new Byte[0];

            string accountName = "My User or Group";

            AceFlags aceFlags = AceFlags.ContainerInherit;

            int accessRights = 131107; // Search for Namespace Access Rights Constants and build an Flags enum

            RawSecurityDescriptor rawSecurityDescriptor = new RawSecurityDescriptor(sdValueByteArray, 0);

            NTAccount ntAccount = new NTAccount(accountName);

            IdentityReference identityReference = ntAccount.Translate(typeof(SecurityIdentifier));

            if (identityReference == null)


                string message = string.Format("The IdentityReference of NTAccount '{0}' is null.", accountName);

                throw new Exception(message);


            SecurityIdentifier securityIdentifier = identityReference as SecurityIdentifier;

            if (securityIdentifier == null)


                string message = "The IdentityReference of NTAccount '{0}' is not an SecurityIdentifier.";

                throw new Exception(message);


            CommonAce commonAce;

            foreach (GenericAce genericAce in rawSecurityDescriptor.DiscretionaryAcl)


                commonAce = genericAce as CommonAce;

                if (commonAce == null)




                if (commonAce.SecurityIdentifier.Value.Equals(securityIdentifier.Value, StringComparison.OrdinalIgnoreCase))





            commonAce = new CommonAce(aceFlags, AceQualifier.AccessAllowed, (int)accessRights, securityIdentifier, false, null);

            rawSecurityDescriptor.DiscretionaryAcl.InsertAce(rawSecurityDescriptor.DiscretionaryAcl.Count, commonAce);


Minimum supported client

Windows Vista

Minimum supported server

Windows Server 2003


All WMI namespaces

See also

WMI System Classes
WMI Security Constants
Securing WMI Namespaces



© 2016 Microsoft