SACL for a New Object

The system uses the following algorithm to build a SACL for most types of new securable objects:

  1. The object's SACL is the SACL from the security descriptor specified by the object's creator. The system merges any inheritable ACEs into the specified SACL unless the SE_SACL_PROTECTED bit is set in the security descriptor's control bits. SYSTEM_RESOURCE_ATTRIBUTE_ACEs and SYSTEM_SCOPED_POLICY_ID_ACEs from a parent object are merged into a new object even if the SE_SACL_PROTECTED bit is set.
  2. If the creator does not specify a security descriptor, the system builds the object's SACL from inheritable ACEs.
  3. If there is no specified or inherited SACL, the object has no SACL.

To specify a SACL for a new object, the object's creator must have the SE_SECURITY_NAME privilege enabled. If the specified SACL for a new object contains only SYSTEM_RESOURCE_ATTRIBUTE_ACEs, the SE_SECURITY_NAME privilege is not required. The creator does not need this privilege if the object's SACL is built from inherited ACEs.
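The following is an added example, not part of the original article, that exercises cases 1 and 2 of the algorithm above on file system objects. It assumes Windows PowerShell 5.1 (where Directory.CreateDirectory accepts a DirectorySecurity) running in an elevated session, because specifying or reading a SACL requires SE_SECURITY_NAME (SeSecurityPrivilege); the paths under $env:TEMP are constructed for the demo.

```powershell
using namespace System.Security.AccessControl

# Constructed demo location; everything below lives under it.
$parent = Join-Path $env:TEMP 'sacl-demo'
New-Item -ItemType Directory -Path $parent -Force | Out-Null

# Give the parent an inheritable audit ACE so new children have something to inherit.
$parentSd = Get-Acl -Path $parent -Audit
$parentSd.AddAuditRule([FileSystemAuditRule]::new(
    'Everyone',
    [FileSystemRights]::Delete,
    [InheritanceFlags]'ContainerInherit, ObjectInherit',
    [PropagationFlags]::None,
    [AuditFlags]::Success))
Set-Acl -Path $parent -AclObject $parentSd   # needs SeSecurityPrivilege

# Case 2: the creator specifies no security descriptor, so the child's SACL is
# built from the parent's inheritable ACEs. No privilege is needed for this.
$inheritsPath = Join-Path $parent 'inherits'
New-Item -ItemType Directory -Path $inheritsPath -Force | Out-Null
'--- inherits (expect the parent Delete/Success ACE, IsInherited = True) ---'
(Get-Acl -Path $inheritsPath -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, IsInherited

# Case 1 with SE_SACL_PROTECTED: the creator supplies a SACL and marks it
# protected, so the parent's inheritable audit ACE is not merged in.
$childSd = [DirectorySecurity]::new()
$childSd.SetAuditRuleProtection($true, $false)   # isProtected = $true sets SE_SACL_PROTECTED
$childSd.AddAuditRule([FileSystemAuditRule]::new(
    'Everyone',
    [FileSystemRights]::WriteData,
    [AuditFlags]::Failure))
$protectedPath = Join-Path $parent 'protected'
[System.IO.Directory]::CreateDirectory($protectedPath, $childSd) | Out-Null
'--- protected (expect only the WriteData/Failure ACE, IsInherited = False) ---'
(Get-Acl -Path $protectedPath -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, IsInherited
```

Run the same script from a non-elevated session and the Set-Acl and CreateDirectory calls fail with a privilege error, while the plain New-Item in case 2 still succeeds, which is the privilege distinction the paragraph above describes.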

The system uses a different algorithm to build a SACL for a new Active Directory object. For more information, see How Security Descriptors are Set on New Directory Objects.