Hardware Dev Center

SECURITY_DESCRIPTOR_CONTROL

The SECURITY_DESCRIPTOR_CONTROL type is a set of bit flags that qualify the meaning of a SECURITY_DESCRIPTOR structure or its components. Each security descriptor has a Control member that stores the SECURITY_DESCRIPTOR_CONTROL bits.

typedef USHORT SECURITY_DESCRIPTOR_CONTROL, *PSECURITY_DESCRIPTOR_CONTROL;

Remarks

The control value can include a combination of the following SECURITY_DESCRIPTOR_CONTROL bit flags:

Value    Meaning

SE_DACL_AUTO_INHERIT_REQ

Requests that the provider for the object protected by the security descriptor automatically propagate the DACL to existing child objects. If the provider supports automatic inheritance, it propagates the DACL to any existing child objects, and sets the SE_DACL_AUTO_INHERITED bit in the security descriptors of the object and its child objects.

SE_DACL_AUTO_INHERITED

Starting with Windows 2000, indicates a security descriptor in which the DACL supports automatic propagation of inheritable ACEs to existing child objects.

For Windows 2000 ACLs that support auto-inheritance, this bit is always set. It is used to distinguish these ACLs from Windows NT 4.0 ACLs that do not support auto-inheritance.

This bit is not set in security descriptors for Windows NT 4.0 and earlier, which do not support automatic propagation of inheritable ACEs.

SE_DACL_DEFAULTED

Indicates a security descriptor with a default DACL. For example, if an object's creator does not specify a DACL, the object receives the default DACL from the creator's access token. This flag can affect how the system treats the DACL, with respect to ACE inheritance. The system ignores this flag if the SE_DACL_PRESENT flag is not set.

This flag is used to determine how the final DACL on the object is to be computed and is not stored physically in the security descriptor control of the securable object.

To set this flag, use RtlSetDaclSecurityDescriptor.

SE_DACL_PRESENT

Indicates a security descriptor that has a DACL. If this flag is not set, or if this flag is set and the DACL is NULL, the security descriptor allows full access to everyone.

This flag is used to hold the security information specified by a caller until the security descriptor is associated with a securable object. Once the security descriptor is associated with a securable object, the SE_DACL_PRESENT flag is always set in the security descriptor control.

To set this flag, use RtlSetDaclSecurityDescriptor.

SE_DACL_PROTECTED

Protects the DACL of the security descriptor from being modified by inheritable ACEs.

SE_DACL_UNTRUSTED

Indicates that the ACL pointed to by the DACL of the security descriptor was provided by an untrusted source. If this flag is set and a compound ACE is encountered, the system will substitute known valid SIDs for the server SIDs in the ACEs.

SE_GROUP_DEFAULTED

A default mechanism, rather than the original provider of the security descriptor, provided the security descriptor's group SID.

SE_OWNER_DEFAULTED

A default mechanism, rather than the original provider of the security descriptor, provided the security descriptor's owner security identifier (SID). To set this flag, use RtlSetOwnerSecurityDescriptor.

SE_RM_CONTROL_VALID

Indicates that the resource manager control bits in the security descriptor are valid. The resource manager control bits are eight bits in the Sbz1 member of the SECURITY_DESCRIPTOR structure that contain information specific to the resource manager accessing the structure. (For more information, see the Microsoft Windows Software Development Kit (SDK) for Windows 7 and .NET Framework 4.0 documentation.)

SE_SACL_AUTO_INHERIT_REQ

Requests that the provider for the object protected by the security descriptor automatically propagate the SACL to existing child objects. If the provider supports automatic inheritance, it propagates the SACL to any existing child objects, and sets the SE_SACL_AUTO_INHERITED bit in the security descriptors of the object and its child objects.

SE_SACL_AUTO_INHERITED

Indicates a security descriptor in which the SACL supports automatic propagation of inheritable ACEs to existing child objects. This bit is set only if the automatic inheritance algorithm has been performed for the object and its existing child objects.

This bit is not set in security descriptors for Windows NT 4.0 and earlier, which did not support automatic propagation of inheritable ACEs.

SE_SACL_DEFAULTED

A default mechanism, rather than the original provider of the security descriptor, provided the SACL. This flag can affect how the system treats the SACL, with respect to ACE inheritance. The system ignores this flag if the SE_SACL_PRESENT flag is not set.

SE_SACL_PRESENT

Indicates a security descriptor that has a SACL.

SE_SACL_PROTECTED

Protects the SACL of the security descriptor from being modified by inheritable ACEs.

SE_SELF_RELATIVE

Indicates a security descriptor in self-relative format with all the security information in a contiguous block of memory. If this flag is not set, the security descriptor is in absolute format. For more information, see "Absolute and Self-Relative Security Descriptors" in the Windows SDK documentation.

SE_SERVER_SECURITY

Requests that the provider for the object protected by the security descriptor build a server ACL based on the input ACL, regardless of its source (explicit or defaulting). This is done by replacing all of the GRANT ACEs with compound ACEs granting the current server. This flag is only meaningful if the subject is impersonating.
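As an added example, not code from this page or from any Microsoft header, the following C decodes a Control word into flag names and applies two rules the table states: a descriptor whose SE_DACL_PRESENT bit is clear, or whose DACL is present but NULL, grants everyone full access, and SE_DACL_DEFAULTED is ignored unless SE_DACL_PRESENT is set. The numeric bit values are assumed from winnt.h (bit i has value 1 << i in the order listed); the page gives only the names.

```c
#include <stdint.h>
#include <string.h>

typedef uint16_t SECURITY_DESCRIPTOR_CONTROL;

/* Flag names indexed by bit position, matching the winnt.h values
 * (assumed here; this page lists names only). */
static const char *const kControlNames[16] = {
    "SE_OWNER_DEFAULTED", "SE_GROUP_DEFAULTED", "SE_DACL_PRESENT",
    "SE_DACL_DEFAULTED", "SE_SACL_PRESENT", "SE_SACL_DEFAULTED",
    "SE_DACL_UNTRUSTED", "SE_SERVER_SECURITY", "SE_DACL_AUTO_INHERIT_REQ",
    "SE_SACL_AUTO_INHERIT_REQ", "SE_DACL_AUTO_INHERITED",
    "SE_SACL_AUTO_INHERITED", "SE_DACL_PROTECTED", "SE_SACL_PROTECTED",
    "SE_RM_CONTROL_VALID", "SE_SELF_RELATIVE" };

#define SE_DACL_PRESENT   0x0004
#define SE_DACL_DEFAULTED 0x0008
#define SE_DACL_PROTECTED 0x1000
#define SE_SELF_RELATIVE  0x8000

/* Per the table: no DACL, or a present-but-NULL DACL, means full access for
 * everyone. dacl_is_null mirrors whether the descriptor's Dacl pointer is NULL. */
int sd_grants_everyone_full_access(SECURITY_DESCRIPTOR_CONTROL c, int dacl_is_null)
{
    return !(c & SE_DACL_PRESENT) || dacl_is_null;
}

/* SE_DACL_DEFAULTED only takes effect when SE_DACL_PRESENT is also set. */
int sd_dacl_defaulted_effective(SECURITY_DESCRIPTOR_CONTROL c)
{
    return (c & SE_DACL_PRESENT) && (c & SE_DACL_DEFAULTED);
}

/* Write the set flags as a '|'-joined list into buf; returns the bit count. */
int sd_control_names(SECURITY_DESCRIPTOR_CONTROL c, char *buf, size_t len)
{
    int n = 0;
    buf[0] = '\0';
    for (int i = 0; i < 16; i++) {
        if (!(c & (1u << i))) continue;
        if (n++) strncat(buf, "|", len - strlen(buf) - 1);
        strncat(buf, kControlNames[i], len - strlen(buf) - 1);
    }
    return n;
}
```

A constructed Control value of SE_SELF_RELATIVE | SE_DACL_PRESENT | SE_DACL_PROTECTED (0x9004) decodes to those three names and, with a non-NULL DACL, is not reported as granting everyone full access.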


Requirements

Header

Ntifs.h (include Ntifs.h)

See also

ACE
ACL
RtlSetDaclSecurityDescriptor
RtlSetOwnerSecurityDescriptor
SECURITY_DESCRIPTOR

© 2015 Microsoft