Overview
A Security Descriptor (NT-Sec-Desc) is a component of the Access Control Model in Microsoft Windows. It holds the security information specified when a securable object is created, or default security information if none was specified.
A Security Descriptor can be modified after creation.
The binary Security Descriptor structure is a compact representation of the security associated with an object, whether that object lives in Microsoft Active Directory, on a Windows file system, or in another data store.
The binary form is not, however, convenient for tools that operate primarily on text strings. A text-based form is therefore available for situations where a Security Descriptor must be carried as text. This format is the Security Descriptor Definition Language (SDDL).
Security Descriptor components
A security descriptor includes information that specifies the following components of an object's security:
- An owner Security Identifier (SID)
- A primary group SID
- A Discretionary Access Control List (DACL)
- A System Access Control List (SACL)
- Qualifiers (control flags) for the preceding items, for example whether the DACL is protected from inheriting ACEs from its parent (SE_DACL_PROTECTED, written P in SDDL)
An ACL contains an ordered list of Access Control Entries (ACEs). Each ACE specifies a set of access permissions and contains a Security Identifier (SID) that identifies a trustee for whom the permissions are allowed, denied, or audited. A trustee can be a user account, group account, or logon session. Order matters: the access check walks the DACL from the first ACE and stops as soon as the requested rights are all granted or any of them is denied, so a DACL whose explicit deny ACEs do not precede its allow ACEs (the canonical order) can grant access the deny was meant to block. Two edge cases are worth remembering: an object with no DACL at all (a NULL DACL) grants everyone full access, while an empty DACL with zero ACEs grants no one access.
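To make the text form and the components above concrete, the following added example (not code from the original page or from Microsoft) parses an SDDL string into its owner, group, DACL and SACL, decodes each ACE into type, flags, access mask and trustee SID, and checks whether the DACL is in canonical order. The alias tables are an assumed subset of the documented SDDL abbreviations, the sample descriptor is constructed for illustration, and conditional ACEs (which carry a seventh field) are rejected rather than parsed.

```python
"""Minimal SDDL (Security Descriptor Definition Language) parser.

Added example; not code from the original page or from Microsoft.
Parses  O:<owner>G:<group>D:<flags>(ace)...S:<flags>(ace)...
where each ACE is  (type;flags;rights;object_guid;inherit_object_guid;sid).
The alias tables are an assumed subset of the documented constants;
unknown aliases pass through unchanged rather than being rejected.
"""
import re
from dataclasses import dataclass, field

# Well-known SID abbreviations (subset, for illustration).
SID_ALIASES = {
    "SY": "S-1-5-18",       # NT AUTHORITY\SYSTEM
    "BA": "S-1-5-32-544",   # BUILTIN\Administrators
    "BU": "S-1-5-32-545",   # BUILTIN\Users
    "WD": "S-1-1-0",        # Everyone
    "AU": "S-1-5-11",       # Authenticated Users
    "CO": "S-1-3-0",        # CREATOR OWNER
}

# Access-right abbreviations (subset) mapped to ACCESS_MASK bits.
RIGHTS = {
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
}

ACE_TYPES = {
    "A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "AU": "SYSTEM_AUDIT",
    "OA": "ACCESS_ALLOWED_OBJECT", "OD": "ACCESS_DENIED_OBJECT",
}

@dataclass
class Ace:
    ace_type: str      # decoded name, e.g. ACCESS_ALLOWED
    flags: list        # inheritance/audit flags, e.g. ["OI", "CI", "IO"]
    rights: int        # access mask as an integer
    object_guid: str
    inherit_guid: str
    sid: str           # expanded to S-1-... where the alias is known

@dataclass
class SecurityDescriptor:
    owner: str = ""
    group: str = ""
    dacl_flags: list = field(default_factory=list)   # e.g. ["P", "AI"]
    dacl: list = field(default_factory=list)
    sacl_flags: list = field(default_factory=list)
    sacl: list = field(default_factory=list)

def _parse_rights(token):
    """Rights are either a hex ACCESS_MASK or concatenated 2-letter aliases."""
    if token.lower().startswith("0x"):
        return int(token, 16)
    mask = 0
    for alias in re.findall(r"..", token):
        mask |= RIGHTS.get(alias, 0)
    return mask

def _parse_acl(text):
    """Split 'PAI(A;OICI;FA;;;BA)...' into ACL control flags and ACE list."""
    head = re.match(r"[A-Z]*", text).group(0)          # flags run up to first '('
    flags = re.findall(r"P|AI|AR", head)               # protected, auto-inherited, auto-inherit-req
    aces = []
    for inner in re.findall(r"\(([^)]*)\)", text):
        parts = inner.split(";")
        if len(parts) != 6:
            raise ValueError(f"unsupported or malformed ACE: ({inner})")
        t, fl, rights, obj, inh, sid = parts
        aces.append(Ace(ACE_TYPES.get(t, t), re.findall(r"..", fl),
                        _parse_rights(rights), obj, inh, SID_ALIASES.get(sid, sid)))
    return flags, aces

def parse_sddl(sddl):
    """Each component body runs from its marker (O:, G:, D:, S:) to the next marker."""
    sd = SecurityDescriptor()
    marks = list(re.finditer(r"([OGDS]):", sddl))
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(sddl)
        body, key = sddl[m.end():end], m.group(1)
        if key == "O":
            sd.owner = SID_ALIASES.get(body, body)
        elif key == "G":
            sd.group = SID_ALIASES.get(body, body)
        elif key == "D":
            sd.dacl_flags, sd.dacl = _parse_acl(body)
        else:
            sd.sacl_flags, sd.sacl = _parse_acl(body)
    return sd

def dacl_is_canonical(sd):
    """Canonical order: explicit denies, then explicit allows, then inherited ACEs.
    Out-of-order DACLs can let an allow ACE satisfy a check before a later deny is seen."""
    def rank(ace):
        if "ID" in ace.flags:
            return 2
        return 0 if ace.ace_type.startswith("ACCESS_DENIED") else 1
    ranks = [rank(a) for a in sd.dacl]
    return ranks == sorted(ranks)

# Constructed sample: a protected folder descriptor plus one audit ACE (not from a real system).
SAMPLE = ("O:BAG:SYD:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)"
          "(A;OICIIO;GA;;;CO)(A;OICI;0x1200a9;;;BU)S:(AU;SAFA;FA;;;WD)")

if __name__ == "__main__":
    sd = parse_sddl(SAMPLE)
    print("owner:", sd.owner, " group:", sd.group, " dacl flags:", sd.dacl_flags)
    for ace in sd.dacl:
        print(f"  {ace.ace_type:<14} {''.join(ace.flags):<8} 0x{ace.rights:08x} {ace.sid}")
    print("canonical DACL:", dacl_is_canonical(sd))
```

The parser is deliberately strict about the six-field ACE shape so that anything it does not understand fails loudly instead of being silently misread; when auditing descriptors pulled from Active Directory, run `dacl_is_canonical` over each one, since a non-canonical DACL is a common cause of an explicit deny that never takes effect.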