Security Descriptor


Security Descriptor (NT-Sec-Desc or nTSecurityDescriptor) is component of the Access Control Model-Microsoft Windows that contains security information specified when it is created, or default security information if none is specified.

Security Descriptor is on every Securable object and is pre-defined for the Object type or it can be modified ONLY after creation.

Security Descriptor structure is a compact binary representation for the security associated with a Securable object such as a Microsoft Active Directory or Microsoft Windows as on a File System.

Security Descriptor is not, however, convenient for use in tools that operate primarily on text strings. Therefore, a text-based form of the Security Descriptor is available for situations when a Security Descriptor must be carried by a text method. This format is the Security Descriptor Description Language (SDDL)

Security Descriptor components#

A security descriptor includes information that specifies the following components of an object's security:

An ACL contains a list of Access Control Entry (ACEs). Each Access Control Entry specifies a set of access permissions and contains a Security Identifier (SID) that identifies a trustee for whom the permissions are allowed, denied, or audited. A trustee can be a user account, group account, or logon session.

Security Descriptor maybe modified or read using LDAP by making use of the LDAP_SERVER_SD_FLAGS_OID SupportedControl

More Information#

There might be more information for this subject on one of the following: