Security Descriptor


Security Descriptor (NT-Sec-Desc) is component of the Access Control Model-Microsoft Windows that contains security information specified when it is created, or default security information if none is specified.

Security Descriptor can be modified ONLY after creation.

Security Descriptor structure is a compact binary representation of the security associated with an object in a Microsoft Active Directory or Microsoft Windows as on a File System, or in other Data Stores.

Security Descriptor is not, however, convenient for use in tools that operate primarily on text strings. Therefore, a text-based form of the Security Descriptor is available for situations when a Security Descriptor must be carried by a text method. This format is the Security Descriptor Description Language (SDDL)

Security Descriptor components#

A security descriptor includes information that specifies the following components of an object's security:

An ACL contains a list of Access Control Entry (ACEs). Each Access Control Entry specifies a set of access permissions and contains a Security Identifier (SID) that identifies a trustee for whom the permissions are allowed, denied, or audited. A trustee can be a user account, group account, or logon session.

Security Descriptor maybe modified or read using LDAP by making use of the LDAP_SERVER_SD_FLAGS_OID SupportedControl

More Information#

There might be more information for this subject on one of the following: