Security Descriptor


Security Descriptor (NT-Sec-Desc) is component of the Access Control Model-Microsoft Windows that contains security information specified when it is created, or default security information if none is specified.

Security Descriptor can be modified after creation.

Security Descriptor structure is a compact binary representation of the security associated with an object in a Microsoft Active Directory or Microsoft Windows as on a File System, or in other Data Stores.

Security Descriptor is not, however, convenient for use in tools that operate primarily on text strings. Therefore, a text-based form of the Security Descriptor is available for situations when a Security Descriptor must be carried by a text method. This format is the Security Descriptor Description Language (SDDL)

Security Descriptor components#

A security descriptor includes information that specifies the following components of an object's security:

An ACL contains a list of Access Control Entry (ACEs). Each Access Control Entry specifies a set of access permissions and contains a Security Identifier (SID) that identifies a trustee for whom the permissions are allowed, denied, or audited. A trustee can be a user account, group account, or logon session.

More Information#

There might be more information for this subject on one of the following: