!!! Overview
[{$pagename}] ([1.2.840.113556.1.4.801]) is a [SupportedControl] for [Microsoft Active Directory] and is used with an [LDAP] [SearchRequest] to control the portion of a Windows [Security Descriptor] to retrieve. Typically a [Domain Controller] returns only the specified portion of the [Security Descriptor].

It is also used with [LDAP] [Add Request] and [Modify Request] to control the portion of a Windows security descriptor to modify.

When sending this control to the DC, the controlValue field is set to the [BER] encoding of the following [ASN.1] structure.
{{{
SDFlagsRequestValue ::= SEQUENCE {
    Flags    INTEGER
}
}}}

The value of the control is an [integer], which is used to identify which [Security Descriptor] (SD) parts the client intends to read or modify. When the control is not specified, the default value of 15 (0x0000000F) is used.

The [Security Descriptor] parts are identified using the following [bit] values:
* [OWNER_SECURITY_INFORMATION]
* [GROUP_SECURITY_INFORMATION]
* [DACL_SECURITY_INFORMATION]
* [SACL_SECURITY_INFORMATION]

If the [{$pagename}] control is present in an LDAP [SearchRequest], the server returns a [Security Descriptor] with the parts specified in the control when:
* the [Security Descriptor] [attribute] name is explicitly mentioned in the requested attribute list
* the requested attribute list is empty
* all attributes are requested ([RFC 2251] section 4.5.1).

Without the presence of this control, the server returns a [Security Descriptor] only when the [Security Descriptor] [attribute] name is explicitly mentioned in the requested attribute list.

For [Modify Request] operations, the bits identify which [Security Descriptor] parts are affected by the operation.

%%warning
The client might supply values for other (or all) [Security Descriptor] fields. However, the server only updates the fields that are identified by the [{$pagename}] control. The remaining fields are ignored.\\
%%

%%warning
When performing an [LDAP] [Add Request] operation, the client can supply a [Security Descriptor] flags control with the operation; however, it __will be ignored by the server__.
%%

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [3.1.1.3.4.1.11 LDAP_SERVER_SD_FLAGS_OID|https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/3888c2b7-35b9-45b7-afeb-b772aa932dd0|target='_blank'] - based on information obtained 2019-02-28-
* [#2] - [6.1.3.2 SD Flags Control|https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/932a7a8d-8c93-4448-8093-c79b7d9ba499|target='_blank'] - based on information obtained 2019-02-28-