The system uses the following algorithm to build a SACL for most types of new securable objects:
- If the creator specifies a security descriptor, the object's SACL is the SACL from that security descriptor. The system merges any inheritable ACEs from the parent into the specified SACL unless the SE_SACL_PROTECTED bit is set in the security descriptor's control bits. SYSTEM_RESOURCE_ATTRIBUTE_ACEs and SYSTEM_SCOPED_POLICY_ID_ACEs from a parent object are merged into the new object's SACL even if the SE_SACL_PROTECTED bit is set.
- If the creator does not specify a security descriptor, the system builds the object's SACL from inheritable ACEs.
- If there is no specified or inherited SACL, the object has no SACL.
To specify a SACL for a new object, the object's creator must have the SE_SECURITY_NAME privilege enabled. If the specified SACL for a new object contains only SYSTEM_RESOURCE_ATTRIBUTE_ACEs, the SE_SECURITY_NAME privilege is not required. The creator also does not need this privilege if the object's SACL is built only from inherited ACEs.
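As an added example that is not part of the original page, the following Windows PowerShell 5.1 script exercises the three rules above and the privilege requirement on NTFS files. It enables SeSecurityPrivilege (the page's SE_SECURITY_NAME) in the process token, places an inheritable audit ACE on a parent directory, and then creates three files: one with no security descriptor, one whose specified SACL is not protected, and one whose SACL carries SE_SACL_PROTECTED (the `P` flag on the `S:` section of an SDDL string). The directory name, the audit rules, the SDDL strings and the `EnablePrivilege` helper are assumptions made for this demonstration; run the script from an elevated session.

```powershell
# Added example, not code from the original page. Exercises the SACL rules for new objects on
# NTFS from an elevated Windows PowerShell 5.1 session (.NET Framework). The directory name,
# audited identities, audit rules and SDDL strings are demonstration choices.

# Assumed helper (not a Windows or .NET API): enable a privilege in the current process token.
# An elevated token holds SeSecurityPrivilege but leaves it disabled; the page requires it ENABLED
# when the creator specifies a SACL, otherwise CreateFile fails with ERROR_PRIVILEGE_NOT_HELD.
Add-Type -Namespace SaclDemo -Name NativeMethods -MemberDefinition @'
    [StructLayout(LayoutKind.Sequential)]
    public struct LUID { public uint LowPart; public int HighPart; }
    [StructLayout(LayoutKind.Sequential)]
    public struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID Luid; public uint Attributes; }

    [DllImport("kernel32.dll")] public static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)] public static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool LookupPrivilegeValue(string system, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll,
        ref TOKEN_PRIVILEGES newState, uint length, IntPtr previous, IntPtr returned);

    public static bool EnablePrivilege(string name)
    {
        IntPtr token;
        if (!OpenProcessToken(GetCurrentProcess(), 0x0028 /* TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY */, out token))
            return false;
        try
        {
            TOKEN_PRIVILEGES tp = new TOKEN_PRIVILEGES();
            tp.PrivilegeCount = 1;
            tp.Attributes = 0x00000002; // SE_PRIVILEGE_ENABLED
            if (!LookupPrivilegeValue(null, name, out tp.Luid)) return false;
            if (!AdjustTokenPrivileges(token, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero)) return false;
            // AdjustTokenPrivileges returns TRUE even when the token lacks the privilege;
            // ERROR_NOT_ALL_ASSIGNED (1300) is the real answer.
            return Marshal.GetLastWin32Error() != 1300;
        }
        finally { CloseHandle(token); }
    }
'@

if (-not [SaclDemo.NativeMethods]::EnablePrivilege('SeSecurityPrivilege')) {
    throw 'SeSecurityPrivilege is not held: run this from an elevated session.'
}

# Print the SACL of an object: the SE_SACL_PROTECTED state, the audit section as SDDL,
# and each audit ACE with whether it was inherited from the parent.
function Show-Sacl([string]$Path, [string]$Label) {
    $acl = Get-Acl -Path $Path -Audit
    Write-Host ("`n{0}`n  SE_SACL_PROTECTED={1}  SDDL(audit)={2}" -f $Label,
        $acl.AreAuditRulesProtected, $acl.GetSecurityDescriptorSddlForm('Audit'))
    $acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
        Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize | Out-Host
}

# Parent directory with an inheritable audit ACE (successful Delete by Everyone, inherited by
# child files and folders). This is the ACE the children below can inherit.
$parent = Join-Path $env:TEMP 'SaclDemo'
New-Item -ItemType Directory -Path $parent -Force | Out-Null
$parentAcl = Get-Acl -Path $parent -Audit
$parentAcl.AddAuditRule([System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]::Delete,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success))
Set-Acl -Path $parent -AclObject $parentAcl

# Rule 2: no security descriptor specified, so the SACL is built from inherited ACEs only.
$noSd = Join-Path $parent 'no-descriptor.txt'
New-Item -ItemType File -Path $noSd -Force | Out-Null
Show-Sacl $noSd 'Case 1: no security descriptor specified'

# Rule 1 without SE_SACL_PROTECTED: the specified SACL (failed ReadData by Everyone) is kept
# and the parent's inheritable ACE is merged into it. The D: section gives the specified
# descriptor an explicit DACL (Administrators full control) instead of relying on a default.
$sec = New-Object System.Security.AccessControl.FileSecurity
$sec.SetSecurityDescriptorSddlForm('D:(A;;FA;;;BA)S:(AU;FA;CC;;;WD)')
$merged = Join-Path $parent 'merged.txt'
[System.IO.File]::Create($merged, 4096, [System.IO.FileOptions]::None, $sec).Dispose()
Show-Sacl $merged 'Case 2: specified SACL, SE_SACL_PROTECTED clear'

# Rule 1 with SE_SACL_PROTECTED (the P flag on S:): inheritable ACEs are NOT merged.
$sec = New-Object System.Security.AccessControl.FileSecurity
$sec.SetSecurityDescriptorSddlForm('D:(A;;FA;;;BA)S:P(AU;FA;CC;;;WD)')
$protected = Join-Path $parent 'protected.txt'
[System.IO.File]::Create($protected, 4096, [System.IO.FileOptions]::None, $sec).Dispose()
Show-Sacl $protected 'Case 3: specified SACL, SE_SACL_PROTECTED set'

# Remove-Item -Path $parent -Recurse -Force   # cleanup when done
```

By the rules on this page, the parent's Everyone/Delete audit entry should appear with IsInherited set on the first two files and be absent from the third, whose only audit entry is the explicit one from its SDDL. Comment out the `EnablePrivilege` check and re-run cases 2 and 3 to see the privilege requirement in action: with SeSecurityPrivilege disabled the creation fails, while case 1 still succeeds because its SACL is built only from inherited ACEs. On PowerShell 7 the `Create` overload that accepts a `FileSecurity` lives in `System.IO.FileSystemAclExtensions` rather than `System.IO.File`.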
The system uses a different algorithm to build a SACL for a new Active Directory object. For more information, see How Security Descriptors are Set on New Directory Objects.