6.1.3 Security Descriptor Requirements

Constants

  • LDAP constants: LDAP_SERVER_SD_FLAGS_OID.

  • SD flags: OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION, DACL_SECURITY_INFORMATION, SACL_SECURITY_INFORMATION, SECURITY_PRIVATE_OBJECT.

  • Security access mask bits and privileges: SE_RESTORE_PRIVILEGE, RIGHT_WRITE_DAC, RIGHT_WRITE_OWNER, ACCESS_SYSTEM_SECURITY, SE_GROUP_OWNER, SE_GROUP_USE_FOR_DENY_ONLY.

  • Security descriptor values stored in Active Directory are in SECURITY_DESCRIPTOR format (see [MS-DTYP] section 2.4.6). In addition to the defined fields, the RM Control (Resource Manager Control) field is used. It is stored in the Sbz1 byte of the SECURITY_DESCRIPTOR structure. The SECURITY_PRIVATE_OBJECT bit (0x01) might be present in the field.

  • Error codes: ERROR_INVALID_OWNER.

The following requirements apply to SDs that are maintained by a DC:

  1. Each object's SD retains the set of explicit (noninherited) ACEs stamped in its DACL and SACL (if present). It also retains the owner and group SID values as well as various SD flags (see SD reference [MS-DTYP] section 2.4.6). The owner SID cannot be NULL, while the group SID can be NULL.

  2. The SD also includes the set of inheritable ACEs from its parent object. It includes both applicable and nonapplicable inheritable ACEs. The following exceptions apply to the preceding rule:

    1. The object is the root of an NC. In this case, the SD does not include any inherited ACEs.

    2. If the ACL (either DACL or SACL) has the "protected from inheritance" flag set. In this case, the ACL does not include inheritable ACEs from the parent object's SD.

    3. The object is deleted. In this case, the set of inheritable ACEs that were obtained from the parent object's SD at the time of object deletion is retained.

  3. When the forest functional level is DS_BEHAVIOR_WIN2003 or above and the fDontStandardizeSDs heuristic is FALSE (section 6.1.1.2.4.1.2), then the ACEs in the ACLs are sorted according to ACE ordering rules (see the following ACE ordering rules section). Otherwise, if the forest functional level is less than DS_BEHAVIOR_WIN2003, the order of explicit ACEs supplied by the client is preserved.

  4. The ACEs with the inheritedObjectType field present are marked as effective or ineffective by setting the INHERIT_ONLY_ACE flag. The INHERIT_ONLY_ACE flag identifies an ineffective ACE, which does not control access to the object to which it is attached. If this flag is not set, the ACE is an effective ACE, which controls access to the object to which it is attached. This flag is set according to SD merge rules (see the CreateSecurityDescriptor algorithm in [MS-DTYP] section 2.5.3.4.1), based on the current value of the object's objectClass attribute. Specifically, the following objectClass values are considered when processing inheritable ACEs from the parent's SD: the most specific structural objectClass value, as well as all dynamic auxiliary class values. The static auxiliary classes and non–most specific object classes are not considered. For example, in Active Directory schema, computer objects have the following objectClass values: top, person, organizationalPerson, user, and computer. In this case, only the computer class has to be considered for inheritance processing. For inheritance processing, each effective objectClass value is converted to the GUID (as per schema mapping object classes to GUIDs; see Schema (section 3.1.1.3.1.1)) and supplied as an input to the SD merge routine.

  5. In order to compute the resultant SD value for an object, the CreateSecurityDescriptor algorithm ([MS-DTYP] section 2.5.3.4.1) is invoked with the following input parameters:

    1. ParentDescriptor: If the object is NC root, then NULL; otherwise, the SD value of the parent object.

    2. CreatorDescriptor: The current SD value stamped on the object. When an LDAP add operation is performed and no SD value is supplied, the SD value is first defaulted according to the rules specified in sections 6.1.3.6 and 6.1.3.7.

    3. IsContainerObject: TRUE is always passed.

    4. AutoInheritFlags: DACL_AUTO_INHERIT | SACL_AUTO_INHERIT.

    5. Token: When processing an originating SD write, the security information of the requester is used. Otherwise, SYSTEM security information is used; note that, in the case of auto-propagation into children, the information from the token is never used, because all required SD parts are always present and there is nothing that needs to be defaulted.

    6. GenericMapping: The following mapping table is used for all Active Directory SD operations:

      • GENERIC_READ_MAPPING = RIGHT_READ_CONTROL | RIGHT_DS_LIST_CONTENTS | RIGHT_DS_READ_PROPERTY | RIGHT_DS_LIST_OBJECT

      • GENERIC_WRITE_MAPPING = RIGHT_READ_CONTROL | RIGHT_DS_WRITE_PROPERTY_EXTENDED | RIGHT_DS_WRITE_PROPERTY

      • GENERIC_EXECUTE_MAPPING = RIGHT_READ_CONTROL | RIGHT_DS_LIST_CONTENTS

      • GENERIC_ALL_MAPPING = RIGHT_DELETE | RIGHT_READ_CONTROL | RIGHT_WRITE_DAC | RIGHT_WRITE_OWNER | RIGHT_DS_CREATE_CHILD | RIGHT_DS_DELETE_CHILD | RIGHT_DS_DELETE_TREE | RIGHT_DS_READ_PROPERTY | RIGHT_DS_WRITE_PROPERTY | RIGHT_DS_LIST_CONTENTS | RIGHT_DS_LIST_OBJECT | RIGHT_DS_CONTROL_ACCESS | RIGHT_DS_WRITE_PROPERTY_EXTENDED

  6. Any CREATOR/OWNER ineffective ACE has a matching effective ACE granted to the current owner of the object (as obtained from the SD OWNER field).

  7. NULL DACLs are disallowed.