Appendix K: Default Settings in the Master Security Descriptor of the AdminSDHolder Object

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

This appendix provides the default settings in the master security descriptor of the AdminSDHolder object for Windows 2000 and Windows Server 2003.

Default Setting in the Master Security Descriptor of the AdminSDHolder Object for Windows 2000 Server

Type: Name (Apply To), followed by the permissions granted

Allow: Administrators (This object only)
  • List Contents
  • Read All Properties
  • Write All Properties
  • Delete
  • Read Permissions
  • Modify Permissions
  • Modify Owner
  • All Validated Writes
  • All Extended Rights
  • Create All Child Objects
  • Delete All Child Objects

Allow: Authenticated Users (This object only)
  • List Contents
  • Read All Properties
  • Read Permissions

Allow: Domain Admins (This object only)
  • List Contents
  • Read All Properties
  • Write All Properties
  • Read Permissions
  • Modify Permissions
  • Modify Owner
  • All Validated Writes
  • All Extended Rights
  • Create All Child Objects
  • Delete All Child Objects

Allow: Enterprise Admins (This object only)
  • List Contents
  • Read All Properties
  • Write All Properties
  • Read Permissions
  • Modify Permissions
  • Modify Owner
  • All Validated Writes
  • All Extended Rights
  • Create All Child Objects
  • Delete All Child Objects

Allow: Everyone (This object only)
  • Change Password

Allow: Pre–Windows 2000 Compatible Access (User objects)
  • List Contents
  • Read All Properties
  • Read Permissions

Allow: SYSTEM (This object only)
  • Full Control

Default Setting in the Master Security Descriptor of the AdminSDHolder Object for Windows Server 2003

Type: Name (Apply To), followed by the permissions granted

Allow: Administrators (This object only)
  • List Contents
  • Read All Properties
  • Write All Properties
  • Delete
  • Read Permissions
  • Modify Permissions
  • Modify Owner
  • All Validated Writes
  • All Extended Rights
  • Create All Child Objects
  • Delete All Child Objects

Allow: Authenticated Users (This object only)
  • List Contents
  • Read All Properties
  • Read Permissions

Allow: Domain Admins (This object only)
  • List Contents
  • Read All Properties
  • Write All Properties
  • Read Permissions
  • Modify Permissions
  • Modify Owner
  • All Validated Writes
  • All Extended Rights
  • Create All Child Objects
  • Delete All Child Objects

Allow: Enterprise Admins (This object only)
  • List Contents
  • Read All Properties
  • Write All Properties
  • Read Permissions
  • Modify Permissions
  • Modify Owner
  • All Validated Writes
  • All Extended Rights
  • Create All Child Objects
  • Delete All Child Objects

Allow: Everyone (This object only)
  • Change Password

Allow: Pre–Windows 2000 Compatible Access (User and InetOrgPerson objects)
  • List Contents
  • Read All Properties
  • Read Permissions

Allow: SYSTEM (This object only)
  • Full Control

Allow: SELF (This object only)
  • Change Password

Allow: Cert Publishers (This object only)
  • Read user Cert
  • Write user Cert

Allow: Windows Authorization Access Group (This object only)
  • Read tokenGroupsGlobalAndUniversal

Allow: Terminal Server License Servers (This object only)
  • Read terminalServer*
  • Write terminalServer*

The terminalServer property, as well as many other properties, is defined in the schema but filtered from display in the ACL editor UI. The list of filtered properties is stored in the file Dssec.dat that is located in the systemroot\System32 folder on all domain controllers. If you need to apply permissions to a property that is not shown in the UI, you can edit the entry in Dssec.dat to display the filtered properties through the UI. For more information about editing this file, see article 296490, “How to Modify the Filtered Properties of an Object (296490)” in the Microsoft Knowledge Base at https://go.microsoft.com/fwlink/?LinkId=4441.

The following table shows the difference between the default settings in the master security descriptor of the AdminSDHolder object for Windows 2000 and for Windows Server 2003 by listing the permissions that are added in Windows Server 2003.

New Permissions in Windows Server 2003

Type: Name (Apply To), followed by the permissions granted

Allow: Pre–Windows 2000 Compatible Access (InetOrgPerson objects)
  • List Contents
  • Read All Properties
  • Read Permissions

Allow: SELF (This object only)
  • Change Password

Allow: Cert Publishers (This object only)
  • Read user Cert
  • Write user Cert

Allow: Windows Authorization Access Group (This object only)
  • Read tokenGroupsGlobalAndUniversal

Allow: Terminal Server License Servers (This object only)
  • Read terminalServer*
  • Write terminalServer*

The following is the DACL (in SDDL) on the ADMINSDHOLDER object in Windows 2000:

(A;;RPLCLORC;;;AU)
(A;;RPWPCRLCLOCCDCRCWDWOSWSD;;;BA)
(A;;RPWPCRLCLOCCDCRCWDWOSW;;;EA)
(A;;RPWPCRLCLOCCDCRCWDWOSW;;;DA)
(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)
(OA;;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)
(OA;;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)
(OA;;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)
(OA;;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)
(OA;;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)
(OA;;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)
(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)

The following is the DACL (in SDDL) on the ADMINSDHOLDER object in Windows Server 2003:

(A;;RPLCLORC;;;AU)
(A;;RPWPCRLCLOCCDCRCWDWOSWSD;;;BA)
(A;;RPWPCRLCLOCCDCRCWDWOSW;;;EA)
(A;;RPWPCRLCLOCCDCRCWDWOSW;;;DA)
(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)
(OA;;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)
(OA;;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)
(OA;;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)
(OA;;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)
(OA;;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)
(OA;;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)
(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)
(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)
(OA;;RPWP;bf967a7f-0de6-11d0-a285-00aa003049e2;;CA)
(OA;;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)
(OA;;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)
(OA;;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)
(OA;;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)
(OA;;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)
(OA;;RPLCLORC;;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)
(OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58d456d2;;S-1-5-32-560)
(OA;;WPRP;6db69a1c-9422-11d1-aebd-0000f80367c1;;S-1-5-32-561)

Note

In each case, although several ACEs grant Read Property permission on specific property sets to the Pre-Windows 2000 Compatible Access group, the ACE that grants that group RPLCLORC with no property GUID (listed with the DACLs above) grants blanket Read Property permission, in effect making the other ACEs unnecessary. However, for compatibility reasons, they should not be removed. The tables in this appendix document the access granted by the one ACE that grants blanket Read Property access.
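As an added example (not part of this appendix), a small Python parser for the SDDL DACLs above: it decodes the two-letter rights codes and trustee aliases into the names used in the tables, lists the ACEs that Windows Server 2003 adds over Windows 2000, and flags the property-specific Read Property ACEs that the note describes as redundant beside the blanket one. The name for S-1-5-32-560 is taken from the tables above; the DACL strings are excerpts of those printed above, not the complete lists.

```python
import re
from typing import NamedTuple
# SDDL two-letter access rights that appear in the DACLs above, named as in the tables above.
RIGHTS = {"RP": "Read All Properties", "WP": "Write All Properties", "CR": "All Extended Rights",
          "LC": "List Contents", "LO": "List Object", "RC": "Read Permissions", "SD": "Delete",
          "CC": "Create All Child Objects", "DC": "Delete All Child Objects", "DT": "Delete Subtree",
          "WD": "Modify Permissions", "WO": "Modify Owner", "SW": "All Validated Writes"}
# SDDL trustee aliases, plus the well-known BUILTIN SID that the 2003 DACL above writes out in full.
TRUSTEES = {"RU": "Pre-Windows 2000 Compatible Access", "AU": "Authenticated Users", "BA": "Administrators",
            "EA": "Enterprise Admins", "DA": "Domain Admins", "SY": "SYSTEM", "WD": "Everyone", "PS": "SELF",
            "CA": "Cert Publishers", "S-1-5-32-560": "Windows Authorization Access Group"}
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")
# ACE fields: rights = two-letter codes; object_guid = property, property set or extended right ("" = all);
# inherit_guid = object class the ACE applies to ("" = this object only); trustee = resolved name or raw SID.
Ace = NamedTuple("Ace", [("rights", tuple), ("object_guid", str), ("inherit_guid", str), ("trustee", str)])

def parse_dacl(sddl: str) -> list[Ace]:
    """Split an SDDL DACL into allow ACEs; GUIDs are lower-cased so mixed-case entries compare equal."""
    aces = []
    for m in ACE_RE.finditer(sddl):
        ace_type, _flags, rights, obj, inh, sid = m.groups()
        if ace_type not in ("A", "OA") or len(rights) % 2:
            raise ValueError(f"unexpected ACE in AdminSDHolder DACL: {m.group(0)}")
        codes = tuple(rights[i:i + 2] for i in range(0, len(rights), 2))
        aces.append(Ace(codes, obj.lower(), inh.lower(), TRUSTEES.get(sid, sid)))
    return aces

def describe(ace: Ace) -> str:  # trustee plus permission names as the tables show them; GUIDs not resolved
    return ace.trustee + ": " + ", ".join(RIGHTS.get(c, c) for c in ace.rights)

def added_aces(old: str, new: str) -> list[Ace]:
    """ACEs in `new` that are not in `old` (what the 'New Permissions' table above lists)."""
    seen = set(parse_dacl(old))
    return [a for a in parse_dacl(new) if a not in seen]

def redundant_property_reads(sddl: str) -> list[Ace]:
    """Note above: property-specific RP ACEs already covered by a blanket RP ACE for the same trustee and class."""
    aces = parse_dacl(sddl)
    blanket = {(a.trustee, a.inherit_guid) for a in aces if "RP" in a.rights and not a.object_guid}
    return [a for a in aces if a.object_guid and a.rights == ("RP",) and (a.trustee, a.inherit_guid) in blanket]

# Excerpts (not the complete lists) of the Windows 2000 and Windows Server 2003 DACLs printed above.
W2K_DACL = ("(A;;RPLCLORC;;;AU)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)"
            "(OA;;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)"
            "(OA;;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)")
W2K3_DACL = W2K_DACL + ("(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)"
                        "(OA;;RPWP;bf967a7f-0de6-11d0-a285-00aa003049e2;;CA)"
                        "(OA;;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)"
                        "(OA;;RPLCLORC;;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)"
                        "(OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58d456d2;;S-1-5-32-560)")
```

Running `added_aces(W2K_DACL, W2K3_DACL)` over the full DACL strings from this appendix reproduces the New Permissions table; `redundant_property_reads` returns the property-set Read Property ACEs for the Pre-Windows 2000 Compatible Access group, one per object class (user, and in 2003 also inetOrgPerson) that has a blanket RPLCLORC ACE.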