Default Security Descriptor

With Active Directory Domain Services, you can also specify default security for each type of object. This is specified in the defaultSecurityDescriptor attribute in the classSchema object definition in the Active Directory schema. This security descriptor is used to provide default protection on the object if there is no security descriptor specified during the creation of the object.


ACEs from a default security descriptor are handled as if they were specified as part of object creation. Therefore, the default ACEs are placed preceding inherited ACEs and override them as appropriate. For more information, see Order of ACEs in a DACL.


The defaultSecurityDescriptor is specified in a special string format using the Security Descriptor Definition Language (SDDL). Two functions can be used to convert binary form of the security descriptor to string format and vice versa. These functions are:

For more information and the default security descriptors of the predefined object classes, see the class reference pages in the Active Directory Schema Reference of the Active Directory Domain Services Reference.

For more information and a code example that reads or modifies the defaultSecurityDescriptor property of an object class, see Reading the defaultSecurityDescriptor for an Object Class and Modifying the defaultSecurityDescriptor for an Object Class.