DACL for a New Object

The system uses the following algorithm to build a DACL for most types of new securable objects:

  1. The object's DACL is the DACL from the security descriptor specified by the object's creator. The system merges any inheritable ACEs into the specified DACL unless the SE_DACL_PROTECTED bit is set in the security descriptor's control bits.
  2. If the creator does not specify a security descriptor, the system builds the object's DACL from inheritable ACEs.
  3. If no security descriptor is specified and there are no inheritable ACEs, the object's DACL is the default DACL from the primary or impersonation token of the creator.
  4. If there is no specified, inherited, or default DACL, the system creates the object with no DACL, which allows everyone full access to the object.

The system uses a different algorithm to build a DACL for a new Active Directory object. For more information, see How Security Descriptors are Set on New Directory Objects.