DACL for a New Object
The system uses the following algorithm to build a DACL for most types of new securable objects:
- If the object's creator specifies a security descriptor, the object's DACL is the DACL from that security descriptor. The system merges any inheritable ACEs into the specified DACL unless the SE_DACL_PROTECTED bit is set in the security descriptor's control bits.
- If the creator does not specify a security descriptor, the system builds the object's DACL from inheritable ACEs.
- If no security descriptor is specified and there are no inheritable ACEs, the object's DACL is the default DACL from the primary or impersonation token of the creator.
- If there is no specified, inherited, or default DACL, the system creates the object with no DACL, which allows everyone full access to the object.
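The first three cases, demonstrated on NTFS files (added example, not part of the SDK page). It assumes an NTFS volume behind $env:TEMP; because the .NET file-creation overloads that accept a FileSecurity differ between Windows PowerShell and PowerShell 7, each file is created first and its DACL applied with Set-Acl, which honours the same SE_DACL_PROTECTED merge rule. The Show-Dacl helper and file names are this example's own; the fourth case (a NULL DACL) is deliberately not created.

```powershell
# Added example, not from the Windows SDK page. Assumes NTFS under $env:TEMP.
$root = Join-Path $env:TEMP 'dacl-demo'
New-Item -ItemType Directory -Path $root -Force | Out-Null

# Give the parent an inheritable ACE so children have something to inherit.
$parentAcl = Get-Acl -Path $root
$inheritable = [System.Security.AccessControl.FileSystemAccessRule]::new(
    'BUILTIN\Users', 'ReadAndExecute',
    'ContainerInherit, ObjectInherit', 'None', 'Allow')   # flags make it inheritable
$parentAcl.AddAccessRule($inheritable)
Set-Acl -Path $root -AclObject $parentAcl

# Helper (this example's own): print whether the DACL is protected and which ACEs are inherited.
function Show-Dacl([string]$Path) {
    $acl = Get-Acl -Path $Path
    '{0}: protected={1}' -f (Split-Path $Path -Leaf), $acl.AreAccessRulesProtected
    $acl.Access | ForEach-Object {
        '   {0,-6} {1,-35} inherited={2}' -f $_.AccessControlType, $_.IdentityReference, $_.IsInherited
    }
}

$owner = [System.Security.Principal.WindowsIdentity]::GetCurrent().User

# Case 2: creator supplies no security descriptor -> DACL built only from inheritable ACEs.
$inheritedFile = Join-Path $root 'inherited.txt'
New-Item -ItemType File -Path $inheritedFile -Force | Out-Null
Show-Dacl $inheritedFile        # every entry shows inherited=True

# Case 1 with SE_DACL_PROTECTED: explicit DACL, inheritable ACEs are NOT merged in.
$protectedFile = Join-Path $root 'protected.txt'
New-Item -ItemType File -Path $protectedFile -Force | Out-Null
$acl = [System.Security.AccessControl.FileSecurity]::new()
$acl.SetAccessRuleProtection($true, $false)   # $true = SE_DACL_PROTECTED; $false = do not copy inherited ACEs
$acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new($owner, 'FullControl', 'Allow'))
Set-Acl -Path $protectedFile -AclObject $acl
Show-Dacl $protectedFile        # protected=True, single explicit entry, nothing inherited

# Case 1 without SE_DACL_PROTECTED: explicit ACE merged with the parent's inheritable ACEs.
$mergedFile = Join-Path $root 'merged.txt'
New-Item -ItemType File -Path $mergedFile -Force | Out-Null
$acl = Get-Acl -Path $mergedFile
$acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new($owner, 'Modify', 'Allow'))
Set-Acl -Path $mergedFile -AclObject $acl
Show-Dacl $mergedFile           # protected=False, one inherited=False entry beside the inherited ones
```

Run it in a session that owns $env:TEMP; the protected file is the one to compare against the others when auditing why an object did not pick up a parent's ACEs.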
The system uses a different algorithm to build a DACL for a new Active Directory object. For more information, see How Security Descriptors are Set on New Directory Objects.