Changing Access Security on Securable Objects

Printers, services, registry keys, DCOM applications, and WMI namespaces are securable objects. The access to securable objects is protected by security descriptors, which specify the users who have access. Starting with Windows Vista, many securable objects have methods for getting or setting the security descriptor. With appropriate permissions, you can read or change security descriptors on securable objects. Using these methods, you can control which user accounts or groups have access to a printer, service, WMI namespace, or other object. For more information about security descriptors and their use in WMI, see Access to WMI Securable Objects.

The following sections are discussed in this topic:

Objects and Security Descriptor Methods

The following list contains the methods that securable objects have to enable you to read or change the security descriptor:


When a new Security Access Control List (SACL) is not specified in a call to a SetSecurityDescriptor method, then the security descriptor SACL on the target securable object is set to NULL so that the previous SACL setting does not persist.


Converting Between Security Descriptor Formats

Security descriptors are complex binary byte arrays that must normally be created and changed in C++. After you have used one of the Get methods to obtain the security descriptor, the Win32_SecurityDescriptorHelper class supplies methods that convert security descriptors into either Security Descriptor Definition Language (SDDL) or to Win32_SecurityDescriptor instances.

You can manipulate the Access Control Lists (ACL) more easily in Win32_SecurityDescriptor instances or in SDDL. For more information about the structure and use of security descriptors in WMI, see WMI Security Descriptor Objects.

In C++ or C# use conversion functions to convert binary security descriptors to Security Descriptor Definition Language (SDDL). To modify security descriptor values in C++ applications, use ConvertSecurityDescriptorToStringSecurityDescriptor and ConvertStringSecurityDescriptorToSecurityDescriptor.

Security Issues

It is recommended that changes to security descriptors be done with great caution so that the security of the object is not compromised. Be aware that the order of access control entries (ACEs) in a discretionary access control list (DACL) can affect access security. For more information, see Order of ACEs in a DACL.

WMI Security Descriptor Objects

Security Descriptor Helper Class

Security Best Practices

Maintaining WMI Security

Access Control

Access to WMI Namespaces