2.5 ntSecurityDescriptor Attribute

The ntSecurityDescriptor attribute ([MS-ADA3] section 2.37) is a security descriptor as specified in [MS-DTYP] section 2.4.6.<7> The discretionary access control list (DACL) field of the security descriptor is an access control list (ACL) (as specified in [MS-DTYP] section 2.4.5) that specifies the permission set for this certificate template. Each access control entry (ACE) ([MS-DTYP] section 2.4.4) in the ACL specifies access rights.

The data structure in this attribute supports all types of ACE. However, the Windows Client Certificate Enrollment Protocol uses only two predefined permissions: Enroll and AutoEnroll. The AutoEnroll permission instructs the Windows autoenrollment client to enroll for that template automatically.
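As an added illustration (not part of the specification), the following Python sketch walks a self-relative security descriptor and lists which SIDs hold Enroll or AutoEnroll through allow object ACEs in the DACL, which is the check an auditor runs when reviewing who can request certificates from a template. Field offsets follow the [MS-DTYP] layouts cited above. Assumptions: the two extended-right GUIDs are the well-known Active Directory values and are not given on this page; the function names and the sample descriptor with its SIDs are constructed for the example.

```python
import struct, uuid

# Well-known AD control access right GUIDs (not stated on this page).
RIGHTS = {uuid.UUID("0e10c968-78fb-11d2-90d4-00c04f79dc55"): "Enroll",
          uuid.UUID("a05b8cc2-17bc-4802-a710-e7c15ab866a2"): "AutoEnroll"}
ALLOWED_OBJECT_ACE = 0x05           # ACCESS_ALLOWED_OBJECT_ACE_TYPE
CONTROL_ACCESS = 0x100              # ADS_RIGHT_DS_CONTROL_ACCESS
OBJECT_TYPE, INHERITED_TYPE = 0x1, 0x2  # ACE Flags: which GUID fields are present

def sid_to_str(b):
    auth = int.from_bytes(b[2:8], "big")            # 6-byte big-endian authority
    subs = struct.unpack_from("<%dI" % b[1], b, 8)  # b[1] = SubAuthorityCount
    return "S-%d-%d" % (b[0], auth) + "".join("-%d" % s for s in subs)

def enrollment_aces(sd):
    """Return sorted (SID, permission) pairs granted by allow object ACEs."""
    dacl = struct.unpack_from("<I", sd, 16)[0]      # OffsetDacl in the SD header
    if dacl == 0:
        return []
    count = struct.unpack_from("<H", sd, dacl + 4)[0]   # AceCount
    pos, found = dacl + 8, []
    for _ in range(count):
        ace_type, _, size = struct.unpack_from("<BBH", sd, pos)
        if size < 4 or pos + size > len(sd):
            raise ValueError("malformed ACE at offset %d" % pos)
        if ace_type == ALLOWED_OBJECT_ACE:
            mask, flags = struct.unpack_from("<II", sd, pos + 4)
            if mask & CONTROL_ACCESS and flags & OBJECT_TYPE:
                guid = uuid.UUID(bytes_le=bytes(sd[pos + 12:pos + 28]))
                sid_at = pos + 28 + (16 if flags & INHERITED_TYPE else 0)
                if guid in RIGHTS:
                    found.append((sid_to_str(sd[sid_at:pos + size]), RIGHTS[guid]))
        pos += size
    return sorted(found)

def _sid(*subs):                                    # builds S-1-5-<subs>
    return bytes([1, len(subs)]) + (5).to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def _ace(guid, sid):
    body = struct.pack("<II", CONTROL_ACCESS, OBJECT_TYPE) + guid.bytes_le + sid
    return struct.pack("<BBH", ALLOWED_OBJECT_ACE, 0, 4 + len(body)) + body

def sample_sd():
    """Constructed self-relative descriptor (DACL only); SIDs are made-up sample values."""
    enroll, auto = RIGHTS
    aces = _ace(enroll, _sid(11)) + _ace(auto, _sid(21, 1, 2, 3, 515))
    acl = struct.pack("<BBHHH", 4, 0, 8 + len(aces), 2, 0) + aces   # ACL_REVISION_DS
    return struct.pack("<BBHIIII", 1, 0, 0x8004, 0, 0, 0, 20) + acl
```

This check is narrowed to ACEs that name one of the two rights explicitly; an ACE that grants control access with no object type, or full control, also confers enrollment and needs a separate check.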