SECURITY_DESCRIPTOR_CONTROL

typedef WORD SECURITY_DESCRIPTOR_CONTROL;

The SECURITY_DESCRIPTOR_CONTROL data structure contains a set of bit flags that qualify the meaning of a security descriptor or of individual fields within a security descriptor.

Each SECURITY_DESCRIPTOR has an associated SECURITY_DESCRIPTOR_CONTROL. Since SECURITY_DESCRIPTORs must be treated as opaque data structures, precluding any direct manipulation of their fields, there are functions for setting and retrieving a security descriptor's SECURITY_DESCRIPTOR_CONTROL value.

The following constants are defined for setting and retrieving SECURITY_DESCRIPTOR_CONTROL bit flags:

Value Meaning

SE_OWNER_DEFAULTED This Boolean bit flag, when set, indicates that a default mechanism, rather than the original provider of the security descriptor, provided the security descriptor's Owner SID. This may affect the treatment of the SID with respect to inheritance of an owner. This flag is ignored if the Owner field is null.
SE_GROUP_DEFAULTED This Boolean bit flag, when set, indicates that a default mechanism, rather than the original provider of the security descriptor, provided the security descriptor's Group SID. This may affect the treatment of the SID with respect to inheritance of a primary group. This flag is ignored if the Group field is null.
SE_DACL_PRESENT This Boolean bit flag, when set, indicates that the security descriptor contains a discretionary access control list (ACL) pointed to by its Dacl field. If this flag is set and the Dacl field is null, then a null ACL is being explicitly specified. This bit flag allows functions to determine whether a security descriptor points to a null ACL or no ACL at all.
SE_DACL_DEFAULTED This Boolean bit flag, when set, indicates that a default mechanism, rather than the original provider of the security descriptor, provided the access control list (ACL) pointed to by the security descriptor's Dacl field. This may affect the treatment of the ACL with respect to inheritance of an ACL. This flag is ignored if SE_DACL_PRESENT is not set.
SE_SACL_PRESENT This Boolean bit flag, when set, indicates that the security descriptor contains a system access control list (ACL) pointed to by its Sacl field. If this flag is set and the Sacl field is null, then an empty (but present) ACL is being specified. This bit flag allows functions to determine whether Sacl points to a null ACL or no ACL at all.
SE_SACL_DEFAULTED This Boolean bit flag, when set, indicates that a default mechanism, rather than the original provider of the security descriptor, provided the system access control list (ACL) pointed to by the security descriptor's Sacl field. This may affect the treatment of the ACL with respect to inheritance of an ACL. This flag is ignored if SE_SACL_PRESENT is not set.
SE_SELF_RELATIVE This Boolean bit flag, when set, indicates that the security descriptor is in self-relative form. In this form, all fields of the security descriptor are contiguous in memory, and all pointer fields are expressed as offsets from the beginning of the security descriptor. This form is useful for treating security descriptors as opaque data structures for transmission in a communication protocol or for storage on secondary media.
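
The following C code is an added example, not part of the original reference. It reads the control word from a self-relative security descriptor held in a byte buffer (for instance, one read back from storage) and uses SE_DACL_PRESENT to tell "no ACL at all" from an explicit null ACL, rejecting offsets that fall outside the buffer. It assumes the self-relative layout and flag values from winnt.h; the function names and sample buffers are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Flag values as defined in winnt.h. */
#define SE_DACL_PRESENT  0x0004
#define SE_SELF_RELATIVE 0x8000
#define SD_HEADER_LEN  20 /* Revision, Sbz1, Control, then Owner/Group/Sacl/Dacl offsets */
#define ACL_HEADER_LEN 8  /* AclRevision, Sbz1, AclSize, AceCount, Sbz2 */

enum dacl_state { DACL_INVALID = -1, DACL_ABSENT, DACL_NULL, DACL_AT_OFFSET };

/* Read a little-endian 32-bit offset field. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Fetch Control from a self-relative descriptor; returns 0 on success. */
int sd_control(const uint8_t *sd, size_t len, uint16_t *control) {
    if (sd == NULL || len < SD_HEADER_LEN) return -1;
    *control = (uint16_t)(sd[2] | sd[3] << 8);
    /* In absolute form the fields are pointers, so a byte buffer cannot be parsed. */
    return (*control & SE_SELF_RELATIVE) ? 0 : -1;
}

/* Classify the DACL: no ACL at all, explicit null ACL, or an ACL inside the buffer. */
enum dacl_state sd_dacl_state(const uint8_t *sd, size_t len) {
    uint16_t control;
    if (sd_control(sd, len, &control) != 0) return DACL_INVALID;
    if (!(control & SE_DACL_PRESENT)) return DACL_ABSENT; /* Dacl field is not consulted */
    uint32_t off = rd32(sd + 16);
    if (off == 0) return DACL_NULL;                       /* flag set, field null */
    /* The ACL must start after the header and its own header must fit in the buffer. */
    if (off < SD_HEADER_LEN || off > len || len - off < ACL_HEADER_LEN) return DACL_INVALID;
    return DACL_AT_OFFSET;
}

/* Constructed sample descriptors (no owner, group or SACL). */
static const uint8_t SD_NO_DACL[20]   = {1, 0, 0x00, 0x80};
static const uint8_t SD_NULL_DACL[20] = {1, 0, 0x04, 0x80};
static const uint8_t SD_BAD_DACL[20]  = {1, 0, 0x04, 0x80, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0x40,0,0,0};
static const uint8_t SD_WITH_DACL[28] = {1, 0, 0x04, 0x80, 0,0,0,0, 0,0,0,0, 0,0,0,0, 20,0,0,0,
                                         2, 0, 8, 0, 0, 0, 0, 0}; /* empty ACL at offset 20 */

int main(void) {
    printf("%d %d %d %d\n", sd_dacl_state(SD_NO_DACL, 20), sd_dacl_state(SD_NULL_DACL, 20),
           sd_dacl_state(SD_BAD_DACL, 20), sd_dacl_state(SD_WITH_DACL, 28));
    return 0;
}
```

Code that holds a live descriptor on Windows should obtain the control value through the retrieval function mentioned above instead of reading the bytes directly.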