SECURITY_DESCRIPTOR_CONTROL

The SECURITY_DESCRIPTOR_CONTROL type is a set of bit flags that qualify the meaning of a security descriptor or its components. Each security descriptor has a Control member that stores the SECURITY_DESCRIPTOR_CONTROL bits.

typedef WORD SECURITY_DESCRIPTOR_CONTROL;

Remarks

To get the control bits of a security descriptor, call the GetSecurityDescriptorControl function. To set the control bits of a security descriptor, use the Win32 functions for modifying security descriptors. These functions are listed in the See Also section.

For Windows NT versions 5.0 and later, applications can use the SetSecurityDescriptorControl function to set the control bits that relate to automatic inheritance of ACEs.

The control value retrieved by the GetSecurityDescriptorControl function can include a combination of the following SECURITY_DESCRIPTOR_CONTROL bit flags:

Value Meaning

SE_DACL_AUTO_INHERITED
  Windows NT 5.0 and later: Indicates a security descriptor in which the DACL is set up to support automatic propagation of inheritable ACEs to existing child objects.

  The system sets this bit when it performs the automatic inheritance algorithm for the object and its existing child objects. Protected servers can call the ConvertToAutoInheritPrivateObjectSecurity function to convert a security descriptor and set this flag.

  This bit is not set in security descriptors for Windows NT versions 4.0 and earlier, which do not support automatic propagation of inheritable ACEs.

SE_DACL_DEFAULTED
  Indicates a security descriptor with a default DACL. For example, if an object's creator does not specify a DACL, the object receives the default DACL from the creator's access token. This flag can affect how the system treats the DACL with respect to ACE inheritance. The system ignores this flag if the SE_DACL_PRESENT flag is not set.

  To set this flag, use the SetSecurityDescriptorDacl function.

SE_DACL_PRESENT
  Indicates a security descriptor that has a DACL. If this flag is not set, or if this flag is set and the DACL is NULL, the security descriptor allows full access to everyone.

  To set this flag, use SetSecurityDescriptorDacl.

SE_DACL_PROTECTED
  Windows NT 5.0 and later: Prevents the DACL of the security descriptor from being modified by inheritable ACEs. To set this flag, use the SetSecurityDescriptorControl function.

SE_GROUP_DEFAULTED
  A default mechanism, rather than the original provider of the security descriptor, provided the security descriptor's group SID. To set this flag, use the SetSecurityDescriptorGroup function.

SE_OWNER_DEFAULTED
  A default mechanism, rather than the original provider of the security descriptor, provided the security descriptor's owner security identifier (SID). To set this flag, use the SetSecurityDescriptorOwner function.

SE_SACL_AUTO_INHERITED
  Windows NT 5.0 and later: Indicates a security descriptor in which the SACL is set up to support automatic propagation of inheritable ACEs to existing child objects.

  The system sets this bit when it performs the automatic inheritance algorithm for the object and its existing child objects. Protected servers can call the ConvertToAutoInheritPrivateObjectSecurity function to convert a security descriptor and set this flag.

  This bit is not set in security descriptors for Windows NT versions 4.0 and earlier, which do not support automatic propagation of inheritable ACEs.

SE_SACL_DEFAULTED
  A default mechanism, rather than the original provider of the security descriptor, provided the SACL. This flag can affect how the system treats the SACL with respect to ACE inheritance. The system ignores this flag if the SE_SACL_PRESENT flag is not set. To set this flag, use the SetSecurityDescriptorSacl function.

SE_SACL_PRESENT
  Indicates a security descriptor that has a SACL. To set this flag, use the SetSecurityDescriptorSacl function.

SE_SACL_PROTECTED
  Windows NT 5.0 and later: Prevents the SACL of the security descriptor from being modified by inheritable ACEs. To set this flag, use the SetSecurityDescriptorControl function.

SE_SELF_RELATIVE
  Indicates a security descriptor in self-relative format with all the security information in a contiguous block of memory. If this flag is not set, the security descriptor is in absolute format. For more information, see Absolute and Self-Relative Security Descriptors.
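The check that the SE_DACL_PRESENT and SE_SELF_RELATIVE entries above call for, as an added C example that is not part of the original page or of the Windows SDK: it reads the Control word out of a self-relative security descriptor blob, reports the two "full access to everyone" conditions (SE_DACL_PRESENT clear, or set with a NULL DACL), and separates them from the empty DACL (an ACL with zero ACEs, which denies everyone) that is easy to confuse with a NULL DACL when auditing. The flag values and the 20-byte descriptor header and 8-byte ACL header layout are the winnt.h definitions, redefined here so the code compiles without windows.h; the sample blobs are constructed, and the function and enum names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint16_t WORD;   /* SECURITY_DESCRIPTOR_CONTROL is a WORD */

/* SECURITY_DESCRIPTOR_CONTROL bit values as defined in winnt.h. */
#define SE_OWNER_DEFAULTED      0x0001
#define SE_GROUP_DEFAULTED      0x0002
#define SE_DACL_PRESENT         0x0004
#define SE_DACL_DEFAULTED       0x0008
#define SE_SACL_PRESENT         0x0010
#define SE_SACL_DEFAULTED       0x0020
#define SE_DACL_AUTO_INHERITED  0x0400
#define SE_SACL_AUTO_INHERITED  0x0800
#define SE_DACL_PROTECTED       0x1000
#define SE_SACL_PROTECTED       0x2000
#define SE_SELF_RELATIVE        0x8000

/* Byte offsets in the 20-byte self-relative descriptor header and the
 * 8-byte ACL header (winnt.h layout; all fields little-endian). */
enum { SD_OFF_REVISION = 0, SD_OFF_CONTROL = 2, SD_OFF_DACL = 16, SD_HDR_LEN = 20,
       ACL_OFF_SIZE = 2, ACL_OFF_ACECOUNT = 4, ACL_HDR_LEN = 8 };

enum dacl_state {
    SD_MALFORMED   = -1,
    DACL_ABSENT    =  0,  /* SE_DACL_PRESENT clear: full access to everyone */
    DACL_NULL      =  1,  /* flag set but OffsetDacl 0 (NULL DACL): full access to everyone */
    DACL_EMPTY     =  2,  /* ACL with zero ACEs: access denied to everyone */
    DACL_EFFECTIVE =  3   /* ACL with ACEs: normal access check applies */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Classify the DACL of a self-relative security descriptor blob (bounds-checked). */
enum dacl_state classify_dacl(const uint8_t *sd, size_t len)
{
    if (len < SD_HDR_LEN || sd[SD_OFF_REVISION] != 1) return SD_MALFORMED;
    WORD control = rd16(sd + SD_OFF_CONTROL);
    if (!(control & SE_SELF_RELATIVE)) return SD_MALFORMED; /* absolute form holds pointers, not offsets */
    if (!(control & SE_DACL_PRESENT)) return DACL_ABSENT;
    uint32_t off = rd32(sd + SD_OFF_DACL);
    if (off == 0) return DACL_NULL;
    if (off > len || len - off < ACL_HDR_LEN) return SD_MALFORMED;
    uint16_t acl_size = rd16(sd + off + ACL_OFF_SIZE);
    if (acl_size < ACL_HDR_LEN || acl_size > len - off) return SD_MALFORMED;
    return rd16(sd + off + ACL_OFF_ACECOUNT) == 0 ? DACL_EMPTY : DACL_EFFECTIVE;
}

/* The question an audit or scanner asks: does this descriptor let everyone in? */
int dacl_grants_everyone(const uint8_t *sd, size_t len)
{
    enum dacl_state s = classify_dacl(sd, len);
    return s == DACL_ABSENT || s == DACL_NULL;
}

/* Render the set control bits as "NAME|NAME|..." for logging; returns the count of set bits. */
int describe_control(WORD control, char *out, size_t outlen)
{
    static const struct { WORD bit; const char *name; } names[] = {
        { SE_OWNER_DEFAULTED, "SE_OWNER_DEFAULTED" }, { SE_GROUP_DEFAULTED, "SE_GROUP_DEFAULTED" },
        { SE_DACL_PRESENT, "SE_DACL_PRESENT" },       { SE_DACL_DEFAULTED, "SE_DACL_DEFAULTED" },
        { SE_SACL_PRESENT, "SE_SACL_PRESENT" },       { SE_SACL_DEFAULTED, "SE_SACL_DEFAULTED" },
        { SE_DACL_AUTO_INHERITED, "SE_DACL_AUTO_INHERITED" },
        { SE_SACL_AUTO_INHERITED, "SE_SACL_AUTO_INHERITED" },
        { SE_DACL_PROTECTED, "SE_DACL_PROTECTED" },   { SE_SACL_PROTECTED, "SE_SACL_PROTECTED" },
        { SE_SELF_RELATIVE, "SE_SELF_RELATIVE" },
    };
    int n = 0;
    size_t used = 0;
    if (outlen) out[0] = '\0';
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (!(control & names[i].bit)) continue;
        if (used < outlen) {   /* on truncation, stop writing but keep counting */
            int w = snprintf(out + used, outlen - used, "%s%s", n ? "|" : "", names[i].name);
            used += w > 0 ? (size_t)w : 0;
        }
        n++;
    }
    return n;
}

/* Constructed sample blobs (not captured from a real system). */
const uint8_t SD_NO_DACL[20]    = { 1, 0, 0x00, 0x80 };   /* control 0x8000 */
const uint8_t SD_NULL_DACL[20]  = { 1, 0, 0x04, 0x80 };   /* control 0x8004, OffsetDacl 0 */
const uint8_t SD_EMPTY_DACL[28] = { 1, 0, 0x04, 0x80, [16] = 20, 0, 0, 0,   /* OffsetDacl 20 */
                                    [20] = 2, 0, 8, 0, 0, 0, 0, 0 };        /* ACL: rev 2, size 8, 0 ACEs */

int main(void)
{
    char buf[256];
    describe_control(rd16(SD_NULL_DACL + SD_OFF_CONTROL), buf, sizeof buf);
    printf("control=%s grants_everyone=%d\n", buf, dacl_grants_everyone(SD_NULL_DACL, sizeof SD_NULL_DACL));
    printf("empty DACL state=%d grants_everyone=%d\n",
           classify_dacl(SD_EMPTY_DACL, sizeof SD_EMPTY_DACL), dacl_grants_everyone(SD_EMPTY_DACL, sizeof SD_EMPTY_DACL));
    return 0;
}
```

On a live system the Control word alone comes from GetSecurityDescriptorControl; the offset-based parsing above only applies to a descriptor whose SE_SELF_RELATIVE bit is set, which is why the classifier refuses the absolute form instead of treating its pointer fields as offsets.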

QuickInfo

  Windows NT: Requires version 3.1 or later.
  Windows: Unsupported.
  Windows CE: Unsupported.
  Header: Declared in winnt.h.

See Also

Low-Level Access-Control Overview, Low-Level Access Control Structures, ConvertToAutoInheritPrivateObjectSecurity, GetSecurityDescriptorControl, GetSecurityDescriptorDacl, GetSecurityDescriptorGroup, GetSecurityDescriptorOwner, GetSecurityDescriptorSacl, SetSecurityDescriptorControl, SetSecurityDescriptorDacl, SetSecurityDescriptorGroup, SetSecurityDescriptorOwner, SetSecurityDescriptorSacl