Security Descriptors

A security descriptor contains the security information associated with a securable object. A security descriptor consists of a SECURITY_DESCRIPTOR structure and its associated security information. A security descriptor can include the following security information:

• Security identifiers (SIDs) for the owner and primary group of an object.
• A DACL that specifies the access rights allowed or denied to particular users or groups.
• A SACL that specifies the types of access attempts that generate audit records for the object.
• A set of control bits that qualify the meaning of a security descriptor or its individual members.

Applications must not directly manipulate the contents of a security descriptor. The Win32 API provides functions for setting and retrieving the security information in an object's security descriptor. In addition, there are functions for creating and initializing a security descriptor for a new object.

This overview describes the Win32 security functions for working with security descriptors for applications running on Windows NT version 4.0 and later. For applications that must be compatible with earlier versions of Windows NT, see Low-Level Access Control.

Applications working with security descriptors on Active Directory objects can use the Win32 security functions or the security interfaces provided by the Active Directory Services Interfaces (ADSI). For more information about ADSI security interfaces, see Controlling Access to Active Directory Objects.