Platform SDK: Access Control

SACL for a New Object

The system uses the following algorithm to build a SACL for most types of new securable objects:

  1. The object's SACL is the SACL from the security descriptor specified by the object's creator. The system merges any inheritable ACEs into the specified SACL unless the SE_SACL_PROTECTED bit is set in the security descriptor's control bits.
  2. If the creator does not specify a security descriptor, the system builds the object's SACL from inheritable ACEs.
  3. If there is no specified or inherited SACL, the object has no SACL.

To specify a SACL for a new object, the object's creator must have the SE_SECURITY_NAME privilege enabled. The creator does not need this privilege if the object's SACL is built from inherited ACEs.
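As an added example (not from the SDK page), the three cases above exercised on an NTFS directory tree with Windows PowerShell 5.1; it assumes an elevated session on Windows (so SeSecurityPrivilege can be enabled) and uses constructed paths under $env:TEMP.

```powershell
# Added example, not from the SDK page. Assumes Windows PowerShell 5.1 on Windows,
# run elevated so SeSecurityPrivilege (SE_SECURITY_NAME) is available; paths are constructed.
$base = Join-Path $env:TEMP 'sacl-demo'
New-Item -ItemType Directory -Path $base -Force | Out-Null

# Step 1: the creator supplies a security descriptor that carries a SACL and has
# SE_SACL_PROTECTED set, so no inheritable audit ACEs from the parent are merged in.
$sd = [System.Security.AccessControl.DirectorySecurity]::new()
$sd.SetAuditRuleProtection($true, $false)     # isProtected=$true -> SE_SACL_PROTECTED
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]::Write,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$sd.AddAuditRule($rule)

# Supplying a SACL at creation time requires SE_SECURITY_NAME on the creator's token.
# Check before running:  whoami /priv | findstr SeSecurityPrivilege
$protected = Join-Path $base 'protected'
[System.IO.Directory]::CreateDirectory($protected, $sd) | Out-Null

# Step 2: a child created with no security descriptor gets its SACL only from the
# parent's inheritable audit ACEs (the rule above). No privilege is needed for this.
$inherited = Join-Path $protected 'child'
New-Item -ItemType Directory -Path $inherited | Out-Null

# Step 3: an object whose parent has no inheritable audit ACEs (expected for $env:TEMP
# on a default install) and no specified descriptor ends up with no SACL at all.
$none = Join-Path $base 'no-sacl'
New-Item -ItemType Directory -Path $none | Out-Null

function Show-Sacl([string]$Path) {
    # Reading a SACL also requires SeSecurityPrivilege, hence the elevated session.
    $acl   = Get-Acl -Path $Path -Audit
    $rules = $acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount])
    [pscustomobject]@{
        Path      = $Path
        Protected = $acl.AreAuditRulesProtected     # reflects SE_SACL_PROTECTED
        AuditAces = ($rules | ForEach-Object {
            "$($_.IdentityReference)/$($_.AuditFlags)/inherited=$($_.IsInherited)" }) -join '; '
    }
}

$protected, $inherited, $none | ForEach-Object { Show-Sacl $_ } | Format-Table -AutoSize
```

Expect the first directory to report Protected = True with a non-inherited audit ACE, the child to report Protected = False with the same ACE marked inherited, and the third directory to report no audit ACEs.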

The system uses a different algorithm to build a SACL for a new Active Directory object. For more information, see How Security Descriptors are Set on New Directory Objects.