3.1.1.6.3 Security Descriptor Propagator Update

In Active Directory, SDs can contain ACEs that are inheritable. Thus, modifying the SD on an object can imply a change in the SDs of descendant objects (either by adding or by removing such an inheritable ACE). In order to propagate the changes of inheritable ACEs to descendant objects, each DC runs a background task called the Security Descriptor Propagator Update task. By default, this task is triggered by the following conditions:

  • Any modification (originating or replicated) of the nTSecurityDescriptor attribute of any object, except for those modifications done by the Security Descriptor Propagator Update task. Such an object is said to have caused a propagation event.

  • Any modification of the DN of an object that results in the object having a different parent, except for those cases where the new parent is a Deleted Objects container. Such an object is said to have caused a propagation event.

The Security Descriptor Propagator Update task performs the following processing.

For each object P that has caused a propagation event, the server does the following:

  • Initialize a set S with the single element P.

  • While the set S is not empty, do the following:

    • Let T be an element of set S.

    • Enforce all SD requirements from section 6.1.3 on the SD of the object T. This might require that a new SD be written to the nTSecurityDescriptor attribute of object T. If this is the case, such a modification is not replicated to any other instances of Active Directory. Note that this modification of nTSecurityDescriptor is not a new propagation event; it is considered to be part of the original event that was triggered by the modification of the nTSecurityDescriptor attribute of object P.

    • If T is not a Deleted Objects container, as described in section 6.1.1.4.2, let U be the set of all children of T that are in the same naming context as T. Add all elements of U to the set S. The set U is said to contain qualifying children of object T. All objects that are ever elements of set S are said to be qualifying descendants of object P.

    • Remove T from set S.

The replication metadata values (see AttributeStamp and LinkValueStamp in section 3.1.1.1.9) MUST NOT be modified for any attributes that are updated during the processing shown in the preceding list.
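The following is an added Python model of the worklist traversal and the metadata rule just described; it is illustrative code written for this page, not part of MS-ADTS or of any Windows implementation. The directory tree, the DNs and the ACEs are constructed sample data, `sd_stamp` is an assumed stand-in for the nTSecurityDescriptor AttributeStamp, and `expected_aces` is a deliberately simplified stand-in for the section 6.1.3 requirements (it only models container-inheritance of inheritable ACEs). The model shows the three behaviours a practitioner checks for: children of a Deleted Objects container are not visited, children in a different naming context are not visited, and the propagator's own writes do not touch replication metadata.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Ace:
    trustee: str
    rights: str
    inheritable: bool        # the ACE flows to descendants (CONTAINER_INHERIT-style flag)
    inherited: bool = False  # set on the copies the propagator places on descendants


@dataclass
class DirObject:
    dn: str
    naming_context: str
    parent: Optional[str]
    aces: List[Ace] = field(default_factory=list)
    deleted_objects_container: bool = False
    sd_stamp: int = 1  # assumed stand-in for the nTSecurityDescriptor AttributeStamp


Directory = Dict[str, DirObject]


def children_of(directory: Directory, dn: str) -> List[DirObject]:
    return [o for o in directory.values() if o.parent == dn]


def expected_aces(directory: Directory, obj: DirObject) -> List[Ace]:
    """Simplified stand-in for section 6.1.3: an object keeps its explicit ACEs and
    carries an inherited copy of every inheritable ACE on its parent. Inherited
    copies stay inheritable so the ACE keeps flowing further down the tree."""
    explicit = [a for a in obj.aces if not a.inherited]
    if obj.parent is None:
        return explicit
    parent = directory[obj.parent]
    inherited = [Ace(a.trustee, a.rights, True, inherited=True)
                 for a in parent.aces if a.inheritable]
    return explicit + inherited


def set_security_descriptor(directory: Directory, dn: str, aces: List[Ace]) -> str:
    """An originating write of nTSecurityDescriptor: the stamp advances, so this
    change replicates. The object becomes the P that caused a propagation event."""
    obj = directory[dn]
    obj.aces = list(aces)
    obj.sd_stamp += 1
    return dn


def propagate(directory: Directory, p_dn: str) -> List[str]:
    """The Security Descriptor Propagator Update loop from the section.
    Returns every object that was ever in S (the qualifying descendants of P)."""
    pending: Set[str] = {p_dn}      # the set S, initialised with P
    visited: List[str] = []
    while pending:
        t_dn = pending.pop()        # T, an element of S
        t = directory[t_dn]
        required = expected_aces(directory, t)
        if set(required) != set(t.aces):
            t.aces = required       # local write only: sd_stamp is deliberately not advanced
        if not t.deleted_objects_container:
            for child in children_of(directory, t_dn):
                if child.naming_context == t.naming_context:
                    pending.add(child.dn)   # U: qualifying children of T
        visited.append(t_dn)        # T removed from S
    return visited


def build_sample_directory() -> Directory:
    """Constructed sample tree: a domain NC head whose DN children include the
    Configuration NC head (different naming context) and a Deleted Objects container."""
    root = "DC=example,DC=test"
    objs = [
        DirObject(root, "domain", None, [Ace("Domain Admins", "GenericAll", inheritable=True)]),
        DirObject(f"OU=Staff,{root}", "domain", root),
        DirObject(f"CN=alice,OU=Staff,{root}", "domain", f"OU=Staff,{root}"),
        DirObject(f"CN=Deleted Objects,{root}", "domain", root, deleted_objects_container=True),
        DirObject(f"CN=tombstone,CN=Deleted Objects,{root}", "domain", f"CN=Deleted Objects,{root}"),
        DirObject(f"CN=Configuration,{root}", "config", root),
    ]
    return {o.dn: o for o in objs}


def demo():
    """Propagate from the NC head, then grant Helpdesk an inheritable ACE on OU=Staff."""
    d = build_sample_directory()
    propagate(d, "DC=example,DC=test")
    staff = d["OU=Staff,DC=example,DC=test"]
    p = set_security_descriptor(d, staff.dn,
                                staff.aces + [Ace("Helpdesk", "ResetPassword", inheritable=True)])
    return d, propagate(d, p)


if __name__ == "__main__":
    directory, qualifying = demo()
    for dn in qualifying:
        print(dn, [(a.trustee, a.inherited) for a in directory[dn].aces], "stamp", directory[dn].sd_stamp)
```

When auditing real propagation, the same three points are what to compare against the model: objects beneath a Deleted Objects container and objects in another naming context should never receive the ACE, and the descendants that do receive it should show no change in their nTSecurityDescriptor replication metadata, since only the originating write on P is replicated.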

There is no constraint on the number of transactions that the Security Descriptor Propagator Update task uses during processing. Therefore, there is no requirement that at any given time all of the objects that are qualifying descendants of an object whose SD has an inheritable ACE actually have the inheritable ACE. It is possible that there is a period of time during which an object that SHOULD contain an inheritable ACE from one of its ancestors will not have that inheritable ACE, pending completion of the Security Descriptor Propagator Update task. Likewise, it is possible there is a period of time during which an inheritable ACE that was removed from one of the object's ancestors is still present on the object. Although the protocol places no boundary or requirements on the length of this period of time, it is recommended that implementations minimize the length of this period of time to improve usability of the directory for clients.

The server MUST guarantee that all inheritable ACEs are eventually propagated to all qualifying descendants of an object that causes a propagation event.