6.1.3.6 SD Defaulting Rules

  • Article

When an add operation is performed and the client does not supply an SD value, then the SD value is defaulted as follows:

  1. The SD is determined from the defaultSecurityDescriptor value obtained from the classSchema object corresponding to the most specific structural objectClass of the object being created. The value of defaultSecurityDescriptor is an SDDL string. The string is converted to the binary SD value in the context of domain SID (used to resolve domain SID references, such as Domain Administrators alias) and root domain SID (used to resolve forest SID references, such as Enterprise Administrators alias). See [MS-DTYP] section 2.5.1 for more details.

  2. When the object is created in an application NC, then the value or sdReferenceDomain from the crossRef corresponding to the NC is used to determine the domain SID used as context in the SDDL conversion process.