126.96.36.199 Security Considerations
When an add operation is processed, the client is allowed to specify any SD value, subject to the constraints on the OWNER field specified in this section.
When a modify operation is processed, the following security checks are applied to the requester's security context. If the requester does not pass the check, then accessDenied is returned.
If the OWNER and/or GROUP value is written (according to SD flags), then one of the following requirements must be satisfied:
If the SACL value is written (according to SD flags), then the following requirement must be satisfied:
The requester possesses the SE_SECURITY_PRIVILEGE.
If the object being modified is in the config NC or schema NC, and the RM control of the SD is present and contains the SECURITY_PRIVATE_OBJECT bit, then additional requirements on the DC performing the operation must be enforced:
When the OWNER value is being written (via the SD flags control, in either an add or a modify operation), the following constraint must be satisfied. The value of the OWNER field must be one of the following SIDs:
- The SID of the user performing the operation.
- The SID of the "default administrators group" (DAG; section 188.8.131.52), only when the DAG is defined and the user is a member of this group.
- Any SID, when the user possesses the SE_RESTORE_PRIVILEGE.
If the owner SID does not satisfy the preceding rules, then the server fails the operation, returning an unwillingToPerform / ERROR_INVALID_OWNER error.
If the owner SID is written on an object in the config NC or schema NC, then additional requirements on the DC performing the operation are enforced:
- The DC must be a member of the root domain in the forest, or
- The DC must be a member of the same domain to which the current object owner belongs.