3.1.6.1.3.4 nTSecurityDescriptor

If iAttributeList (either supplied or constructed) includes the ADM attribute name Security, the value of the iDirectoryObject.Security ADM attribute MUST be modified before it is written to the directory. If iAttributeList does not include the ADM attribute name Security, a default value MUST be computed and written. The algorithm for doing both is as follows:

  1. Let FinalSecurity and SuppliedSecurity be SECURITY_DESCRIPTOR structures, as specified in [MS-DTYP] section 2.4.6, initialized to be empty.

  2. If iAttributeList includes the ADM attribute name Security, the value of iDirectoryObject.Security MUST be copied to the SuppliedSecurity structure.

  3. Let OwnerSid be a SID ([MS-DTYP] section 2.4.2) structure initialized to zero.

  4. If the SuppliedSecurity structure is not empty:

    1. OwnerSid MUST be set to the owner SID from the SuppliedSecurity structure.

    2. If the Dacl field is populated in the SuppliedSecurity structure, the value MUST be copied to the FinalSecurity structure.

    3. If the Sacl field is populated in the SuppliedSecurity structure, the value MUST be copied to the FinalSecurity structure.

  5. If OwnerSid is zero, it MUST be set to the SID of the user under whose identity the current thread is running.

  6. If the user referenced by the SID in the OwnerSid structure is not a domain user, the OwnerSid structure MUST be set to the well-known SID with string representation S-1-5-7 (relative identifier SECURITY_ANONYMOUS_LOGON_RID combined with identifier authority SECURITY_NT_AUTHORITY).

  7. If the Dacl field was not copied to the FinalSecurity structure in step 4:

    1. Let WorldAccess and OwnerAccess be MQSITEACCESSMASK ([MS-MQMQ] section 2.2.23) enumerated values, initialized to zero.

    2. If OwnerSid is a guest SID (equal to the SID designated by DOMAIN_USER_RID_GUEST, as specified in [MS-SAMR] section 2.2.1.14) or the user referenced by the SID in OwnerSid is not a domain user, WorldAccess MUST be set to MQSEC_SITE_GENERIC_ALL. Otherwise, WorldAccess MUST be set to MQSEC_SITE_GENERIC_READ, and OwnerAccess MUST be set to MQSEC_SITE_GENERIC_ALL.

    3. An ACCESS_ALLOWED_ACE ([MS-DTYP] section 2.4.4.2) structure with a Mask field set to WorldAccess and containing the well-known SID with string representation S-1-1-0 (relative identifier SECURITY_WORLD_RID combined with identifier authority SECURITY_WORLD_SID_AUTHORITY) MUST be added to the Dacl field in the FinalSecurity structure.

    4. If OwnerAccess is nonzero, an ACCESS_ALLOWED_ACE structure with a Mask field set to OwnerAccess and containing the SID in OwnerSid MUST be added to the Dacl field in the FinalSecurity structure.

  8. The SECURITY_DESCRIPTOR structure in FinalSecurity MUST be converted to self-relative format (see [MS-DTYP] section 2.4.6).

  9. The value of the nTSecurityDescriptor attribute MUST be the value of the FinalSecurity structure.
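The nine steps above, worked through as an added Python example (not code from the specification): SIDs are modelled as strings, "not populated" as None, the MQSITEACCESSMASK values are placeholder constants, the is_domain_user predicate is supplied by the caller, and the self-relative conversion of step 8 is left out.

```python
from dataclasses import dataclass
from typing import List, Optional

# Placeholder mask values constructed for this example; the real MQSITEACCESSMASK
# values are defined in [MS-MQMQ] section 2.2.23 and are not reproduced here.
MQSEC_SITE_GENERIC_READ = 0x01
MQSEC_SITE_GENERIC_ALL = 0x02

WORLD_SID = "S-1-1-0"            # SECURITY_WORLD_RID, SECURITY_WORLD_SID_AUTHORITY
ANONYMOUS_LOGON_SID = "S-1-5-7"  # SECURITY_ANONYMOUS_LOGON_RID, SECURITY_NT_AUTHORITY
DOMAIN_USER_RID_GUEST = 501      # [MS-SAMR] section 2.2.1.14

@dataclass
class Ace:
    mask: int
    sid: str

@dataclass
class SecurityDescriptor:
    owner: Optional[str] = None       # None models "initialized to zero"
    dacl: Optional[List[Ace]] = None  # None models "not populated"
    sacl: Optional[List[Ace]] = None

def is_guest(sid: str) -> bool:
    return sid.rsplit("-", 1)[-1] == str(DOMAIN_USER_RID_GUEST)

def compute_nt_security_descriptor(supplied, thread_sid, is_domain_user):
    """supplied: SecurityDescriptor or None; is_domain_user: callable(str) -> bool."""
    final = SecurityDescriptor()                         # step 1
    owner = None                                         # step 3
    if supplied is not None:                             # step 4
        owner = supplied.owner
        if supplied.dacl is not None:
            final.dacl = list(supplied.dacl)
        if supplied.sacl is not None:
            final.sacl = list(supplied.sacl)
    if owner is None:                                    # step 5
        owner = thread_sid
    if not is_domain_user(owner):                        # step 6
        owner = ANONYMOUS_LOGON_SID
    if final.dacl is None:                               # step 7
        if is_guest(owner) or not is_domain_user(owner):
            world_access, owner_access = MQSEC_SITE_GENERIC_ALL, 0
        else:
            world_access, owner_access = MQSEC_SITE_GENERIC_READ, MQSEC_SITE_GENERIC_ALL
        final.dacl = [Ace(world_access, WORLD_SID)]
        if owner_access:
            final.dacl.append(Ace(owner_access, owner))
    final.owner = owner  # assumption: the text does not say OwnerSid is written back
    return final         # step 8 (self-relative encoding) is not modelled here
```

Note the security-relevant outcome of steps 6 and 7: a non-domain or guest caller yields a DACL that grants MQSEC_SITE_GENERIC_ALL to Everyone, so a supplied descriptor is the only way to obtain a tighter default in those cases.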