SACLs for Newly Created Objects
The operating system uses the following rules to set the SACL in the security descriptors for new securable objects:
If the creating process provides an explicit SACL, the operating system places it in the object's security descriptor. The operating system merges any inheritable ACEs into the SACL unless SE_SACL_PROTECTED is set in the security descriptor control flags. It then sets the SE_SACL_PRESENT security descriptor control flag.
If the creating process does not provide an explicit SACL, the operating system builds the object's SACL from inheritable ACEs in the parent object's SACL. It then sets the SE_SACL_PRESENT security descriptor control flag.
If the parent object has no inheritable ACEs, the operating system asks the object manager to provide a default SACL. It then sets the SE_SACL_PRESENT and SE_SACL_DEFAULTED security descriptor control flags.
If the object manager does not provide a default SACL, the new object is assigned no SACL.