SetSecurityDescriptor method of the __SystemSecurity class

The SetSecurityDescriptor method writes an updated version of the security descriptor that controls access to the WMI namespace to which you are connected. The security descriptor is represented by an instance of __SecurityDescriptor. For more information, see Changing Access Security on Securable Objects.


uint32 SetSecurityDescriptor(
  [in] __SecurityDescriptor Descriptor


Descriptor [in]

The security descriptor associated with the WMI Namespace.

Return value

Returns one of the values listed in the following list, or a different value to indicate an error. For more information, see WMI Return Codes or WbemErrorEnum.


Successful completion.


The user does not have access to the requested information.


Unknown failure.


The user does not have adequate privileges to execute the method.


A parameter specified in the method call is not valid.


The Win32_SecurityDescriptor instance represents a SECURITY_DESCRIPTOR_CONTROL data type and contains a discretionary access control list (DACL) and a System Access Control List (SACL). For more information, see Access Control Lists.

If the SeSecurityPrivilege is not granted or enabled when getting a security descriptor, then only the DACL is returned in the returned security descriptor. For more information, see Privilege Constants and Executing Privileged Operations.

You can update both the DACL and the SACL in the Win32_SecurityDescriptor instance when calling this method, but you also can update only the DACL or only the SACL.

The following values in SECURITY_DESCRIPTOR_CONTROL determine whether the DACL or the SACL or both are updated.


    Indicates that the DACL should be updated. If this is not set then WMI preserves the original value of the DACL.


    Indicates that the SACL should be updated. If this is not set then WMI preserves the original value of the SACL. To update the SACL, the account must have the SeSecurityPrivilege privilege enabled. For scripting, the privilege name is SeSecurityPrivilege. For more information, see Privilege Constants.

If the Group trustee and the Owner trustee properties are not NULL, then they are updated. Otherwise, WMI preserves the original values. For more information, see WMI Security Descriptor Objects.

When a new SACL is NULL in a call this method, then the security descriptor SACL on the target securable object is left unchanged.


Minimum supported client
Windows Vista
Minimum supported server
Windows Server 2008
All WMI namespaces

See also


Setting Namepace Security Descriptors