Share via


Win32_SecurityDescriptor class

The Win32_SecurityDescriptor abstract WMI class represents a SECURITY_DESCRIPTOR structure. A security descriptor contains the security information for a securable object. The Owner and Group properties identify the owner and primary group for the object. It can also contain a discretionary access control list (DACL) that controls access to the object and a system access control list (SACL) that controls the logging of attempts to access the object.

The following syntax is simplified from Managed Object Format (MOF) code, and includes all of the inherited properties.

Syntax

[abstract, UUID("{8502C58B-5FBB-11D2-AAC1-006008C78BC7}"), AMENDMENT]
class Win32_SecurityDescriptor : __SecurityDescriptor
{
  uint64        TIME_CREATED;
  uint32        ControlFlags;
  Win32_ACE     DACL[];
  Win32_Trustee Group;
  Win32_Trustee Owner;
  Win32_ACE     SACL[];
};

Members

The Win32_SecurityDescriptor class has these types of members:

Properties

The Win32_SecurityDescriptor class has these properties.

ControlFlags

Data type: uint32

Access type: Read-only

Qualifiers: Override (ControlFlags), WritePrivileges ("SeSecurityPrivilege", "SeRestorePrivilege")

Control bits that qualify the meaning of a security descriptor (SD) or its individual members. See the Remarks section of this topic for information about setting the ControlFlags value. The following list lists the flags in ControlFlags. For more information, see SECURITY_DESCRIPTOR_CONTROL.

SE_OWNER_DEFAULTED (1 (0x1))

Indicates an SD with a default owner security identifier (SID). Use this bit to find all of the objects that have default owner permissions set.

SE_GROUP_DEFAULTED (2 (0x2))

Indicates an SD with a default group SID. Use this bit to find all of the objects that have default group permissions set.

SE_DACL_PRESENT (4 (0x4))

Indicates an SD that has a DACL. If this flag is not set, or if this flag is set and the DACL is NULL, the SD allows full access to everyone.

SE_DACL_DEFAULTED (8 (0x8))

Indicates an SD with a default DACL. For example, if an object creator does not specify a DACL, the object receives the default DACL from the access token of the creator. This flag can affect how the system treats the DACL, with respect to access control entry (ACE) inheritance. The system ignores this flag if the SE_DACL_PRESENT flag is not set.

SE_SACL_PRESENT (16 (0x10))

Indicates an SD that has a system access control list (SACL).

SE_SACL_DEFAULTED (32 (0x20))

Indicates an SD with a default SACL. For example, if an object creator does not specify an SACL, the object receives the default SACL from the access token of the creator. This flag can affect how the system treats the SACL, with respect to ACE inheritance. The system ignores this flag if the SE_SACL_PRESENT flag is not set.

SE_DACL_AUTO_INHERIT_REQ (256 (0x100))

Requests that the provider for the object protected by the SD automatically propagate the DACL to existing child objects. If the provider supports automatic inheritance, the DACL is propagated to any existing child objects, and the SE_DACL_AUTO_INHERITED bit in the SD of the parent and child objects is set.

SE_SACL_AUTO_INHERIT_REQ (512 (0x200))

Requests that the provider for the object protected by the SD automatically propagate the SACL to existing child objects. If the provider supports automatic inheritance, the SACL is propagated to any existing child objects, and the SE_SACL_AUTO_INHERITED bit in the SDs of the parent object and child objects is set.

SE_DACL_AUTO_INHERITED (1024 (0x400))

Indicates an SD in which the DACL is set up to support automatic propagation of inheritable ACEs to existing child objects. The system sets this bit when it performs the automatic inheritance algorithm for the object and its existing child objects.

SE_SACL_AUTO_INHERITED (2048 (0x800))

Indicates an SD in which the SACL is set up to support automatic propagation of inheritable ACEs to existing child objects. The system sets this bit when it performs the automatic inheritance algorithm for the object and its existing child objects.

SE_DACL_PROTECTED (4096 (0x1000))

Prevents the DACL of an SD from being modified by inheritable ACEs.

SE_SACL_PROTECTED (8192 (0x2000))

Prevents the SACL of an SD from being modified by inheritable ACEs.

SE_SELF_RELATIVE (32768 (0x8000))

Indicates an SD in self-relative format with all the security information in a contiguous block of memory. If this flag is not set, the SD is in absolute format. For more information, see Absolute and Self-Relative Security Descriptors.

DACL

Data type: Win32_ACE array

Access type: Read/write

Qualifiers: Override (DACL), WritePrivileges ("SeSecurityPrivilege", "SeRestorePrivilege")

Each array entry defines the type of object access that the system grants to a specific user or group. For more information about security for access control lists (ACL), see Access Control Lists and Creating a DACL.

Group

Data type: Win32_Trustee

Access type: Read/write

Qualifiers: Override (Group), WritePrivileges ("SeSecurityPrivilege", "SeRestorePrivilege")

Group that owns this object.

Owner

Data type: Win32_Trustee

Access type: Read/write

Qualifiers: Override (Owner), WritePrivileges ("SeSecurityPrivilege", "SeRestorePrivilege")

Owner of an object.

SACL

Data type: Win32_ACE array

Access type: Read/write

Qualifiers: Override (SACL), WritePrivileges ("SeSecurityPrivilege", "SeRestorePrivilege")

Each array entry defines the type of access attempts that generate audit records for a specific user or group.

TIME_CREATED

Data type: uint64

Access type: Read-only

Time in the CIM_DATETIME format when the security descriptor was created.

This property is inherited from __SecurityDescriptor.

Remarks

The Win32_SecurityDescriptor class is derived from Win32_MethodParameterClass.

The values in ControlFlags affect the elements of the descriptor that WMI writes to a new SD in methods such as Win32_SecuritySetting.SetSecurityDescriptor. Some of the flags, such as SE_GROUP_DEFAULTED or SE_SACL_DEFAULTED indicate that a part of the SD is a default value. For example, Active Directory may have default SDs for all types of objects. When a new object is created, the default owner, group, DACL, and SACL are applied. If a system-wide change must be made to the defaults, the system administrator can find all of the objects with defaults by locating the objects that have the default flags set.

If the SE_DACL_PRESENT bit is specified and a DACL entry is also present in the call to SetSecurityDescriptor, then an empty DACL is written to the new security descriptor. To provide better security, WMI does not write a NULL DACL when SE_DACL_PRESENT is set but a parameter is not supplied, because a NULL DACL gives everyone full access to the object. For more information, see Creating a DACL.

The ControlFlags property contains individual bit positions, which indicate that specific flags are set. You can combine these flags by adding the associated values. For example, to specify both SE_DACL_PRESENT and SE_DACL_AUTO_INHERITED you add the associated values 4 and 1024 to make the value of the ControlFlags property 1028.

Requirements

Minimum supported client
Windows Vista
Minimum supported server
Windows Server 2008
Namespace
Root\CIMV2
MOF
Secrcw32.mof
DLL
CIMWin32.dll

See also

__SecurityDescriptor

Operating System Classes

WMI Security Descriptor Objects

Maintaining WMI Security

Changing Access Security on Securable Objects