The Default Security Descriptor in AD

Controlling an object's default security

When you create a new object (e.g., a user, a group) in Active Directory (AD), the object automatically receives a set of default access control permissions. Where in AD are these default permissions defined? Can I retrieve them and modify them?

Microsoft has defined a default security descriptor for every AD object class (e.g., user, group). When you create an AD object instance of a particular object class, this default security descriptor establishes the default permissions for that object. The default security descriptor is defined in the AD schema.

You can view and set the default security descriptor through the properties of the AD object class. The easiest way to reach this information is the Microsoft Management Console (MMC) Active Directory Schema snap-in. Before you can use this snap-in, you must register the schmmgmt.dll file by going to the command line and typing

regsvr32 schmmgmt.dll

After you register the file, open the Active Directory Schema snap-in, locate the object class of interest (e.g., the user object) in the classes container, then right-click the object and select Properties from the context menu to open the user Properties dialog box. You can change the default security descriptor on the Security tab, as Figure 1 shows.

You can also use other tools to retrieve the contents of an object class's default security descriptor. For example, you can use the Ldp.exe command-line utility, which is in the \support\tools folder on the Windows 2000 Server CD-ROM, or the MMC ADSI Edit snap-in. In either case, look for the defaultSecurityDescriptor attribute of the CN=User,CN=Schema,CN=Configuration,DC=<domainname>,DC=<domainextension> AD object. With both tools, you’ll have to decipher the defaultSecurityDescriptor attribute's content. Ldp.exe displays the attribute's content in a Security Descriptor Definition Language (SDDL) format. SDDL is the native format that AD uses to store security descriptor information.

To use Ldp.exe to retrieve the default security descriptor for the user object, go to the command line and type


then complete the following steps to retrieve the defaultSecurityDescriptor attribute:

  1. Open the Connection menu, select Connect, then enter the name of the AD server in the Connect dialog box.
  2. Open the Connection menu, select Bind, then enter a set of valid credentials in the Bind dialog box.
  3. Open the View menu, select Tree, then enter the following base distinguished name (DN) to retrieve the defaultSecurityDescriptor attribute:

     cn=user,cn=schema,cn=configuration,DC=<domainname>,DC=<domainextension>

  4. Locate the content of the defaultSecurityDescriptor attribute in the right pane, as Figure 2 shows.
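Whichever tool you use, what you get back is an SDDL string, and reviewing it by eye is error-prone. The following Python script is an added example (not code from the article or from Microsoft) that decodes an SDDL string of the kind stored in defaultSecurityDescriptor into its owner, group and individual ACEs, and then answers the question a reviewer actually cares about: which trustees a newly created object grants a given right to by default. The two-letter ACE type, flag, right and SID codes are the subset of the SDDL notation that appears in AD defaults; the SAMPLE_SDDL string is constructed for this example (its shape follows the user class default, but it is not copied from a live schema), and the object GUID in the OA entry is a placeholder, not a real control-access-right GUID.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of a user-class defaultSecurityDescriptor.
# The GUID in the OA entry is a placeholder (constructed), not a real right GUID.
SAMPLE_SDDL = (
    "O:DAG:DA"
    "D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)"
    "(A;;RPLCLORC;;;PS)"
    "(OA;;CR;00000000-0000-0000-0000-000000000001;;PS)"
    "(A;;RPLCLORC;;;AU)"
)

# Two-letter SDDL codes (subset used in AD object defaults).
ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED",
             "OA": "ACCESS_ALLOWED_OBJECT", "OD": "ACCESS_DENIED_OBJECT",
             "AU": "SYSTEM_AUDIT", "OU": "SYSTEM_AUDIT_OBJECT"}
ACE_FLAGS = {"CI": "CONTAINER_INHERIT", "OI": "OBJECT_INHERIT", "NP": "NO_PROPAGATE",
             "IO": "INHERIT_ONLY", "ID": "INHERITED", "SA": "AUDIT_SUCCESS", "FA": "AUDIT_FAILURE"}
RIGHTS: Dict[str, Tuple[str, int]] = {
    # Directory-service specific rights (low bits of the access mask).
    "CC": ("CREATE_CHILD", 0x1), "DC": ("DELETE_CHILD", 0x2), "LC": ("LIST_CHILDREN", 0x4),
    "SW": ("SELF_WRITE", 0x8), "RP": ("READ_PROP", 0x10), "WP": ("WRITE_PROP", 0x20),
    "DT": ("DELETE_TREE", 0x40), "LO": ("LIST_OBJECT", 0x80), "CR": ("CONTROL_ACCESS", 0x100),
    # Standard rights.
    "SD": ("DELETE", 0x10000), "RC": ("READ_CONTROL", 0x20000),
    "WD": ("WRITE_DAC", 0x40000), "WO": ("WRITE_OWNER", 0x80000),
    # Generic rights.
    "GA": ("GENERIC_ALL", 0x10000000), "GX": ("GENERIC_EXECUTE", 0x20000000),
    "GW": ("GENERIC_WRITE", 0x40000000), "GR": ("GENERIC_READ", 0x80000000),
}
SID_ALIASES = {"DA": "Domain Admins", "EA": "Enterprise Admins", "SY": "Local System",
               "AO": "Account Operators", "PS": "Principal Self", "AU": "Authenticated Users",
               "WD": "Everyone", "BA": "Builtin Administrators", "DU": "Domain Users",
               "CO": "Creator Owner"}


@dataclass
class Ace:
    ace_type: str
    flags: List[str]
    rights: List[str]
    mask: int
    object_guid: str      # non-empty for object ACEs: the property/right/class the ACE scopes to
    inherit_guid: str
    trustee: str


@dataclass
class SecurityDescriptor:
    owner: Optional[str] = None
    group: Optional[str] = None
    dacl_flags: str = ""
    dacl: List[Ace] = field(default_factory=list)
    sacl_flags: str = ""
    sacl: List[Ace] = field(default_factory=list)


def _decode_pairs(code: str, table: Dict[str, str]) -> List[str]:
    # SDDL packs flags as a run of two-letter tokens with no separator.
    return [table.get(code[i:i + 2], code[i:i + 2]) for i in range(0, len(code), 2)]


def _decode_rights(code: str) -> Tuple[List[str], int]:
    # Rights are either a hex access mask ("0x000F01FF") or packed two-letter codes.
    if code.lower().startswith("0x"):
        mask = int(code, 16)
        return [name for name, bit in RIGHTS.values() if mask & bit], mask
    names, mask = [], 0
    for i in range(0, len(code), 2):
        name, bit = RIGHTS.get(code[i:i + 2], (code[i:i + 2], 0))
        names.append(name)
        mask |= bit
    return names, mask


def _parse_ace(text: str) -> Ace:
    # ACE layout: (type;flags;rights;object_guid;inherit_object_guid;trustee)
    parts = text.strip("()").split(";")
    if len(parts) < 6:
        raise ValueError(f"malformed ACE: {text}")
    names, mask = _decode_rights(parts[2])
    return Ace(ACE_TYPES.get(parts[0], parts[0]), _decode_pairs(parts[1], ACE_FLAGS),
               names, mask, parts[3], parts[4], SID_ALIASES.get(parts[5], parts[5]))


def _parse_acl(body: str) -> Tuple[str, List[Ace]]:
    # Optional ACL flags (e.g. P, AI) precede the parenthesised ACE list.
    m = re.fullmatch(r"([A-Z]*)((?:\([^()]*\))*)", body)
    if m is None:
        raise ValueError(f"malformed ACL: {body}")
    return m.group(1), [_parse_ace(a) for a in re.findall(r"\([^()]*\)", m.group(2))]


def parse_sddl(sddl: str) -> SecurityDescriptor:
    """Split O:/G:/D:/S: sections; ACE bodies never contain ':' so the lookahead is safe."""
    sd = SecurityDescriptor()
    for m in re.finditer(r"([OGDS]):(.*?)(?=[OGDS]:|$)", sddl.strip()):
        key, body = m.group(1), m.group(2)
        if key == "O":
            sd.owner = SID_ALIASES.get(body, body)
        elif key == "G":
            sd.group = SID_ALIASES.get(body, body)
        elif key == "D":
            sd.dacl_flags, sd.dacl = _parse_acl(body)
        else:
            sd.sacl_flags, sd.sacl = _parse_acl(body)
    return sd


def trustees_with(sd: SecurityDescriptor, right: str, allowed: bool = True) -> List[str]:
    """Trustees the DACL grants (or denies) a named right to, e.g. 'WRITE_DAC'."""
    wanted = "ACCESS_ALLOWED" if allowed else "ACCESS_DENIED"
    return sorted({a.trustee for a in sd.dacl if a.ace_type.startswith(wanted) and right in a.rights})


def describe(sd: SecurityDescriptor) -> List[str]:
    lines = [f"Owner: {sd.owner}  Group: {sd.group}  DACL flags: {sd.dacl_flags or '-'}"]
    for a in sd.dacl:
        scope = f" on {a.object_guid}" if a.object_guid else ""
        lines.append(f"{a.ace_type:<22} {a.trustee:<20} 0x{a.mask:08X} {','.join(a.rights)}{scope}")
    return lines


if __name__ == "__main__":
    parsed = parse_sddl(SAMPLE_SDDL)
    print("\n".join(describe(parsed)))
    print("WRITE_DAC by default:", trustees_with(parsed, "WRITE_DAC"))
```

The review question this answers is the one that matters when you change a default: every object created from the class afterwards inherits these ACEs, so a trustee that gains WRITE_DAC or GENERIC_ALL here can later rewrite the permissions on every new user. On a live domain, feed the function the string you copied out of Ldp.exe or ADSI Edit as described above; PowerShell's Get-ADObject (with -Properties defaultSecurityDescriptor) or its built-in ConvertFrom-SddlString cmdlet can serve the same purpose, but the script above keeps the decoding visible and offline.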