Skip navigation
Menu
End-User Platforms>Windows 7/8

The Default Security Descriptor in AD

Controlling an object's default security

When you create a new object (e.g., a user, a group) in Active Directory (AD), the object automatically receives a set of default access control permissions. Where in AD are these default permissions defined? Can I retrieve them and modify them?

Microsoft has defined a default security descriptor for every AD object class (e.g., user, group). When you create an AD object instance of a particular object class, this default security descriptor establishes the default permissions for that object. The default security descriptor is defined in the AD schema.

You can set the default security descriptor by viewing the AD object class properties. The easiest way to access this information is to use the Microsoft Management Console (MMC) Active Directory Schema snap-in. Before you can use this snap-in, you must register the schmmgmt.dll file by going to the command line and typing 

regsvr32 schmmgmt.dll

After you register the file, open the Active Directory Schema snap-in, locate the object class of interest (e.g., the user object) in the classes container, then right-click the object and select Properties from the context menu to open the user Properties dialog box. You can change the default security descriptor on the Security tab, as Figure 1 shows.

You can also use other tools to retrieve the contents of an object class's default security descriptor. For example, you can use the Ldp.exe command-line utility, which is in the \support\tools folder on the Windows 2000 Server CD-ROM, or the MMC ADSI Edit snap-in. In either case, look for the defaultSecurityDescriptor attribute of the CN=User,CN=Schema,CN=Configuration,DC=<domainname>,DC=<domainextension> AD object. With both tools, you’ll have to decipher the defaultSecurityDescriptor attribute's content. Ldp.exe displays the attribute's content in a Security Descriptor Definition Language (SDDL) format. SDDL is the native format that AD uses to store security descriptor information.

To use Ldp.exe to retrieve the default security descriptor for the user object, go to the command line and type 

ldp

then complete the following steps to retrieve the defaultSecurityDescriptor attribute:

  1. Open the Connection menu, select Connect, then enter the name of the AD server in the Connect dialog box.
  2. Open the Connection menu, select Bind, then enter a set of valid credentials in the Bind dialog box.
  3. Open the View menu, select Tree, then enter the following base distinguished name (DN) to retrieve the defaultSecurityDescriptor attribute:
    4. cn=user,cn=schema,cn=configuration, DC=<domainname>,DC=<domainextension>
  4. Locate the content of the defaultSecurityDescriptor attribute in the right pane, as Figure 2 shows.
TAGS: Security
Hide comments

More information about text formats

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish
Recommended Reading
PowerShell screenshot shows Where-Object cmdlet
How to Use the PowerShell Where-Object Cmdlet
Aug 04, 2022
shield_icon_laptop.jpg
What To Do When Windows Defender Is Not Working
Mar 15, 2022
Computer Screen Showing Password Dialog Box
Microsoft Edge Downloads Updated for Azure AD Sign-In & Sync
Aug 22, 2019
mktg-wp-nolabel5
How to Approach the Windows 7 to 10 Migration
Aug 01, 2019