Defining an AD Object's Default Security Descriptor

Q: When I create a new user object in Active Directory (AD), it's automatically assigned a default set of permissions known as the default security descriptor. How can I retrieve the default security descriptor of a particular object class? How can I change it? Are there any changes in how to do this in Windows Server 2003 compared with Windows 2000?

A: For every AD object class (e.g., user, group), Microsoft defines a default security descriptor that specifies the permissions an object receives when an instance of that class is created. Note that the default is consulted only at creation time: changing it affects objects created afterwards, not existing ones, and the new object's DACL is also merged with any inheritable ACEs from its parent container. Windows 2003 includes some important changes to how you manage this default, both in how you define the content of the descriptor and in how you apply it, or re-apply it, to a particular object instance.

You can set the default security descriptor from the properties of an AD object class. Because the default security descriptor is part of the class definition, editing it is a schema change: you need to be a member of Schema Admins, and the tool you use must be connected to the schema master. The easiest way to make the change is with the Microsoft Management Console (MMC) Active Directory Schema snap-in. Before you can add this snap-in, you must register schmmgmt.dll. To do so, type the following at a command line:


Regsvr32 schmmgmt.dll

For example, to set the default security descriptor for the user object class, open the Active Directory Schema snap-in, locate the user class in the Classes container, and open the class properties. To change the default security descriptor, go to the Default Security tab, as Figure 1 shows. In Win2K, this tab was simply named Security, which was a bit confusing.

You can also use other tools to retrieve the default security descriptor of an AD object class, for example ldp.exe, ldifde.exe, or the MMC ADSI Edit (adsiedit.msc) snap-in. In that case, look for the defaultSecurityDescriptor attribute of the class's classSchema object. These tools display the attribute as a raw Security Descriptor Definition Language (SDDL) string, so you must decipher its content yourself.

SDDL is the string format Windows uses to represent a security descriptor as text; the defaultSecurityDescriptor attribute is stored in this form (the nTSecurityDescriptor attribute of an actual object, by contrast, is stored as a binary security descriptor). The SDDL syntax is explained in greater detail on MSDN. An SDDL string can contain four tokens that introduce the four main components of a security descriptor: owner (O:), primary group (G:), DACL (D:), and SACL (S:). Each ACL is a sequence of ACEs in parentheses, and each ACE has six semicolon-separated fields: ACE type, ACE flags, access rights (as two-letter tokens or a hex access mask), object GUID, inherited object GUID, and trustee SID. Here's an example of an SDDL string and its meaning.


O:BA G:SY D: (D;;0xf0007;;;BG) (A;;0x3;;;SU)

O:BA               The owner is the Built-in Administrators group (BA)
G:SY               The primary group is Local System (SY)
D:                 Start of the DACL portion
(D;;0xf0007;;;BG)  Deny ACE: Built-in Guests (BG) are denied the rights in access mask 0xf0007 (the four standard rights, i.e., delete, read control, write DAC and write owner, plus the three lowest object-specific bits)
(A;;0x3;;;SU)      Allow ACE: the service logon SID (SU) is granted the rights in access mask 0x3 (the two lowest object-specific bits)

What the object-specific bits mean depends on the object type; for AD objects, 0x1 is create child and 0x2 is delete child.
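Deciphering and editing SDDL by hand, as the tools above require, is error-prone. The following is an added example, not code from the original article: a small Python SDDL parser/serializer that splits a string into the four components and the six ACE fields described above, names the rights bits in an access mask, checks that the DACL is in canonical order (explicit deny ACEs before explicit allow ACEs), and inserts a new ACE in the correct position so that the result can be written back to defaultSecurityDescriptor. The USER_CLASS_SAMPLE string is constructed for this example in the style of the user class default and is not a dump from a real schema; the rights and alias tables are the subset the example needs.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# Well-known SID aliases SDDL may use instead of an S-1-... string (subset).
SID_ALIASES = {"BA": "Built-in Administrators", "SY": "Local System", "BG": "Built-in Guests", "SU": "Service logon SID",
               "DA": "Domain Admins", "PS": "Principal Self", "AU": "Authenticated Users", "WD": "Everyone"}
# Two-letter rights tokens -> access-mask bits (AD object rights, standard rights, generic rights).
RIGHTS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20, "DT": 0x40,
          "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
          "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000}
ALL_KNOWN = sum(RIGHTS.values())
ACE_TYPES = {"A": "ALLOW", "D": "DENY", "OA": "OBJECT_ALLOW", "OD": "OBJECT_DENY",
             "AU": "AUDIT", "OU": "OBJECT_AUDIT"}
# The four top-level components are each optional but always appear in this order.
_SD_RE = re.compile(r"^(?:O:(?P<owner>.+?))?(?:G:(?P<group>.+?))?"
                    r"(?:D:(?P<dacl>.*?))?(?:S:(?P<sacl>.*))?$")
# The page's example, plus a DACL constructed in the style of the user class default (not a real dump).
PAGE_EXAMPLE = "O:BA G:SY D: (D;;0xf0007;;;BG) (A;;0x3;;;SU)"
USER_CLASS_SAMPLE = ("D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPLCLORC;;;PS)"
                     "(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)(A;;RPLCLORC;;;AU)")

def _parse_mask(text):
    if text.lower().startswith("0x"):  # the rights field is either a hex mask ...
        return int(text, 16)
    mask = 0
    for i in range(0, len(text), 2):  # ... or a run of two-letter tokens
        mask |= RIGHTS[text[i:i + 2]]  # KeyError: a token this table does not model
    return mask

def _mask_to_sddl(mask):
    """Tokens when every set bit has a name, otherwise hex as in the page's example."""
    if mask & ~ALL_KNOWN:
        return "0x%x" % mask
    return "".join(n for n, b in RIGHTS.items() if mask & b)

@dataclass
class Ace:
    ace_type: str               # A, D, OA, OD, AU, OU
    flags: str                  # inheritance/audit flags (empty in a default SD)
    mask: int
    object_type: str            # GUID of a property, property set or extended right, or ""
    inherited_object_type: str
    trustee: str                # alias such as BA, or an S-1-... string
    @classmethod
    def parse(cls, text):
        parts = text.split(";")
        if len(parts) != 6 or parts[0] not in ACE_TYPES:
            raise ValueError("unsupported ACE: %r" % text)
        return cls(parts[0], parts[1], _parse_mask(parts[2]), parts[3], parts[4], parts[5])

    def rights(self):
        unknown = self.mask & ~ALL_KNOWN
        return [n for n, b in RIGHTS.items() if self.mask & b] + ([hex(unknown)] if unknown else [])

    def to_sddl(self):
        return "(%s;%s;%s;%s;%s;%s)" % (self.ace_type, self.flags, _mask_to_sddl(self.mask),
                                        self.object_type, self.inherited_object_type, self.trustee)

    def describe(self):
        scope = " on object type %s" % self.object_type if self.object_type else ""
        return "%-12s %s: %s%s" % (ACE_TYPES[self.ace_type], SID_ALIASES.get(self.trustee, self.trustee),
                                   " ".join(self.rights()) or "(none)", scope)

@dataclass
class SecurityDescriptor:
    owner: Optional[str] = None
    group: Optional[str] = None
    dacl_flags: str = ""
    dacl: Optional[List[Ace]] = None    # None = no D: token, [] = empty DACL
    sacl_flags: str = ""
    sacl: Optional[List[Ace]] = None
    @classmethod
    def parse(cls, sddl):
        m = _SD_RE.match(sddl.replace(" ", ""))  # tolerate the spaced-out form articles use
        if not m:
            raise ValueError("not an SDDL string: %r" % sddl)
        sd = cls(owner=m.group("owner"), group=m.group("group"))
        for name in ("dacl", "sacl"):
            if m.group(name) is not None:  # ACL flags (P, AI, AR) precede the first ACE
                setattr(sd, name + "_flags", m.group(name).split("(", 1)[0])
                setattr(sd, name, [Ace.parse(a) for a in re.findall(r"\(([^)]*)\)", m.group(name))])
        return sd

    def to_sddl(self):
        acl = lambda tag, flags, aces: "" if aces is None else tag + flags + "".join(a.to_sddl() for a in aces)
        return (("O:" + self.owner) if self.owner else "") + (("G:" + self.group) if self.group else "") \
            + acl("D:", self.dacl_flags, self.dacl) + acl("S:", self.sacl_flags, self.sacl)

    def dacl_is_canonical(self):
        """Explicit deny ACEs must precede explicit allow ACEs; the ACL editor flags anything else."""
        kinds = [a.ace_type[-1] for a in self.dacl or []]  # 'D', 'A' (or 'U' for audit types)
        return "A" not in kinds or "D" not in kinds[kinds.index("A"):]

    def add_ace(self, ace):
        """Insert an ACE and keep the DACL canonical: a deny ACE goes before the first allow ACE."""
        self.dacl = self.dacl or []
        kinds = [a.ace_type[-1] for a in self.dacl]
        pos = kinds.index("A") if ace.ace_type[-1] == "D" and "A" in kinds else len(self.dacl)
        self.dacl.insert(pos, ace)
```

Parsing PAGE_EXAMPLE and printing `describe()` for each ACE gives the breakdown above in one line per ACE; `to_sddl()` re-emits the descriptor with token rights ("CCDCLCSDRCWDWO" for 0xf0007), which is what you would paste into the Default Security tab or import with ldifde (changetype: modify). Because the default is only consulted when an object is created, writing back a changed string does not touch existing objects.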

To retrieve all default security descriptors stored in the AD schema, you could also use the following ldifde command, substituting your forest root domain's components for the dc= values:


ldifde -f ADdefaults.txt -d "cn=schema,cn=configuration,dc=<domain>,dc=<tld>" -r "(objectCategory=classSchema)" -l defaultSecurityDescriptor
