Security Descriptors

A security descriptor contains the security information associated with a securable object. A security descriptor consists of a SECURITY_DESCRIPTOR structure and its associated security information. A security descriptor can include the following security information:

• Security identifiers (SIDs) for the owner and primary group of an object.
• A DACL that specifies the types of object access that the system grants to particular users or groups.
• A SACL that specifies the types of access attempts that generate audit records for the object.
• A set of control bits that qualify the meaning of a security descriptor or its individual members.

Applications must not directly manipulate the contents of a security descriptor. The Win32 API provides functions for setting and retrieving the security information in an object's security descriptor. In addition, there are functions for creating and initializing a security descriptor for a new object.

This overview describes the Win32 security functions for working with security descriptors for applications running on Windows NT versions 5.0 and later. For applications that must be compatible with versions of Windows NT earlier than 5.0, see Windows NT 4.0 Access Control and Low-Level Access Control.