Active Directory Security Descriptors
The Microsoft Windows family of operating systems provides the ability to secure a variety of system objects, such as files, directories, registry keys and mutexes (commonly referred to as securable objects). Windows likewise provides the ability to protect objects in Active Directory, and these objects are protected by security descriptors.
Security Descriptor Components
A security descriptor is a data structure that serves to protect a securable object. It specifies pertinent security information, such as who has what access to the object.
In particular, a security descriptor is composed of four components:
An Owner field
A Group field
A Discretionary Access Control List (DACL) field
A System Access Control List (SACL) field
The Owner and Group fields of a security descriptor hold the Security Identifiers (SIDs) of the object's owner and of the object's primary group, respectively. The owner of an object has implicit Modify Permissions on the object, and can thus control who is granted what access to the object.
An object's DACL is a set of zero or more access control entries (ACEs) that together specify who has what access to the object. In particular, each ACE allows or denies one or more security permissions (e.g. Read Property, Write Property or Create Child) to a user or a group of users on the object.
The SACL is a set of ACEs that together specify which operations on the object should be audited. In particular, each ACE specifies the types of access attempts by a specified user or group of users that cause the system to generate a record in the security event log. For example, an administrator can specify that every successful modification of a specific attribute should generate an event in the Directory Services audit log, which is part of the security log generated on Domain Controllers.
Thus the owner field specifies the object's owner, the DACL field specifies who has what access on the object, and the SACL field specifies what types of access attempts on the object should cause a record to be generated in the system's audit log.
In this manner, Active Directory security descriptors protect Active Directory objects.
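As an added example, not code from the original article: the following Python parses the self-relative binary form of a security descriptor (the layout in which nTSecurityDescriptor is stored, per MS-DTYP 2.4.6) and returns the four components discussed above, expanding object ACEs so that the attribute GUID carried by a property-level or audit ACE is visible. The descriptor it parses is constructed inline; the domain SID S-1-5-21-1-2-3 and the attribute GUID are placeholders, and the SACL entry models the audit example above (successful writes to one attribute).

```python
import struct

ACE_TYPES = {0: "ALLOWED", 1: "DENIED", 2: "AUDIT", 5: "ALLOWED_OBJECT", 6: "DENIED_OBJECT", 7: "AUDIT_OBJECT"}
def parse_sid(buf, off):                                       # binary SID -> ('S-R-A-S1-...', byte length)
    rev, count = buf[off], buf[off + 1]
    auth = int.from_bytes(buf[off + 2:off + 8], "big")        # IdentifierAuthority is big-endian
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)   # SubAuthorities are little-endian
    return "S-%d-%d" % (rev, auth) + "".join("-%d" % s for s in subs), 8 + 4 * count

def parse_acl(buf, off):                                       # ACL: 8-byte header, then AceCount ACEs
    ace_count = struct.unpack_from("<H", buf, off + 4)[0]
    pos, aces = off + 8, []
    for _ in range(ace_count):
        ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", buf, pos)
        mask, body, obj_type = struct.unpack_from("<I", buf, pos + 4)[0], pos + 8, None
        if ace_type in (5, 6, 7):                              # object ACE: Flags, then optional GUIDs
            obj_flags, body = struct.unpack_from("<I", buf, body)[0], body + 4
            if obj_flags & 1:                                  # ACE_OBJECT_TYPE_PRESENT: attribute/set/right GUID
                obj_type, body = buf[body:body + 16].hex(), body + 16
            body += 16 if obj_flags & 2 else 0                 # skip InheritedObjectType GUID if present
        aces.append({"type": ACE_TYPES.get(ace_type, hex(ace_type)), "flags": ace_flags,
                     "mask": mask, "object_type": obj_type, "sid": parse_sid(buf, body)[0]})
        pos += ace_size                                        # AceSize also covers any trailing padding
    return aces

def parse_sd(buf):
    """Parse a self-relative SECURITY_DESCRIPTOR (MS-DTYP 2.4.6): Revision, Control, four offsets."""
    rev, _, control, o_owner, o_group, o_sacl, o_dacl = struct.unpack_from("<BBHIIII", buf, 0)
    if rev != 1 or not control & 0x8000: raise ValueError("not a self-relative SD")  # SE_SELF_RELATIVE
    return {"owner": parse_sid(buf, o_owner)[0] if o_owner else None,
            "group": parse_sid(buf, o_group)[0] if o_group else None,
            "dacl": parse_acl(buf, o_dacl) if control & 0x4 and o_dacl else None,   # None: absent or NULL DACL
            "sacl": parse_acl(buf, o_sacl) if control & 0x10 and o_sacl else None}  # None: nothing audited

# Encoders below exist only to build a constructed sample descriptor; no real directory data is used.
def sid_bytes(sid):
    rev, auth, *subs = (int(p) for p in sid.split("-")[1:])
    return bytes([rev, len(subs)]) + auth.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)
def ace_bytes(ace_type, flags, mask, sid, guid=None):         # guid given -> object ACE with ObjectType set
    body = struct.pack("<I", mask) + (struct.pack("<I", 1) + guid if guid else b"") + sid_bytes(sid)
    return struct.pack("<BBH", ace_type, flags, 4 + len(body)) + body
def acl_bytes(aces):                                           # AclRevision 4 = ACL_REVISION_DS (object ACEs)
    return struct.pack("<BBHHH", 4, 0, 8 + sum(map(len, aces)), len(aces), 0) + b"".join(aces)
ATTR_GUID = bytes(range(16))                                   # placeholder for an attribute's schema GUID
DACL = acl_bytes([ace_bytes(0, 0, 0x10000000, "S-1-5-32-544")])        # Administrators: GENERIC_ALL
SACL = acl_bytes([ace_bytes(7, 0x40, 0x20, "S-1-1-0", ATTR_GUID)])    # audit successful Write Property by anyone
PARTS = [sid_bytes("S-1-5-32-544"), sid_bytes("S-1-5-21-1-2-3-513"), SACL, DACL]  # owner, group, SACL, DACL
OFFS = [20 + sum(map(len, PARTS[:i])) for i in range(4)]       # 20-byte header, then parts in that order
SAMPLE_SD = struct.pack("<BBHIIII", 1, 0, 0x8014, *OFFS) + b"".join(PARTS)  # 0x8014: self-relative|SACL|DACL
```

A `dacl` of None with SE_DACL_PRESENT set is a NULL DACL, which grants everyone full access, so a reviewer should treat that result as a finding rather than as "no entries".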