Article ID: 318825
This article was previously published under Q318825
The default behavior of the discretionary access control list (DACL) on a Microsoft Windows XP-based system is different from the behavior of earlier versions of the DACL. This article describes the behavior of the default DACL when a member of the Administrators group creates a securable object on a Microsoft Windows XP-based system.
When you specify NULL as the LPSECURITY_ATTRIBUTES parameter while you create a securable object, the default DACL in the caller's access token is applied to the object. Typically, only the CREATOR OWNER and the LocalSystem local user accounts are granted access to an object.
On a Microsoft Windows NT 4.0-based system and on a Microsoft Windows 2000-based system, members of the BUILTIN\Administrators group are granted access to the secured object if the CREATOR OWNER is a member of the Administrators group.
However, on both a Microsoft Windows XP Professional Edition-based system and a Microsoft Windows XP Home Edition-based system, only the user is specifically granted access to the object, even if the CREATOR OWNER is a member of the Administrators group. On a Windows XP-based system, you can use a security option to control this behavior. In Windows XP, the default value for this security option is Object creator.
To view this security option, follow these steps:
Access tokens that are created by a later authentication use the new policy. Duplicate access tokens are not created.
Note: On a computer that is running Windows Server 2003, the default security option is Administrators instead of Object creator as it is in Windows XP Professional or Windows Home. On a Windows 2003 Domain Controller, this option is under Domain Security instead of under Local Security Policy.
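The following script is an added example, not part of the original Microsoft article. It creates a named mutex without a security descriptor, which is the NULL LPSECURITY_ATTRIBUTES case described above, and reports the owner and DACL the object received so that you can see whether BUILTIN\Administrators was granted access. It assumes Windows PowerShell 5.1 on the .NET Framework, and the mutex name is constructed for the demonstration.

```powershell
# Added example: assumes Windows PowerShell 5.1 (.NET Framework).
$sidType = [System.Security.Principal.SecurityIdentifier]
$token   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$admins  = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

function Resolve-SidName($sid) {
    # Logon SIDs and similar have no account name; fall back to the SID string.
    try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid.Value }
}

# Named kernel object created with no security descriptor: .NET passes NULL
# security attributes, so owner and DACL come from the caller's token.
$name  = 'Local\kb318825-demo-' + [guid]::NewGuid().ToString('N')   # constructed name
$mutex = New-Object System.Threading.Mutex($false, $name)
try {
    $sd    = $mutex.GetAccessControl()
    $owner = $sd.GetOwner($sidType)
    $aces  = @($sd.GetAccessRules($true, $true, $sidType))

    # Summary: who the caller is, who owns the new object, and whether the
    # Administrators group appears in an Allow entry of its DACL.
    [pscustomobject]@{
        TokenUser         = Resolve-SidName $token.User
        TokenDefaultOwner = Resolve-SidName $token.Owner
        ObjectOwner       = Resolve-SidName $owner
        OwnerIsAdmins     = $owner.Value -eq $admins
        AdminsGranted     = [bool]($aces | Where-Object {
            $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $admins })
    } | Format-List

    # Full DACL as applied to the object, one row per access control entry.
    $aces | Select-Object AccessControlType,
        @{ n = 'Trustee'; e = { Resolve-SidName $_.IdentityReference } },
        MutexRights | Format-Table -AutoSize
}
finally { $mutex.Close() }
```

The values come from the caller's access token, so after you change the security option, run the script from a new logon to see the new policy applied.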
Article ID: 318825 - Last Review: November 16, 2007 - Revision: 3.4