Each token also identifies a primary group for the user. This group does not necessarily have to be one the user is a member of (although it is by default) and it does not determine the objects a user has access to (that is, it isn't used in access validation decisions). However, by default it is assigned as the primary group of any objects the user creates. For the most part, the primary group is required simply for POSIX compatibility, but the primary group does play a role in object creation.
When a new object is created, the security system has the task of assigning protection to the new object. The system follows this process:
- Assign the new object any protection explicitly passed in by the object creator.
- Otherwise, assign the new object any inheritable protection from the container the object is created in.
- Otherwise, assign the new object any protection explicitly passed in by the object creator, but marked as "default."
- Otherwise, if the caller's token has a default DACL, that will be assigned to the new object.
- Otherwise, no protection is assigned to the new object.
By default, users logging on to Windows NT are given a primary group of "Domain Users" (when logging on to a Windows NT Server) or the group called "None" (when logging onto a Windows NT Workstation system). Therefore, when you create an object in a container that has an inheritable ACE with the CREATOR_GROUP SID, you will likely end up with an ACE granting Domain Users some access. This may not be what you intended.
Artikelnummer: 126629 – Letzte Überarbeitung: 21.11.2006 – Revision: 1