Changes to the behavior of the default discretionary access control list (DACL) for administrators on a Windows XP-based system

This article was previously published under Q318825
This article has been archived. It is offered "as is" and will no longer be updated.
The default behavior of the discretionary access control list (DACL) on a Microsoft Windows XP-based system is different from the behavior of earlier versions of the DACL. This article describes the behavior of the default DACL when a member of the Administrators group creates a securable object on a Microsoft Windows XP-based system.
When you specify NULL as the LPSECURITY_ATTRIBUTES parameter when you create a securable object, the default DACL that is associated with the access token of the caller is used to apply access control to the object. Typically, only the CREATOR OWNER and the LocalSystem local user accounts are granted access to such an object.

On a Microsoft Windows NT 4.0-based system and on a Microsoft Windows 2000-based system, members of the BUILTIN\Administrators group are granted access to the secured object if the CREATOR OWNER is a member of the Administrators group.

However, on both a Microsoft Windows XP Professional Edition-based system and a Microsoft Windows XP Home Edition-based system, only the user is specifically granted access to the object, even if the CREATOR OWNER is a member of the Administrators group. On a Windows XP-based system, you can use a security option to control this behavior. In Windows XP, the default value for this security option is Object creator.

To view this security option, follow these steps:
  1. Click Start, and then click Control Panel.
  2. In Control Panel, click Performance and Maintenance.
  3. Click Administrative Tools, and then double-click Local Security Policy.
  4. In the left pane of the Local Security Settings console, expand Local Policies, and then click Security Options.
  5. In the right pane of the Local Security Settings console, double-click System objects: Default owner for objects created by members of the Administrators group.

    Notice the default value for this security option.
The policy specifically applies to the CREATOR OWNER account. Therefore, the policy affects the default DACL when the user's access token is created. The CREATOR OWNER policy will change the permissions that are associated with the default DACL.

Access tokens that are created by a later authentication use the new policy. Duplicate access tokens are not created.
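To observe this behavior on a running system, the following added example (not part of the original article) creates a named mutex with no security descriptor, so the kernel applies the caller's token default DACL, and then lists the owner and the trustees that received access. It assumes Windows PowerShell 5.1 on .NET Framework, where System.Threading.Mutex exposes GetAccessControl(); the mutex name is an arbitrary constructed value.

```powershell
# Added example, not part of the KB article. Assumes Windows PowerShell 5.1 (.NET Framework),
# where System.Threading.Mutex exposes GetAccessControl(). Run it while signed in as a member
# of Administrators; after changing the security option, sign in again (a new access token)
# and run it a second time to compare the two reports.
function Get-DefaultDaclReport {
    param([string]$Name = 'KB318825_DefaultDaclProbe')   # constructed, arbitrary object name

    # No MutexSecurity is supplied, so the underlying CreateMutex call receives a NULL
    # lpSecurityAttributes and the object gets the caller's token default DACL.
    $createdNew = $false
    $mutex = New-Object System.Threading.Mutex($false, $Name, [ref]$createdNew)
    try {
        if (-not $createdNew) { throw "Mutex '$Name' already existed; its DACL is not fresh." }

        $security  = $mutex.GetAccessControl()
        $ntAccount = [System.Security.Principal.NTAccount]
        $owner     = $security.GetOwner($ntAccount).Value
        $rules     = $security.GetAccessRules($true, $false, $ntAccount)

        [pscustomobject]@{
            Owner                 = $owner
            Trustees              = @($rules | ForEach-Object { $_.IdentityReference.Value })
            # True only when the default owner is the Administrators group (the Windows Server
            # 2003 default, or Windows XP with the option set to Administrators); with the
            # Windows XP default of Object creator the ACE names the individual user instead.
            AdministratorsGranted = [bool]($rules | Where-Object {
                                        $_.IdentityReference.Value -eq 'BUILTIN\Administrators' })
        }
    }
    finally {
        $mutex.Dispose()   # the kernel object is deleted with its last handle
    }
}

Get-DefaultDaclReport | Format-List
```

The Owner field shows which SID the CREATOR OWNER placeholder resolved to for this token, and Trustees shows the ACEs the token default DACL produced.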

Note On a computer that is running Windows Server 2003, the default value for this security option is Administrators instead of Object creator as it is in Windows XP Professional or Windows XP Home. On a Windows Server 2003 domain controller, this option is under Domain Security instead of under Local Security Policy.

Article ID: 318825 - Last Review: 12/07/2015 09:08:20 - Revision: 3.4

Microsoft Win32 Application Programming Interface
