Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Changes to the behavior of the default discretionary access control list (DACL) for administrators on a Windows XP-based system



The default behavior of the discretionary access control list (DACL) on a Microsoft Windows XP-based system is different from the behavior of earlier versions of the DACL. This article describes the behavior of the default DACL when a member of the Administrators group creates a securable object on a Microsoft Windows XP-based system.


More information

When you pass NULL for the LPSECURITY_ATTRIBUTES parameter when you create a securable object, the default DACL stored in the caller's access token is applied to the new object. Typically, only the CREATOR OWNER and the LocalSystem local user accounts are granted access to an object.

On a Microsoft Windows NT 4.0-based system and on a Microsoft Windows 2000-based system, members of the BUILTIN\Administrators group are granted access to the secured object if the CREATOR OWNER is a member of the Administrators group.

However, on both a Microsoft Windows XP Professional Edition-based system and a Microsoft Windows XP Home Edition-based system, only the user is specifically granted access to the object, even if the CREATOR OWNER is a member of the Administrators group. On a Windows XP-based system, you can use a security option to control this behavior. In Windows XP, the default value for this security option is Object creator.

To view this security option, follow these steps:
  1. Click Start, and then click Control Panel.
  2. In Control Panel, click Performance and Maintenance.
  3. Click Administrative Tools, and then double-click Local Security Policy.
  4. In the left pane of the Local Security Settings console, expand Local Policies, and then click Security Options.
  5. In the right pane of the Local Security Settings console, double-click System objects: Default owner for objects created by members of the Administrators group, and note the default value for this security option.

The policy specifically applies to the CREATOR OWNER account. Therefore, the policy affects the default DACL when the user's access token is created. The CREATOR OWNER policy will change the permissions that are associated with the default DACL.

Access tokens that are created by a later authentication use the new policy. Duplicate access tokens are not created.
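The following Windows PowerShell script is an added example, not part of the original article, that lets you observe the behaviour described above on the machine you are auditing. It reads the policy setting, dumps the default DACL carried in the current process token, then creates an event with lpSecurityAttributes set to NULL (the .NET constructor used here passes NULL when no security object is supplied) and prints the owner and DACL the system applied. The mapping of the policy to the NoDefaultAdminOwner registry value (1 = Object creator, 0 = Administrators), the TokenDacl helper type and the TokenDefaultDacl class value of 6 are this example's assumptions; the article names only the user-interface setting. A kernel event is used deliberately: file system objects normally receive inheritable ACEs from their parent, which take precedence over the token's default DACL.

```powershell
# Added example: observe the token default DACL and the DACL placed on a new object.
$tokenDaclSource = @'
using System;
using System.Runtime.InteropServices;
using System.Security.AccessControl;

public static class TokenDacl   // hypothetical helper type, not part of Windows
{
    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr hObject);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr TokenHandle, int TokenInformationClass,
        IntPtr TokenInformation, int TokenInformationLength, out int ReturnLength);

    const uint TOKEN_QUERY = 0x0008;
    const int TokenDefaultDacl = 6;   // TOKEN_INFORMATION_CLASS member (assumed value)

    // Returns the caller's token default DACL as a RawAcl, or null if the token has none.
    public static RawAcl Get()
    {
        IntPtr token;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, out token))
            throw new System.ComponentModel.Win32Exception();
        try
        {
            int len;
            GetTokenInformation(token, TokenDefaultDacl, IntPtr.Zero, 0, out len); // size probe
            IntPtr buf = Marshal.AllocHGlobal(len);
            try
            {
                if (!GetTokenInformation(token, TokenDefaultDacl, buf, len, out len))
                    throw new System.ComponentModel.Win32Exception();
                // TOKEN_DEFAULT_DACL holds a single PACL; AclSize is the WORD at offset 2 of the ACL header.
                IntPtr pAcl = Marshal.ReadIntPtr(buf);
                if (pAcl == IntPtr.Zero) return null;
                int aclSize = Marshal.ReadInt16(pAcl, 2) & 0xFFFF;
                byte[] bytes = new byte[aclSize];
                Marshal.Copy(pAcl, bytes, 0, aclSize);
                return new RawAcl(bytes, 0);
            }
            finally { Marshal.FreeHGlobal(buf); }
        }
        finally { CloseHandle(token); }
    }
}
'@
Add-Type -TypeDefinition $tokenDaclSource

# 1. The policy "System objects: Default owner for objects created by members of the
#    Administrators group". Assumption: stored as NoDefaultAdminOwner under the Lsa key.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                        -Name NoDefaultAdminOwner -ErrorAction SilentlyContinue
if ($null -ne $lsa) { "Policy NoDefaultAdminOwner = $($lsa.NoDefaultAdminOwner)  (1 = Object creator, 0 = Administrators)" }
else                { "Policy value not present; the platform default applies" }

# 2. The default DACL in this process's access token. A changed policy only shows up
#    in tokens created by a later logon, so re-run after logging on again if you changed it.
"`nToken default DACL:"
foreach ($ace in [TokenDacl]::Get()) {
    $sid = $ace.SecurityIdentifier
    try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $who = $sid.Value }                      # e.g. logon SIDs have no account name
    '{0,-20} {1,-40} 0x{2:X8}' -f $ace.AceType, $who, $ace.AccessMask
}

# 3. Create a securable kernel object with lpSecurityAttributes = NULL and read back
#    the owner and DACL the system derived from the token default DACL.
$ev = New-Object System.Threading.EventWaitHandle($false, [System.Threading.EventResetMode]::ManualReset)
try {
    $sd = $ev.GetAccessControl()
    try   { $owner = $sd.GetOwner([System.Security.Principal.NTAccount]).Value }
    catch { $owner = $sd.GetOwner([System.Security.Principal.SecurityIdentifier]).Value }
    "`nNew event owner: $owner"
    $sd.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
        Format-Table IdentityReference, EventWaitHandleRights, AccessControlType -AutoSize
}
finally { $ev.Close() }
```

Run it once from an elevated session of an account in the Administrators group. With the policy at Object creator, the owner printed in step 3 is the user account; with the policy at Administrators, it is BUILTIN\Administrators, which is the difference between the Windows XP and Windows Server 2003 defaults the article describes. Because the token is built at logon, changing the policy and re-running the script in the same session shows no change.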

Note On a computer that is running Windows Server 2003, the default security option is Administrators instead of Object creator as it is in Windows XP Professional or Windows XP Home. On a Windows Server 2003 domain controller, this option is under Domain Security instead of under Local Security Policy.


Keywords: KB318825, kbsecurity, kbkernbase, kbinfo, kbapi


Article Info
Article ID : 318825
Revision : 7
Created on : 11/16/2007
Published on : 11/16/2007