6.1.6.7.5 nTSecurityDescriptor

A mandatory object attribute that contains the security descriptor tied to the Active Directory object. The security descriptor defines the access controls on the object. TDOs are sensitive objects and have tight access controls placed upon them. The attribute is stored as the type String(NT-Sec-Desc). The default security descriptor for TDOs, in SDDL format ([MS-DTYP] section 2.5.1), is as follows.

 Platforms                         Default Security Descriptor in SDDL Format
 ---------                         ------------------------------------------
 W2000                             D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)

 W2003, W2003R2, W2008, W2008R2    D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)(OA;;WP;736e4812-af31-11d2-b7df-00805f48caeb;bf967ab8-0de6-11d0-a285-00aa003049e2;CO)(A;;SD;;;CO)
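
The following added example (not part of the specification) splits the two default DACLs above into ACEs and reports which ACEs an observed descriptor carries beyond a chosen baseline, which is the comparison a reviewer would run against a TDO read from a directory. The names `parse_dacl`, `describe` and `added_aces` are hypothetical, and the right and trustee labels are short descriptions of the SDDL codes, limited to the codes that appear in the table.

```python
import re

# Two-letter SDDL codes appearing in the TDO defaults (labels are short descriptions).
RIGHTS = {"RP": "read property", "WP": "write property", "CR": "control access",
          "CC": "create child", "DC": "delete child", "LC": "list children",
          "LO": "list object", "RC": "read control", "WO": "write owner",
          "WD": "write DACL", "SD": "delete", "DT": "delete tree", "SW": "self write"}
TRUSTEES = {"DA": "Domain Admins", "SY": "Local System",
            "AU": "Authenticated Users", "CO": "Creator Owner"}

W2000_DEFAULT = ("D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
                 "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)")
W2003_DEFAULT = (W2000_DEFAULT + "(OA;;WP;736e4812-af31-11d2-b7df-00805f48caeb;"
                 "bf967ab8-0de6-11d0-a285-00aa003049e2;CO)(A;;SD;;;CO)")

def parse_dacl(sddl):
    """Return ACEs as (type, flags, rights, object GUID, inherited object GUID, trustee)."""
    m = re.search(r"D:[A-Z]*((?:\([^()]*\))*)", sddl)
    if m is None:
        raise ValueError("no DACL (D:) component")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(1)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: (%s)" % body)
        codes = re.findall("..", fields[2])
        # Reject anything outside the known codes rather than silently ignoring it.
        if len(fields[2]) % 2 or any(c not in RIGHTS for c in codes):
            raise ValueError("unrecognized rights: %s" % fields[2])
        aces.append((fields[0], fields[1], frozenset(codes),
                     fields[3].lower(), fields[4].lower(), fields[5]))
    return aces

def describe(ace):
    """Render one parsed ACE as a readable line."""
    ace_type, _flags, rights, obj, _inherit_obj, trustee = ace
    who = TRUSTEES.get(trustee, trustee)
    what = ", ".join(sorted(RIGHTS[c] for c in rights))
    return "%s %s: %s%s" % (ace_type, who, what, " on %s" % obj if obj else "")

def added_aces(observed, baseline):
    """ACEs present in observed but absent from baseline (ACE order is ignored)."""
    base = set(parse_dacl(baseline))
    return [a for a in parse_dacl(observed) if a not in base]

if __name__ == "__main__":
    for ace in added_aces(W2003_DEFAULT, W2000_DEFAULT):
        print(describe(ace))
```

Run against the two defaults, the difference is exactly the two Creator Owner (CO) ACEs that the later platforms append.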