6.1.3.4 Blocking Implicit Owner Rights

The owner of a security descriptor is implicitly granted READ_CONTROL and WRITE_DAC by default, whether or not the DACL grants them. For servers running specific operating systems (see the note below), these implicit rights are blocked when all of the following are TRUE:

  • The BlockOwnerImplicitRights dsHeuristic is set to 1 (section 6.1.1.2.4.1.2).

  • The requester is a member of neither the Domain Administrators (section 6.1.1.6.5) nor the Enterprise Administrators (section 6.1.1.6.10) group.

  • The objectClass of the object being added or modified is computer, or a class derived from computer.

Note: For servers running the operating systems specified in [MSFT-CVE-2021-42291], each with the related MSKB article download installed, implicit rights granted by default to the owner of the security descriptor are blocked when the specified conditions are TRUE.
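The following is an added example, not code from MS-ADTS or from Windows. It models the rule above as a DC-side decision: whether a requester who owns an object receives the implicit READ_CONTROL|WRITE_DAC, and how the BlockOwnerImplicitRights setting is encoded in the dsHeuristics string (including the mandatory check digits at every tenth position from section 6.1.1.2.4.1.2). Assumptions: the heuristic lives at the 28th character, as documented for the KB5008383 update (confirm against section 6.1.1.2.4.1.2 before relying on it); the SIDs, the schema fragment and the ACLs are constructed test data; and the access check is a simplification of MS-DTYP 2.5.3.2, keeping only the parts relevant here.

```python
"""Added example for MS-ADTS 6.1.3.4 (not code from the specification or from
Windows). Models when an object's owner gets the implicit READ_CONTROL|WRITE_DAC
and how the BlockOwnerImplicitRights dsHeuristic is encoded. SIDs, the schema
fragment and the ACLs below are constructed test data."""
from dataclasses import dataclass

# Access-mask bits (values as in MS-DTYP / MS-ADTS 5.1.3.2).
READ_CONTROL = 0x00020000
WRITE_DAC = 0x00040000
RIGHT_DS_READ_PROPERTY = 0x10
IMPLICIT_OWNER_RIGHTS = READ_CONTROL | WRITE_DAC

# Constructed SIDs for the two exempted groups (RIDs 512 and 519 are the real
# well-known RIDs; the domain part is made up).
DOMAIN_ADMINS = "S-1-5-21-1-2-3-512"
ENTERPRISE_ADMINS = "S-1-5-21-1-2-3-519"

# Assumption: BlockOwnerImplicitRights is the 28th character of dsHeuristics
# (as documented for KB5008383); confirm against section 6.1.1.2.4.1.2.
BLOCK_OWNER_IMPLICIT_RIGHTS_POS = 28

# Constructed fragment of the schema: class -> subClassOf.
SUBCLASS_OF = {
    "top": "top",
    "person": "top",
    "organizationalPerson": "person",
    "user": "organizationalPerson",
    "computer": "user",
    "msDS-ManagedServiceAccount": "computer",
    "group": "top",
}


def derives_from(object_class: str, ancestor: str) -> bool:
    """True if object_class is `ancestor` or inherits from it via subClassOf."""
    cls = object_class
    while cls != ancestor:
        parent = SUBCLASS_OF.get(cls)
        if parent is None or parent == cls:  # reached top, or an unknown class
            return False
        cls = parent
    return True


def heuristic_is_set(ds_heuristics: str, pos: int) -> bool:
    """Read one 1-based character of dsHeuristics; missing characters count as '0'."""
    return len(ds_heuristics) >= pos and ds_heuristics[pos - 1] == "1"


def set_heuristic(ds_heuristics: str, pos: int, value: str = "1") -> str:
    """Return dsHeuristics with character `pos` set to `value`, padding with '0'
    and writing the check digits section 6.1.1.2.4.1.2 requires (the 10th
    character must be '1', the 20th '2', and so on)."""
    chars = list(ds_heuristics) + ["0"] * max(0, pos - len(ds_heuristics))
    for i in range(10, len(chars) + 1, 10):
        chars[i - 1] = str(i // 10)
    chars[pos - 1] = value
    return "".join(chars)


def implicit_owner_rights_blocked(ds_heuristics, requester_sids, object_class) -> bool:
    """The three conditions of section 6.1.3.4; all must hold."""
    return (
        heuristic_is_set(ds_heuristics, BLOCK_OWNER_IMPLICIT_RIGHTS_POS)
        and not ({DOMAIN_ADMINS, ENTERPRISE_ADMINS} & set(requester_sids))
        and derives_from(object_class, "computer")
    )


@dataclass
class Ace:
    sid: str
    mask: int
    allow: bool = True


@dataclass
class SecurityDescriptor:
    owner: str
    dacl: list


def granted_mask(sd, requester_sids, object_class, ds_heuristics) -> int:
    """Rights the requester ends up with. Simplified from MS-DTYP 2.5.3.2: the
    owner's implicit rights are applied before the DACL (so a deny ACE cannot
    remove them), then ACEs are walked in order, first match per bit winning."""
    granted = 0
    if sd.owner in requester_sids and not implicit_owner_rights_blocked(
        ds_heuristics, requester_sids, object_class
    ):
        granted |= IMPLICIT_OWNER_RIGHTS
    denied = 0
    for ace in sd.dacl:
        if ace.sid not in requester_sids:
            continue
        if ace.allow:
            granted |= ace.mask & ~denied
        else:
            denied |= ace.mask & ~granted
    return granted


if __name__ == "__main__":
    creator = "S-1-5-21-1-2-3-1105"  # constructed: the user who created the object
    sd = SecurityDescriptor(owner=creator, dacl=[Ace(creator, RIGHT_DS_READ_PROPERTY)])
    off = granted_mask(sd, [creator], "computer", "")
    on = granted_mask(sd, [creator], "computer", set_heuristic("", 28))
    print(f"heuristic off: WRITE_DAC={bool(off & WRITE_DAC)}")  # True: owner can rewrite the DACL
    print(f"heuristic on : WRITE_DAC={bool(on & WRITE_DAC)}")   # False: only what the DACL grants
```

The point the demo makes is the one the section is about: with the heuristic off, a non-admin who owns a computer object holds WRITE_DAC no matter what the DACL says, so a DACL that grants only a read right does not limit them; with it on, they hold exactly what the DACL grants. When changing dsHeuristics on a real forest (the attribute on CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,...), read the current value and write it back with only the target character changed, as set_heuristic does, since the other characters carry unrelated heuristics and the check digits must be present for the string to be accepted.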