6 Appendix B: Product Behavior

The information in this specification is applicable to the following Microsoft products or supplemental software. References to product versions include updates to those products.

The terms "earlier" and "later", when used with a product version, refer to either all preceding versions or all subsequent versions, respectively. The term "through" refers to the inclusive range of versions. Applicable Microsoft products are listed chronologically in this section.

Windows Client

  • Windows NT operating system

  • Windows 2000 operating system

  • Windows XP operating system

  • Windows Vista operating system

  • Windows 7 operating system

  • Windows 8 operating system

  • Windows 8.1 operating system

  • Windows 10 operating system

  • Windows 11 operating system

Windows Server

  • Windows NT

  • Windows 2000

  • Windows Server 2003 operating system

  • Windows Server 2008 operating system

  • Windows Server 2008 R2 operating system

  • Windows Server 2012 operating system

  • Windows Server 2012 R2 operating system

  • Windows Server 2016 operating system

  • Windows Server operating system

  • Windows Server 2019 operating system

  • Windows Server 2022 operating system

Exceptions, if any, are noted in this section. If an update version, service pack or Knowledge Base (KB) number appears with a product name, the behavior changed in that update. The new behavior also applies to subsequent updates unless otherwise specified. If a product edition appears with the product version, behavior is different in that product edition.

Unless otherwise specified, any statement of optional behavior in this specification that is prescribed using the terms "SHOULD" or "SHOULD NOT" implies product behavior in accordance with the SHOULD or SHOULD NOT prescription. Unless otherwise specified, the term "MAY" implies that the product does not follow the prescription.

<1> Section 2.1: Windows is implemented on little-endian systems.

<2> Section 2.3.2: Not supported in Windows versions earlier than the Windows 10 v1709 operating system client or the Windows Server v1709 operating system server releases. The control GUID will usually be found in the ExtendedData array. Typically, the presence of this flag indicates that the event is associated with an automatically-generated manifest, such as one generated by the Windows software trace preprocessor.

<3> Section 2.3.2: Not supported in Windows versions earlier than the Windows 8 client or Windows Server 2012 server releases.

<4> Section 2.3.8: Windows implementations access the Value field with non-standard string functions to add or extract strings from the buffer. If standard C conventions were followed, the Value datatype would nominally be wchar_t**.

<5> Section 2.4.1: Only Windows Server 2012 and Windows Server 2012 R2 acting as Kerberos KDCs support this value.

<6> Section 2.4.1: Only Windows Server 2012 and Windows Server 2012 R2 acting as Kerberos KDCs support this value for protocol transition (S4U2Self)-based service tickets

<7> Section 2.4.2.4: Not supported in Windows Vista and earlier client releases or Windows Server 2008 R2 and earlier server releases.

<8> Section 2.4.2.4: Not supported by Windows 2000.

<9> Section 2.4.2.4: Not supported by Windows 2000.

<10> Section 2.4.2.4: Not supported by Windows 2000.

<11> Section 2.4.2.4: Windows server versions earlier than Windows Server 2003 and client versions earlier than Windows XP operating system Service Pack 2 (SP2) included the Guest account in the Authenticated Users group.

<12> Section 2.4.2.4: Supported in Windows Server 2003 and Windows Server 2008. The DC adds this SID:

  • When the user is a member of the forest.

  • When the user is not a member of the forest and the TRUST_ATTRIBUTE_CROSS_ORGANIZATION bit of the Trust Attribute ([MS-ADTS] section 6.1.6.7.9) of the trusted domain object is not set.

<13> Section 2.4.2.4: The COMPOUNDED_AUTHENTICATION SID is not supported in Windows 7 operating system and earlier client releases or Windows Server 2008 R2 operating system and earlier server releases.

<14> Section 2.4.2.4:  The CLAIMS_VALID SID is not supported in Windows 7 and earlier client releases or Windows Server 2008 R2 and earlier server releases.

<15> Section 2.4.2.4: The PROTECTED_USERS SID is not supported in Windows 8 and earlier client releases or Windows Server 2012 and earlier server releases.

<16> Section 2.4.2.4: The KEY_ADMINS SID is not supported in Windows 8.1 and earlier client releases or Windows Server 2012 R2 and earlier server releases.

<17> Section 2.4.2.4: The ENTERPRISE_KEY_ADMINS SID is not supported in Windows 8.1 and earlier client releases or Windows Server 2012 R2 and earlier server releases.

<18> Section 2.4.2.4: The ALLOWED_RODC_PASSWORD_REPLICATION_GROUP SID is not supported in Windows Vista and earlier client releases or Windows Server 2003 and earlier server releases.

<19> Section 2.4.2.4: The DENIED_RODC_PASSWORD_REPLICATION_GROUP SID is not supported in Windows Vista and earlier client releases or Windows Server 2003 and earlier server releases.

<20> Section 2.4.2.4: A built-in group that is created when a domain controller is added to the domain. An alias added by Windows 2000 operating system. Not supported by Windows NT.

<21> Section 2.4.2.4: A built-in group that is created when a domain controller is added to the domain. Not supported by Windows NT, Windows 2000, or Windows XP.

<22> Section 2.4.2.4: A built-in group that is created when a domain controller is added to the domain. Not supported by Windows NT, Windows 2000, or Windows XP.

<23> Section 2.4.2.4: A built-in group that is created when a domain controller is added to the domain. Not supported by Windows NT, Windows 2000, or Windows XP.

<24> Section 2.4.2.4: A built-in group that is created when a domain controller is added to the domain. Not supported by Windows NT, Windows 2000, or Windows XP.

<25> Section 2.4.2.4: A built-in group that is created when a domain controller is added to the domain. Not supported by Windows NT, Windows 2000, or Windows XP.

<26> Section 2.4.2.4: A built-in group that is created when a domain controller is added to the domain. Not supported by Windows NT, Windows 2000, or Windows XP.

<27> Section 2.4.2.4: A new local group is created for Windows Server 2003 operating system with Service Pack 1 (SP1) and later server releases.

<28> Section 2.4.2.4: A built-in group that is created when a domain controller is added to the domain. Not supported by Windows NT, Windows 2000, or Windows XP.

<29> Section 2.4.2.4: A built-in group that is created when a domain controller is added to the domain. Not supported by Windows NT, Windows 2000, Windows XP, or Windows Server 2003.

<30> Section 2.4.2.4: A built-in group that is created when a domain controller is added to the domain. Not supported by Windows NT, Windows 2000, Windows XP, or Windows Server 2003.

<31> Section 2.4.2.4: A built-in group that is created when a domain controller is added to the domain Not supported by Windows NT, Windows 2000, Windows XP, or Windows Server 2003.

<32> Section 2.4.2.4: The THIS_ORGANIZATION_CERTIFICATE SID is not supported in Windows Vista and earlier client releases or Windows Server 2008 and earlier server releases.

<33> Section 2.4.2.4: The LOCAL_ACCOUNT SID is not supported in Windows 8 and earlier client releases or Windows Server 2012 and earlier server releases.

<34> Section 2.4.2.4: The LOCAL_ACCOUNT_AND_MEMBER_OF_ADMINISTRATORS_GROUP SID is not supported in Windows 8 and earlier client releases or Windows Server 2012 and earlier server releases.

<35> Section 2.4.2.4: Supported in Windows Server 2003 and Windows Server 2008. When the TRUST_ATTRIBUTE_CROSS_ORGANIZATION bit of the Trust Attribute ([MS-ADTS] section 6.1.6.7.9) of the trusted domain object is set:

  • If the forest boundary is crossed, Windows domain controllers add this SID.

  • If Windows domain controllers receive requests to authenticate to resources in their domain, they check the computer object to ensure that this SID is allowed. In Windows, by default this applies to NTLM (as specified in [MS-NLMP] and [MS-APDS]), to Kerberos (as specified in [MS-KILE] and [MS-APDS]), and to TLS (as specified in [MS-TLSP] and [MS-SFU]).

<36> Section 2.4.2.4: The ML_SECURE_PROCESS SID is not supported in Windows NT, Windows 2000, Windows XP, or Windows Server 2003.

<37> Section 2.4.2.4: The AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY SID is not supported in Windows 7 and earlier client releases or Windows Server 2008 R2 and earlier server releases.

<38> Section 2.4.2.4: Only Kerberos KDCs provide this SID, which is not supported in Windows Server 2008 R2 and earlier server releases.

<39> Section 2.4.2.4: The SERVICE_ASSERTED_IDENTITY SID is not supported in Windows 7 and earlier client releases or Windows Server 2008 R2 and earlier server releases.

<40> Section 2.4.2.4: Only Kerberos KDCs provide this SID for protocol transition (S4U2Self) based service tickets, which are not supported in Windows Server 2008 R2 and earlier server releases.

<41> Section 2.4.2.4: Only Kerberos KDCs provide this SID for tickets based on [IETFDRAFT-PK-FRESH]. FRESH_PUBLIC_KEY_IDENTITY is not supported in Windows Server 2012 R2 and earlier server releases.

<42> Section 2.4.2.4: Only Kerberos KDCs provide this SID when key trust attributes are used for validation. KEY_TRUST_ IDENTITY is not supported in Windows Server 2012 R2 and earlier server releases.

<43> Section 2.4.2.4: Only Kerberos KDCs provide this SID when key trust attributes for MFA is true. KEY_PROPERTY_MFA is not supported in Windows Server 2012 R2 and earlier server releases.

<44> Section 2.4.2.4: Only Kerberos KDCs provide this SID when key trust attributes for attestation is true. KEY_PROPERTY_ATTESTATION is not supported in Windows Server 2012 R2 and earlier server releases.

<45> Section 2.4.4.1: Windows NT 4.0 operating system: Not supported.

<46> Section 2.4.4.1: Windows NT 4.0: Not supported.

<47> Section 2.4.4.1: Windows NT 4.0: Not supported.

<48> Section 2.4.4.1: Windows NT 4.0 and Windows 2000: Not supported.

<49> Section 2.4.4.1: Windows NT 4.0 and Windows 2000: Not supported.

<50> Section 2.4.4.1: Windows NT 4.0 and Windows 2000: Not supported.

<51> Section 2.4.4.1: Windows NT 4.0 and Windows 2000: Not supported.

<52> Section 2.4.4.1: Windows NT 4.0 and Windows 2000: Not supported.

<53> Section 2.4.4.1: Callback in this context relates to the local-only AuthzAccessCheck function, as described in [MSDN-AuthzAccessCheck].

<54> Section 2.4.4.1: Windows NT 4.0: Not supported.

<55> Section 2.4.4.13: This construct is not supported by Windows NT, Windows 2000, Windows XP, or Windows Server 2003.

<56> Section 2.4.4.17: Conditional ACEs are not supported in Windows Vista and earlier client releases or Windows Server 2008 and earlier server releases.

<57> Section 2.4.4.17.6: The Device_Member_of token is not supported in Windows 7 and earlier client releases or Windows Server 2008 R2 and earlier server releases.

<58> Section 2.4.4.17.6: The Member_of_Any token is not supported in Windows 7 and earlier client releases or Windows Server 2008 R2 and earlier server releases.

<59> Section 2.4.4.17.6: The Device_Member_of_Any token is not supported in Windows 7 and earlier client releases or Windows Server 2008 R2 and earlier server releases.

<60> Section 2.4.4.17.6: The Not_Member_of token is not supported in Windows 7 and earlier client releases or Windows Server 2008 R2 and earlier server releases.

<61> Section 2.4.4.17.6: The Not_Device_Member_of token is not supported in Windows 7 and earlier client releases or Windows Server 2008 R2 and earlier server releases.

<62> Section 2.4.4.17.6: The Not_Member_of_Any token is not supported in Windows 7 and earlier client releases or Windows Server 2008 R2 and earlier server releases.

<63> Section 2.4.4.17.6: The Not_Device_Member_of_Any token is not supported in Windows 7 and earlier client releases or Windows Server 2008 R2 and earlier server releases.

<64> Section 2.4.4.17.6: The @Prefixed form is not supported in Windows 7 and earlier client releases or Windows Server 2008 R2 and earlier server releases.

<65> Section 2.4.4.17.6: Windows implementations do not set this flag by default.

<66> Section 2.4.4.17.6: For Windows 7 and Windows Server 2008 R2, the LHS is an attribute name in simple form and RHS is a single literal value. Evaluates to TRUE if the set of values for the specified LHS includes a value identical to the specified literal; otherwise, FALSE.

<67> Section 2.4.4.17.6: For Windows 7 and Windows Server 2008 R2, the RHS is either a list of literals or a single literal value. Evaluates to TRUE if the LHS is a superset of the value of the specified RHS; otherwise, FALSE.

<68> Section 2.4.4.17.6: The Not_Contains token is not supported in Windows 7 and earlier client releases or Windows Server 2008 R2 and earlier server releases.

<69> Section 2.4.4.17.6: The Not_Any_of token is not supported in Windows 7 and earlier client releases or Windows Server 2008 R2 and earlier server releases.

<70> Section 2.4.4.17.7: The Not_Exists token is not supported in Windows 7 and earlier client releases or Windows Server 2008 R2 and earlier server releases.

<71> Section 2.4.5: Not supported in Windows NT, Windows 2000, Windows XP, or Windows Server 2003.

<72> Section 2.4.6: Windows typically presents the target fields in this order: Sacl, Dacl, OwnerSid, GroupSid.

<73> Section 2.4.6: Windows sets Sbz1 to zero for Windows resources.

<74> Section 2.4.6: This field is intended only for use by the POSIX subsystem and is otherwise ignored by the Windows access control components.

<75> Section 2.4.10.1: These values are not supported in Windows 7 and earlier client releases or Windows Server 2008 R2 and earlier server releases.

<76> Section 2.4.10.1: These values are not supported in Windows 7 and earlier client releases or Windows Server 2008 R2 and earlier server releases.

<77> Section 2.4.10.1: This value is ignored by Windows when set on a security descriptor.

<78> Section 2.4.10.2: The CLAIM_SECURITY_ATTRIBUTE_OCTET_STRING_RELATIVE structure is not supported in Windows Vista and earlier client releases or Windows Server 2008 and earlier server releases.

<79> Section 2.5.1: SDDL was introduced in Windows 2000.

<80> Section 2.5.1.1: GUIDs are not supported on Windows 7 and earlier client releases or Windows Server 2008 R2 and earlier server releases.

<81> Section 2.5.1.1: For the domain built-in ADMINISTRATOR (S-1-5-21-<domain>-500), Windows passes the actual SID, not the "LA" token. Reporting tools might convert this back to a token when examining the SDDL.

<82> Section 2.5.1.1: Not all conditional ACE types are supported in the SDDL. The conditional ACE types ACCESS_ALLOWED_CALLBACK_ACE and ACCESS_DENIED_CALLBACK_ACE are not supported in Windows Vista and earlier client releases or Windows Server 2008 and earlier server releases. The conditional ACE types ACCESS_ALLOWED_CALLBACK_OBJECT_ACE and SYSTEM_AUDIT_CALLBACK_ACE are not supported in Windows 7 or Windows Server 2008 R2.

<83> Section 2.5.1.1: The central-policy-ace ACE is not supported in Windows 7 and earlier client releases or Windows Server 2008 R2 and earlier server releases.

<84> Section 2.5.1.1: The capid-value-sid ACE is not supported in Windows 7 and earlier client releases or Windows Server 2008 R2 and earlier server releases.

<85> Section 2.5.1.1: The resource-attribute-ace ACE is not supported in Windows 7 and earlier client releases or Windows Server 2008 R2 and earlier server releases.

<86> Section 2.5.1.1: The attribute-data ACE is not supported in Windows 7 and earlier client releases or Windows Server 2008 R2 and earlier server releases.

<87> Section 2.5.1.1: "Member_of", "Not_Member_of", "Member_of_Any", "Not_Member_of_Any", "Device_Member_of", "Device_Member_of_Any", "Not_Device_Member_of", and "Not_Device_Member_of_Any" are not supported in Windows Vista and earlier client releases or Windows Server 2008 and earlier server releases. Only "Member_of" is supported in Windows 7 and Windows Server 2008 R2.

<88> Section 2.5.1.1: The rel-op2 string is not supported in Windows 7 and earlier client releases or Windows Server 2008 R2 and earlier server releases.

<89> Section 2.5.1.1: Not_Contains is not supported in Windows 7 and earlier client releases or Windows Server 2008 R2 and earlier server releases.

<90> Section 2.5.1.1: Not_Any is not supported in Windows 7 and earlier client releases or Windows Server 2008 R2 and earlier server releases.

<91> Section 2.5.1.1: Use of the @ symbol in the simple form is not supported in Windows 7 and earlier client releases or Windows Server 2008 R2 and earlier server releases.

<92> Section 2.5.1.1: The rel-op2 string is not supported in Windows 7 and earlier client releases or Windows Server 2008 R2 and earlier server releases.

<93> Section 2.5.2: For all Windows versions except Windows XP and Windows Server 2003, the policy is that OwnerIndex is always the same as UserIndex, except for members of the local Administrators group, in which case the OwnerIndex is set to the index for the SID representing the Administrators group. For Windows XP and Windows Server 2003, there is a policy that allows the OwnerIndex to be the UserIndex under all conditions.

<94> Section 2.5.3.1.4: An implementation-specific local recovery policy is a central access policy that allows the implementation itself, and the authorities that manage it, access to the resource being protected in disaster recovery scenarios. The Windows local recovery policy ensures administrators and the system have access to resources while Windows is booted in safe mode.

<95> Section 2.5.3.3: The Windows integrity mechanism extension is not supported in Windows NT, Windows 2000, Windows XP, or Windows Server 2003.

<96> Section 2.5.3.4: Assigning the owner and group fields in the security descriptor uses the following logic:

  1. If the security descriptor that is supplied for the object by the caller includes an owner, it is assigned as the owner of the new object. Otherwise, if the DEFAULT_OWNER_FROM_PARENT flag (see section 2.5.3.4.1) is set, the new object is assigned the same owner as the parent object. If this flag is not set, the default owner specified by the token (see section 2.5.3.4.1) is assigned.

  2. If the security descriptor that is supplied for the object by the caller includes a group, it is assigned as the group of the new object. Otherwise, if the DEFAULT_GROUP_FROM_PARENT flag (see section 2.5.3.4.1) is set, the new object is assigned the same primary group as the parent object. If this flag is not set, the default group specified by the token (see section 2.5.3.4.1) is assigned.