how to decipher sddl for useful stuff

i was counting my lucky stars that i never had to give any thought to deciphering SDDL (security descriptor definition language). some people have written entire diatribes on the subject. for me, i just need a reference, hence this post. an sddl string is broken down into four parts, each introduced by a one-letter prefix and a colon:
  • O: - owner
  • G: - primary group
  • D: - dacl (discretionary acl, the permissions)
  • S: - sacl (system acl, the audit entries)
the string is easier to look at if you split it at those prefixes, since there are no spaces or visible terminators other than the colon. each entry in the dacl or sacl is an ace string in parentheses, broken down like this:
  • [ace_type];[ace_flags];[rights];[object_guid];[inherit_object_guid];[account_sid]
i created a file called text.txt in my c:\temp directory. in the GUI, it's expressed as this:
  • Administrators - Full Control
  • SYSTEM - Full Control
  • Users - Read & Execute
in sddl, it's expressed as:
O:BAG:DUD:ARAI(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x1200a9;;;BU)(A;ID;FA;;;BA)(A;ID;FA;;;SY)(A;ID;0x1200a9;;;BU)

from this, we know that the first segment is for the owner:
  • O:BA - builtin administrators
the second segment is for the primary group:
  • G:DU - domain users
the third segment is the dacl, including the dacl flags that precede the values in parentheses:
  • D:ARAI - two flags: AR (auto-inherit required, i.e. inheritable aces should be propagated to child objects) and AI (auto-inherited, i.e. this dacl already contains aces inherited from the parent). a P here would mean the dacl is protected and inheritance from the parent is blocked.
each value in parentheses is an ace string. the first one, (A;;FA;;;BA), is broken down like this:
  • A; - ace type: allow
  • ; - ace flags: none here. the last three aces carry ID, meaning they were inherited from the parent folder, c:\temp
  • FA; - rights: file all access (FILE_ALL_ACCESS, 0x1f01ff), which the GUI shows as Full Control
  • ; - object guid, empty for file aces
  • ; - inherit object guid, empty for file aces
  • BA - account sid: builtin administrators
the 0x1200a9 in the users' aces is FILE_GENERIC_READ (0x120089) OR'd with FILE_GENERIC_EXECUTE (0x1200a0), which is why the GUI shows it as Read & Execute. since that mask doesn't match a single rights alias, windows writes it out as a hex access mask instead.
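to make the reference above executable, here is a small sddl decoder that splits the O:/G:/D:/S: segments and the six-field ace strings the way the breakdown describes, then maps the example back to the gui labels. this is an added example written for this post, not code from microsoft or from any tool; the alias tables are a subset of the documented sddl aliases (enough for the string above plus a few common ones), the Full Control / Read & Execute mapping is a convenience for file objects only, and conditional aces (seven fields) are deliberately rejected rather than guessed at.

```python
import re

# sid aliases: the ones in this post plus a few common ones (subset of the documented sddl aliases)
SID_ALIASES = {
    "BA": "BUILTIN\\Administrators",
    "BU": "BUILTIN\\Users",
    "SY": "NT AUTHORITY\\SYSTEM",
    "AU": "NT AUTHORITY\\Authenticated Users",
    "WD": "Everyone",
    "DU": "Domain Users",
    "DA": "Domain Admins",
}

ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "AU": "SYSTEM_AUDIT",
             "OA": "ACCESS_ALLOWED_OBJECT", "OD": "ACCESS_DENIED_OBJECT"}

ACE_FLAGS = {"CI": "CONTAINER_INHERIT", "OI": "OBJECT_INHERIT", "NP": "NO_PROPAGATE_INHERIT",
             "IO": "INHERIT_ONLY", "ID": "INHERITED", "SA": "SUCCESSFUL_ACCESS", "FA": "FAILED_ACCESS"}

ACL_FLAGS = {"P": "PROTECTED", "AR": "AUTO_INHERIT_REQ", "AI": "AUTO_INHERITED"}

# rights aliases -> access mask bits (generic, standard and file-specific)
RIGHTS_ALIASES = {
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
}
FILE_ALL_ACCESS = RIGHTS_ALIASES["FA"]
FILE_READ_EXECUTE = RIGHTS_ALIASES["FR"] | RIGHTS_ALIASES["FX"]  # 0x1200a9, the mask in the post


def _pairs(s):
    """split a run of two-letter aliases ("OICI" -> ["OI", "CI"])"""
    if len(s) % 2:
        raise ValueError(f"odd-length alias run: {s!r}")
    return [s[i:i + 2] for i in range(0, len(s), 2)]


def parse_rights(field):
    """rights are either a hex access mask or a run of two-letter aliases"""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for alias in _pairs(field):
        mask |= RIGHTS_ALIASES[alias]
    return mask


def resolve_sid(field):
    """literal S-1-... sids are returned as-is; aliases are mapped where known"""
    return field if field.startswith("S-") else SID_ALIASES.get(field, field)


def parse_ace(body):
    """decode one ace string: type;flags;rights;object_guid;inherit_object_guid;sid"""
    fields = body.split(";")
    if len(fields) != 6:
        raise ValueError(f"unsupported ace (expected 6 fields): ({body})")
    ace_type, flags, rights, obj_guid, inh_guid, sid = fields
    return {
        "type": ACE_TYPES.get(ace_type, ace_type),
        "flags": [ACE_FLAGS.get(f, f) for f in _pairs(flags)],
        "rights": parse_rights(rights),
        "object_guid": obj_guid,
        "inherit_object_guid": inh_guid,
        "trustee": resolve_sid(sid),
    }


def parse_acl(segment):
    """an acl segment is optional flags (P, AR, AI) followed by zero or more (ace) groups"""
    head, _, _ = segment.partition("(")
    flags = [ACL_FLAGS[f] for f in re.findall(r"AR|AI|P", head)]
    aces = [parse_ace(b) for b in re.findall(r"\(([^)]*)\)", segment)]
    return {"flags": flags, "aces": aces}


def decode_sddl(sddl):
    """split on the O:, G:, D:, S: prefixes; nothing else in an sddl string carries a colon"""
    marks = list(re.finditer(r"([OGDS]):", sddl))
    out = {"owner": None, "group": None, "dacl": None, "sacl": None}
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(sddl)
        body = sddl[m.end():end]
        key = m.group(1)
        if key == "O":
            out["owner"] = resolve_sid(body)
        elif key == "G":
            out["group"] = resolve_sid(body)
        else:
            out["dacl" if key == "D" else "sacl"] = parse_acl(body)
    return out


def describe_rights(mask):
    """map the file masks seen in the post back to their gui labels, else print hex"""
    if mask == FILE_ALL_ACCESS:
        return "Full Control"
    if mask == FILE_READ_EXECUTE:
        return "Read & Execute"
    return f"0x{mask:x}"


def summarize(sddl):
    """one line per dacl ace, the way the gui shows it, with explicit vs inherited marked"""
    d = decode_sddl(sddl)
    lines = []
    for ace in d["dacl"]["aces"]:
        origin = "inherited" if "INHERITED" in ace["flags"] else "explicit"
        lines.append(f"{ace['trustee']} - {describe_rights(ace['rights'])} ({ace['type']}, {origin})")
    return lines


# the string from the post (text.txt in c:\temp)
EXAMPLE = ("O:BAG:DUD:ARAI(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x1200a9;;;BU)"
           "(A;ID;FA;;;BA)(A;ID;FA;;;SY)(A;ID;0x1200a9;;;BU)")

if __name__ == "__main__":
    print(decode_sddl(EXAMPLE))
    for line in summarize(EXAMPLE):
        print(line)
```

on a real box you would feed it `(Get-Acl C:\temp\text.txt).Sddl` from powershell; the decoder is deliberately strict (unknown ace shapes raise instead of being silently skipped) because a "reference" that drops aces is worse than none when you are reviewing permissions.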
