O R G A N I C / F E R T I L I Z E R: how to decipher sddl for useful stuff

Dec 30, 2005

how to decipher sddl for useful stuff

i was counting my lucky stars that i never had to give any thought to deciphering SDDLs (security descriptor definition language). some people have written entire diatribes on the subject. for me, i just need a reference. hence, my posting... sddl is broken down into four parts:
sddl string is easier to look at like this since there are no spaces or visible terminators other than the colon:
it's important to note the format of the ace string is broken down like this:
  • [ace_type];[ace_flags];[rights];[object_guid];[inherit_object_guid];[account_sid]
i created a file called text.txt in my c:\temp directory. in the GUI, it's expressed as this:
  • Administrators - Full Control
  • SYSTEM - Full Control
  • Users - Read & Execute
in sddl, it's expressed as:
O:BAG:DUD:ARAI(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x1200a9;;;BU)(A;ID;FA;;;BA)(A;ID;FA;;;SY)(A;ID;0x1200a9;;;BU)

from this, we know that the first segment is for owner:
  • O:BA - builtin administrators
the second segment is for primary group:
  • G:DU - domain users
the third segment is the dacl, including the dacl flag that precedes the value in parenthesis:
  • D:ARAI - basically inheritance
the value in parenthesis is the ace string. it's broken down like this:
  • A; - allow type
  • ; - ace flag
  • FA; - file access all
  • ; - object guid
  • ; - inherit object guid
  • BA - builtin administrators