Blog Post

Ask the Directory Services Team
6 MIN READ

The Security Descriptor Definition Language of Love (Part 2)

NedPyle's avatar
NedPyle
Icon for Microsoft rankMicrosoft
Apr 04, 2019
First published on TechNet on May 07, 2008

Hi. Jim here from DS here with a follow up to my SDDL blog part I. At the end of my last post I promised to dissect further the SDDL output returned by running the CACLS with the /S switch on tools share as follows:



Here is the output exported to a .txt file:


"D:AI(D;OICI;FA;;;BG)(A;;FA;;;BA)(A;OICIID;FA;;;BA)(A;OICIID;FA;;;SY)(A;OICIIOID;GA;;;CO)(A;OICIID;0x1200a9;;;BU)(A;CIID;LC;;;BU)(A;CIID;DC;;;BU)"


Let’s examine the first segment more closely: "D:AI(D;OICI;FA;;;BG)(A;;FA;;;BA)



Now the second ACE segment: (A;:FA;;;BA)




You get the picture. There is a chart provided at the end which contains all the acronyms in addition to the ones illustrated in this output.


At this point you may be asking why there are there two different ACE entries for Built-in Administrators. The first ACE indicates the ACE applied directly to the object (In this case TOOLS for the BA’s). The second ACE indicates the ACE’s for this object that flow down from TOOLS via inheritance.


This is illustrated in the Permissions tab of Advanced Security Settings for the TOOLS share:



Now you may well be wondering “Jim, how can I use this SDDL wonderment to make my administrative tasks less tedious?"


Well here is an example on how you can do just that.


Scenario: Its Friday at 3pm. You have to deploy 10 printers to the call center. Every single printer should have the exact same security settings for access (oversimplified yes, but you get the point). You need to get this done expediently so as not to miss happy hour. All the printers are IP’d and are installed on your print server. You have applied the necessary security on one printer as follows:



Using the SETPRINTER utility you can view the security applied in SDDL format as follows:



Here is the command as well as the output:


C:\>setprinter -show \\2003dom-member\printer1 3


pSecurityDescriptor="O:BAG:DUD:(A;;LCSWSDRCWDWO;;;BA)(A;OIIO;RPWPSDRCWDWO;;;BA)(A;;SWRC;;;S-1-5-21-329599412-2737779004-1408050790-2604)(A;CIIO;RC;;;CO)(A;OIIO;RPWPSDRCWDWO;;;CO)(A;CIIO;RC;;;S-1-5-21-329599412-2737779004-1408050790-2605)(A;OIIO;RPWPSDRCWDWO;;;S-1-5-21-329599412-2737779004-1408050790-2605)(A;;SWRC;;;S-1-5-21-329599412-2737779004-1408050790-2605)(A;;LCSWSDRCWDWO;;;PU)(A;OIIO;RPWPSDRCWDWO;;;PU)"


Now create yourself a .CMD file containing the following parameters remembering of course to substitute your Print server name and your printer names where indicated. Also be sure NOT to wrap your SDDL parameters as below. This is done here purely for readability. The entire command should be on one line :



setprinter \\”Print_Server_Name”\printer1 3 pSecurityDescriptor="O:BAG:DUD:(A;;LCSWSDRCWDWO;;;BA)(A;OIIO;RPWPSDRCWDWO;;;BA)(A;;SWRC;;;S-1-5-21-329599412-2737779004-1408050790-2604)(A;CIIO;RC;;;CO)(A;OIIO;RPWPSDRCWDWO;;;CO)(A;CIIO;RC;;;S-1-5-21-329599412-2737779004-1408050790-2605)(A;OIIO;RPWPSDRCWDWO;;;S-1-5-21-329599412-2737779004-1408050790-2605)(A;;SWRC;;;S-1-5-21-329599412-2737779004-1408050790-2605)(A;;LCSWSDRCWDWO;;;PU)(A;OIIO;RPWPSDRCWDWO;;;PU)"

setprinter \\”Print_Server_Name”\printer2 3 pSecurityDescriptor="O:BAG:DUD:(A;;LCSWSDRCWDWO;;;BA)(A;OIIO;RPWPSDRCWDWO;;;BA)(A;;SWRC;;;S-1-5-21-329599412-2737779004-1408050790-2604)(A;CIIO;RC;;;CO)(A;OIIO;RPWPSDRCWDWO;;;CO)(A;CIIO;RC;;;S-1-5-21-329599412-2737779004-1408050790-2605)(A;OIIO;RPWPSDRCWDWO;;;S-1-5-21-329599412-2737779004-1408050790-2605)(A;;SWRC;;;S-1-5-21-329599412-2737779004-1408050790-2605)(A;;LCSWSDRCWDWO;;;PU)(A;OIIO;RPWPSDRCWDWO;;;PU)"

setprinter \\”Print_Server_Name”\printer3 3 pSecurityDescriptor="O:BAG:DUD:(A;;LCSWSDRCWDWO;;;BA)(A;OIIO;RPWPSDRCWDWO;;;BA)(A;;SWRC;;;S-1-5-21-329599412-2737779004-1408050790-2604)(A;CIIO;RC;;;CO)(A;OIIO;RPWPSDRCWDWO;;;CO)(A;CIIO;RC;;;S-1-5-21-329599412-2737779004-1408050790-2605)(A;OIIO;RPWPSDRCWDWO;;;S-1-5-21-329599412-2737779004-1408050790-2605)(A;;SWRC;;;S-1-5-21-329599412-2737779004-1408050790-2605)(A;;LCSWSDRCWDWO;;;PU)(A;OIIO;RPWPSDRCWDWO;;;PU)"

end

exit












You may add as many similarly configured printers as you like.


Included below are charts for the acronyms of the SDDL taken directly from MSDN2. These can also be viewed here:


http://msdn2.microsoft.com/en-us/library/aa374928.aspx


ACE Type


The ACE type designates whether the trustee is allowed, denied or audited.



Value



Description



"A"



ACCESS ALLOWED



"D"



ACCESS DENIED



"OA"



OBJECT ACCESS ALLOWED: ONLY APPLIES TO A SUBSET OF THE OBJECT(S).



"OD"



OBJECT ACCESS DENIED: ONLY APPLIES TO A SUBSET OF THE OBJECT(S).



"AU"



SYSTEM AUDIT



"A"



SYSTEM ALARM



"OU"



OBJECT SYSTEM AUDIT



"OL"



OBJECT SYSTEM ALARM



INHERITANCE Flags


"P SDDL_PROTECTED Inheritance from containers that are higher in the folder hierarchy are blocked.
"AI" SDDL_AUTO_INHERITED Inheritance is allowed, assuming that "P" Is not also set.
"AR" SDDL_AUTO_INHERIT_REQ Child objects inherit permissions from this object.

ACE Flags The ACE flags denote the inheritance options for the ACE, and if it is a SACL, the audit settings.


Value



Description



"CI"



CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit ACE.



"OI"



OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE.



"NP"



NO PROPAGATE: ONLY IMMEDIATE CHILDREN INHERIT THIS ACE.



"IO"



INHERITANCE ONLY: ACE DOESN'T APPLY TO THIS OBJECT, BUT MAY AFFECT CHILDREN VIA INHERITANCE.



"ID"



ACE IS INHERITED



"SA"



SUCCESSFUL ACCESS AUDIT



"FA"



FAILED ACCESS AUDIT



Permissions

The Permissions are a list of the incremental permissions given (or denied/audited) to the trustee-these correspond to the permissions discussed earlier and are simply appended together. However, the incremental permissions are not the only permissions available. The table below lists all the permissions.


Value



Description



Generic access rights



"GA"



GENERIC ALL



"GR"



GENERIC READ



"GW"



GENERIC WRITE



"GX"



GENERIC EXECUTE



Directory service access rights



"RC"



Read Permissions



"SD"



Delete



"WD"



Modify Permissions



"WO"



Modify Owner



"RP"



Read All Properties



"WP"



Write All Properties



"CC"



Create All Child Objects



"DC"



Delete All Child Objects



"LC"



List Contents



"SW"



All Validated Writes



"LO"



List Object



"DT"



Delete Subtree



"CR"



All Extended Rights



File access rights



"FA"



FILE ALL ACCESS



"FR"



FILE GENERIC READ



"FW"



FILE GENERIC WRITE



"FX"



FILE GENERIC EXECUTE



Registry key access rights



"KA"



KEY ALL ACCESS



"K"



KEY READ



"KW"



KEY WRITE



"KX"



KEY EXECUTE



Object Type and Inherited Object Type
Trustee
The Trustee is the SID of the user or group being given access (or denied or audited). Instead of a SID, there are several commonly used acronyms for well-known SIDs. These are listed in the table below:


Value



Description



"AO"



Account operators



"RU"



Alias to allow previous Windows 2000



"AN"



Anonymous logon



"AU"



Authenticated users



"BA"



Built-in administrators



"BG"



Built-in guests



"BO"



Backup operators



"BU"



Built-in users



"CA"



Certificate server administrators



"CG"



Creator group



"CO"



Creator owner



"DA"



Domain administrators



"DC"



Domain computers



"DD"



Domain controllers



"DG"



Domain guests



"DU"



Domain users



"EA"



Enterprise administrators



"ED"



Enterprise domain controllers



"WD"



Everyone



"PA"



Group Policy administrators



"IU"



Interactively logged-on user



"LA"



Local administrator



"LG"



Local guest



"LS"



Local service account



"SY"



Local system



"NU"



Network logon user



"NO"



Network configuration operators



"NS"



Network service account



"PO"



Printer operators



"PS"



Personal self



"PU"



Power users



"RS"



RAS servers group



"RD"



Terminal server users



"RE"



Replicator



"RC"



Restricted code



"SA"



Schema administrators



"SO"



Server operators



"SU"



Service logon user



I hope you have found this entertaining and informative!


-          Jim Tierney



The ObjectType is a GUID that Identifies a type of child object, a property or property set or an extended right.  If present it limits the ACE to the object the GUID represents.  For a more verbose explanation of this please visit the following link -

http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distrib/dsce_ctl_iunu.mspx?mfr=true

Inherited Object Type contains a GUID that identifies the type of child object that can inherit the ACE. Inheritance is also controlled by the ACE's Inheritance Flags and by any protection against inheritance placed on the child object in its Security Descriptor Control Flags.






Updated Apr 04, 2019
Version 2.0