What is the format of the Security Descriptor Definition Language (SDDL)?

Overview of SDDL (security descriptor definition language)

A security descriptor written in SDDL has up to four components, in this order:

O:ooG:ggD:dd(ACE1)(ACE2)(ACE3)S:ss

where

O:oo => oo is the owner (a SID, or one of the two-letter SID aliases listed below)
G:gg => gg is the primary group
D:dd => dd holds the flags of the DACL (discretionary ACL); the (ACE1)(ACE2)... that follow are the DACL's ACEs
S:ss => ss holds the flags of the SACL (system ACL, which carries the audit entries); it is followed by the SACL's own ACEs in the same (ACE) form

Example ACEs :-

A;;0x1;;;AU => A is for allowed access => 0x1 means bit 0 of the access mask is set => read allowed => AU means Authenticated Users
A;;0x2;;;AU => A is for allowed access => 0x2 means bit 1 of the access mask is set => write allowed => AU means Authenticated Users
A;;0x4;;;AU => A is for allowed access => 0x4 means bit 2 of the access mask is set => clear allowed => AU means Authenticated Users

Note that the meaning of a numeric mask bit depends on the type of object the descriptor protects. The read/write/clear reading above is the one used for event log access (0x1 read, 0x2 write, 0x4 clear); on a file the same low bits are FILE_READ_DATA, FILE_WRITE_DATA and FILE_APPEND_DATA. The two-letter right mnemonics in the tables below are unambiguous because they expand to fixed masks.

ACE FORMAT :-

ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid

ACE type

| ACE type string | Constant in Sddl.h | AceType value |
|---|---|---|
| "A" | SDDL_ACCESS_ALLOWED | ACCESS_ALLOWED_ACE_TYPE |
| "D" | SDDL_ACCESS_DENIED | ACCESS_DENIED_ACE_TYPE |
| "OA" | SDDL_OBJECT_ACCESS_ALLOWED | ACCESS_ALLOWED_OBJECT_ACE_TYPE |
| "OD" | SDDL_OBJECT_ACCESS_DENIED | ACCESS_DENIED_OBJECT_ACE_TYPE |
| "AU" | SDDL_AUDIT | SYSTEM_AUDIT_ACE_TYPE |
| "AL" | SDDL_ALARM | SYSTEM_ALARM_ACE_TYPE |
| "OU" | SDDL_OBJECT_AUDIT | SYSTEM_AUDIT_OBJECT_ACE_TYPE |
| "OL" | SDDL_OBJECT_ALARM | SYSTEM_ALARM_OBJECT_ACE_TYPE |

ACE flags

| ACE flags string | Constant in Sddl.h | AceFlag value |
|---|---|---|
| "CI" | SDDL_CONTAINER_INHERIT | CONTAINER_INHERIT_ACE |
| "OI" | SDDL_OBJECT_INHERIT | OBJECT_INHERIT_ACE |
| "NP" | SDDL_NO_PROPAGATE | NO_PROPAGATE_INHERIT_ACE |
| "IO" | SDDL_INHERIT_ONLY | INHERIT_ONLY_ACE |
| "ID" | SDDL_INHERITED | INHERITED_ACE |
| "SA" | SDDL_AUDIT_SUCCESS | SUCCESSFUL_ACCESS_ACE_FLAG |
| "FA" | SDDL_AUDIT_FAILURE | FAILED_ACCESS_ACE_FLAG |

Access rights

| Access rights string | Constant in Sddl.h | Access right value |
|---|---|---|
| Generic access rights | | |
| "GA" | SDDL_GENERIC_ALL | GENERIC_ALL |
| "GR" | SDDL_GENERIC_READ | GENERIC_READ |
| "GW" | SDDL_GENERIC_WRITE | GENERIC_WRITE |
| "GX" | SDDL_GENERIC_EXECUTE | GENERIC_EXECUTE |
| Standard access rights | | |
| "RC" | SDDL_READ_CONTROL | READ_CONTROL |
| "SD" | SDDL_STANDARD_DELETE | DELETE |
| "WD" | SDDL_WRITE_DAC | WRITE_DAC |
| "WO" | SDDL_WRITE_OWNER | WRITE_OWNER |
| Directory service object access rights | | |
| "RP" | SDDL_READ_PROPERTY | ADS_RIGHT_DS_READ_PROP |
| "WP" | SDDL_WRITE_PROPERTY | ADS_RIGHT_DS_WRITE_PROP |
| "CC" | SDDL_CREATE_CHILD | ADS_RIGHT_DS_CREATE_CHILD |
| "DC" | SDDL_DELETE_CHILD | ADS_RIGHT_DS_DELETE_CHILD |
| "LC" | SDDL_LIST_CHILDREN | ADS_RIGHT_DS_LIST |
| "SW" | SDDL_SELF_WRITE | ADS_RIGHT_DS_SELF |
| "LO" | SDDL_LIST_OBJECT | ADS_RIGHT_DS_LIST_OBJECT |
| "DT" | SDDL_DELETE_TREE | ADS_RIGHT_DS_DELETE_TREE |
| "CR" | SDDL_CONTROL_ACCESS | ADS_RIGHT_DS_CONTROL_ACCESS |
| File access rights | | |
| "FA" | SDDL_FILE_ALL | FILE_ALL_ACCESS |
| "FR" | SDDL_FILE_READ | FILE_GENERIC_READ |
| "FW" | SDDL_FILE_WRITE | FILE_GENERIC_WRITE |
| "FX" | SDDL_FILE_EXECUTE | FILE_GENERIC_EXECUTE |
| Registry key access rights | | |
| "KA" | SDDL_KEY_ALL | KEY_ALL_ACCESS |
| "KR" | SDDL_KEY_READ | KEY_READ |
| "KW" | SDDL_KEY_WRITE | KEY_WRITE |
| "KX" | SDDL_KEY_EXECUTE | KEY_EXECUTE |

SID strings

| SID string | Constant in Sddl.h | Account alias and corresponding RID |
|---|---|---|
| "AO" | SDDL_ACCOUNT_OPERATORS | Account operators. The corresponding RID is DOMAIN_ALIAS_RID_ACCOUNT_OPS. |
| "RU" | SDDL_ALIAS_PREW2KCOMPACC | Alias to grant permissions to accounts that use applications compatible with Windows NT 4.0 operating systems. The corresponding RID is DOMAIN_ALIAS_RID_PREW2KCOMPACCESS. |
| "AN" | SDDL_ANONYMOUS | Anonymous logon. The corresponding RID is SECURITY_ANONYMOUS_LOGON_RID. |
| "AU" | SDDL_AUTHENTICATED_USERS | Authenticated users. The corresponding RID is SECURITY_AUTHENTICATED_USER_RID. |
| "BA" | SDDL_BUILTIN_ADMINISTRATORS | Built-in administrators. The corresponding RID is DOMAIN_ALIAS_RID_ADMINS. |
| "BG" | SDDL_BUILTIN_GUESTS | Built-in guests. The corresponding RID is DOMAIN_ALIAS_RID_GUESTS. |
| "BO" | SDDL_BACKUP_OPERATORS | Backup operators. The corresponding RID is DOMAIN_ALIAS_RID_BACKUP_OPS. |
| "BU" | SDDL_BUILTIN_USERS | Built-in users. The corresponding RID is DOMAIN_ALIAS_RID_USERS. |
| "CA" | SDDL_CERT_SERV_ADMINISTRATORS | Certificate publishers. The corresponding RID is DOMAIN_GROUP_RID_CERT_ADMINS. |
| "CG" | SDDL_CREATOR_GROUP | Creator group. The corresponding RID is SECURITY_CREATOR_GROUP_RID. |
| "CO" | SDDL_CREATOR_OWNER | Creator owner. The corresponding RID is SECURITY_CREATOR_OWNER_RID. |
| "DA" | SDDL_DOMAIN_ADMINISTRATORS | Domain administrators. The corresponding RID is DOMAIN_GROUP_RID_ADMINS. |
| "DC" | SDDL_DOMAIN_COMPUTERS | Domain computers. The corresponding RID is DOMAIN_GROUP_RID_COMPUTERS. |
| "DD" | SDDL_DOMAIN_DOMAIN_CONTROLLERS | Domain controllers. The corresponding RID is DOMAIN_GROUP_RID_CONTROLLERS. |
| "DG" | SDDL_DOMAIN_GUESTS | Domain guests. The corresponding RID is DOMAIN_GROUP_RID_GUESTS. |
| "DU" | SDDL_DOMAIN_USERS | Domain users. The corresponding RID is DOMAIN_GROUP_RID_USERS. |
| "EA" | SDDL_ENTERPRISE_ADMINS | Enterprise administrators. The corresponding RID is DOMAIN_GROUP_RID_ENTERPRISE_ADMINS. |
| "ED" | SDDL_ENTERPRISE_DOMAIN_CONTROLLERS | Enterprise domain controllers. The corresponding RID is SECURITY_SERVER_LOGON_RID. |
| "WD" | SDDL_EVERYONE | Everyone. The corresponding RID is SECURITY_WORLD_RID. |
| "PA" | SDDL_GROUP_POLICY_ADMINS | Group Policy administrators. The corresponding RID is DOMAIN_GROUP_RID_POLICY_ADMINS. |
| "IU" | SDDL_INTERACTIVE | Interactively logged-on user. This is a group identifier added to the token of a process when it was logged on interactively. The corresponding logon type is LOGON32_LOGON_INTERACTIVE. The corresponding RID is SECURITY_INTERACTIVE_RID. |
| "LA" | SDDL_LOCAL_ADMIN | Local administrator. The corresponding RID is DOMAIN_USER_RID_ADMIN. |
| "LG" | SDDL_LOCAL_GUEST | Local guest. The corresponding RID is DOMAIN_USER_RID_GUEST. |
| "LS" | SDDL_LOCAL_SERVICE | Local service account. The corresponding RID is SECURITY_LOCAL_SERVICE_RID. |
| "SY" | SDDL_LOCAL_SYSTEM | Local system. The corresponding RID is SECURITY_LOCAL_SYSTEM_RID. |
| "NU" | SDDL_NETWORK | Network logon user. This is a group identifier added to the token of a process when it was logged on across a network. The corresponding logon type is LOGON32_LOGON_NETWORK. The corresponding RID is SECURITY_NETWORK_RID. |
| "NO" | SDDL_NETWORK_CONFIGURATION_OPS | Network configuration operators. The corresponding RID is DOMAIN_ALIAS_RID_NETWORK_CONFIGURATION_OPS. |
| "NS" | SDDL_NETWORK_SERVICE | Network service account. The corresponding RID is SECURITY_NETWORK_SERVICE_RID. |
| "PO" | SDDL_PRINTER_OPERATORS | Printer operators. The corresponding RID is DOMAIN_ALIAS_RID_PRINT_OPS. |
| "PS" | SDDL_PERSONAL_SELF | Principal self. The corresponding RID is SECURITY_PRINCIPAL_SELF_RID. |
| "PU" | SDDL_POWER_USERS | Power users. The corresponding RID is DOMAIN_ALIAS_RID_POWER_USERS. |
| "RS" | SDDL_RAS_SERVERS | RAS servers group. The corresponding RID is DOMAIN_ALIAS_RID_RAS_SERVERS. |
| "RD" | SDDL_REMOTE_DESKTOP | Terminal server users. The corresponding RID is DOMAIN_ALIAS_RID_REMOTE_DESKTOP_USERS. |
| "RE" | SDDL_REPLICATOR | Replicator. The corresponding RID is DOMAIN_ALIAS_RID_REPLICATOR. |
| "RC" | SDDL_RESTRICTED_CODE | Restricted code. This is a restricted token created using the CreateRestrictedToken function. The corresponding RID is SECURITY_RESTRICTED_CODE_RID. |
| "SA" | SDDL_SCHEMA_ADMINISTRATORS | Schema administrators. The corresponding RID is DOMAIN_GROUP_RID_SCHEMA_ADMINS. |
| "SO" | SDDL_SERVER_OPERATORS | Server operators. The corresponding RID is DOMAIN_ALIAS_RID_SYSTEM_OPS. |
| "SU" | SDDL_SERVICE | Service logon user. This is a group identifier added to the token of a process when it was logged on as a service. The corresponding logon type is LOGON32_LOGON_SERVICE. The corresponding RID is SECURITY_SERVICE_RID. |

Note that several two-letter strings occur in more than one table ("AU", "DC", "FA", "RC", "SA", "WD"). They are not ambiguous in practice, because each field of an ACE is read against its own table: the first field is always an ACE type, the second always ACE flags, the third always rights, and the last always a SID.
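As an added example (not part of the original article or of any Microsoft library), a small Python parser that splits an SDDL string into the four components above, decodes each ACE field against the mnemonic tables, and runs a simple review check for allowed entries that give Everyone, Anonymous, Authenticated Users or Users write-class access. Assumptions: the mnemonic-to-mask values are the winnt.h constants the right strings expand to, the SID table is a subset, and the sample SDDL string is constructed for the example.

```python
import re, functools, operator

# Mnemonic tables transcribed from the article (a subset that covers the sample below).
ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "AU": "SYSTEM_AUDIT", "AL": "SYSTEM_ALARM",
             "OA": "OBJECT_ACCESS_ALLOWED", "OD": "OBJECT_ACCESS_DENIED"}
ACE_FLAGS = {"CI": "CONTAINER_INHERIT", "OI": "OBJECT_INHERIT", "NP": "NO_PROPAGATE", "IO": "INHERIT_ONLY",
             "ID": "INHERITED", "SA": "AUDIT_SUCCESS", "FA": "AUDIT_FAILURE"}
# Rights mnemonics and the winnt.h access-mask values they expand to.
RIGHTS = {"GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
          "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
          "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
          "KA": 0x000F003F, "KR": 0x00020019, "KW": 0x00020006, "KX": 0x00020019}
SIDS = {"AU": "Authenticated Users", "BA": "Administrators", "BU": "Users", "SY": "SYSTEM",
        "WD": "Everyone", "AN": "Anonymous", "CO": "Creator Owner", "LS": "Local Service"}
BROAD = {"WD", "AN", "AU", "BU"}          # trustees that effectively mean "anyone"
# GENERIC_ALL/WRITE, WRITE_DAC, WRITE_OWNER, plus the object-specific 0x2/0x4 (write/clear) bits
WRITE_MASK = RIGHTS["GA"] | RIGHTS["GW"] | RIGHTS["WD"] | RIGHTS["WO"] | 0x2 | 0x4

def rights_mask(rights):
    """Rights field: a hex mask ('0x1') or a run of two-letter mnemonics ('GRGW')."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    return functools.reduce(operator.or_, (RIGHTS[t] for t in re.findall("..", rights)), 0)

def parse_ace(ace):
    """ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid"""
    t, flags, rights, guid, iguid, sid = ace.split(";")      # exactly six fields, some empty
    return {"type": ACE_TYPES[t], "flags": [ACE_FLAGS[f] for f in re.findall("..", flags)],
            "mask": rights_mask(rights), "guids": (guid, iguid), "sid": sid, "trustee": SIDS.get(sid, sid)}

def parse_sddl(sddl):
    """Split O:ooG:ggD:dd(ACE)...S:ss(ACE)... into owner, group, DACL and SACL."""
    sd = {"owner": None, "group": None, "dacl_flags": "", "dacl": [], "sacl_flags": "", "sacl": []}
    for key, body in re.findall(r"([OGDS]):(.*?)(?=[OGDS]:|$)", sddl):   # ACE bodies never contain ':'
        if key in "OG":
            sd["owner" if key == "O" else "group"] = body
        else:                                  # ACL: flag letters first, then parenthesised ACEs
            acl = "dacl" if key == "D" else "sacl"
            sd[acl + "_flags"] = body.split("(", 1)[0]
            sd[acl] = [parse_ace(a) for a in re.findall(r"\(([^)]*)\)", body)]
    return sd

def broad_write_grants(sd):
    """Review check: allowed DACL entries that give an 'anyone' trustee write-class access."""
    return [a["trustee"] for a in sd["dacl"]
            if a["type"] == "ACCESS_ALLOWED" and a["sid"] in BROAD and a["mask"] & WRITE_MASK]

# Constructed sample: the article's 0x1/0x2 entries, SYSTEM full control, a loose file-write
# grant to Everyone, and a SACL that audits success and failure of all access by Everyone.
EXAMPLE = "O:BAG:SYD:(A;;0x1;;;AU)(A;;0x2;;;AU)(A;;GA;;;SY)(A;;FW;;;WD)S:(AU;SAFA;GA;;;WD)"
```

Running `broad_write_grants(parse_sddl(EXAMPLE))` returns `['Authenticated Users', 'Everyone']`: the read-only 0x1 entry is not reported, the 0x2 (write) entry and the FW grant are.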
[ © 2008-2021 myfaqbase.com - A property of WPDC Consulting ]