Is there a tool to generate SDDL (Security Descriptor Definition Language) strings? I'd like to create them through Windows' Security property sheet or something similar.
    2 Answers
19
One way is to set the ACL on a file (using the standard property sheet -- i.e. right click and choose Properties, then go to the Security tab), then use `CACLS filename /S` to display the resulting ACL in the SDDL format.
        Ilya
- This is a really good tip to construct SDDL if you don't want to go through the complex SDDL syntax to format it. I like it. :-) – Sitaram Pamarthi Jun 26 '12 at 12:22
- Will not work for custom (non in-built) user accounts. – Ajay Apr 28 '17 at 09:22
- @Ajay - Would it work for [AD-accounts and groups](https://en.wikipedia.org/wiki/Active_Directory) as well as built-in groups? For stable environments the identifiers of AD-entities should be known ahead of deployment? Most of the time you would permission based on groups and not user accounts? (users come and go, but groups remain stable). – Stein Åsmul Mar 30 '18 at 20:18
 
7
For those who want to get the SDDL string for registry key permissions, you can use PowerShell:

```powershell
Get-Acl -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion" | Format-List
```
        arminb
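
As an added example (not part of either answer), the PowerShell function below reads the SDDL string from an object whose ACL was set in the Security property sheet and lists every SID the string spells out in full instead of as a two-letter alias, which are the entries to check before reusing the string on another machine or domain. `Get-SddlReport` and the template path are hypothetical names chosen for illustration.

```powershell
# Added example, not from the original answers. Get-SddlReport is a hypothetical
# helper name; C:\Temp\acl-template.txt is a placeholder for a file whose ACL
# was set through the Security tab.
function Get-SddlReport {
    param(
        [Parameter(Mandatory)]
        [string] $Path    # file, folder or registry path such as HKLM:\SOFTWARE\...
    )

    # Same data the answers display: the Sddl property of the Get-Acl result.
    $sddl = (Get-Acl -Path $Path).Sddl

    # Well-known principals appear as two-letter aliases (BA, SY, AU, ...).
    # Anything written as a full S-1-... string has no alias.
    $fullSids = [regex]::Matches($sddl, 'S-1-[0-9]+(-[0-9]+)+') |
        ForEach-Object { $_.Value } | Sort-Object -Unique

    $principals = foreach ($sid in $fullSids) {
        try {
            $sidObject = [System.Security.Principal.SecurityIdentifier] $sid
            $name = $sidObject.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            # The SID cannot be mapped to an account name from this machine.
            $name = '<unresolved on this machine>'
        }
        [pscustomobject]@{
            Sid                     = $sid
            Account                 = $name
            # S-1-5-21-... SIDs are issued by one machine or one domain.
            MachineOrDomainSpecific = $sid -like 'S-1-5-21-*'
        }
    }

    [pscustomobject]@{
        Path       = $Path
        Sddl       = $sddl
        Principals = @($principals)
    }
}

$report = Get-SddlReport -Path 'C:\Temp\acl-template.txt'
$report.Sddl
$report.Principals | Format-Table -AutoSize
```

The same function accepts a registry path such as the `HKLM:\` key used in the answer above, because `Get-Acl` exposes the `Sddl` property for both providers.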