Security Descriptor Definition Language (SDDL) is used to describe the content of a security descriptor as a string.
A security descriptor returned by Get-Acl has a method that can convert the entire security descriptor to a string:
PS> (Get-Acl C:).GetSecurityDescriptorSddlForm('All')
O:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464G:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464D:PAI(A;;LC;;;AU)(A;OICIIO;SDGXGWGR;;;AU)(A;;FA;;;SY)(A;OICIIO;GA;;;SY)(A;OICIIO;GA;;;BA)(A;;FA;;;BA)(A;OICI;0x1200a9;;;BU)
A security descriptor defined using SDDL can also be imported. If the sddlString variable is assumed to hold a valid security descriptor, the following command might be used:
$acl = Get-Acl C:
$acl.SetSecurityDescriptorSddlForm($sddlString)
The imported security descriptor will not apply to the directory until Set-Acl is used.
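The export, inspection and import steps above, as an added example that is not part of the original text. It backs up a directory's descriptor as SDDL, parses the DACL with the .NET RawSecurityDescriptor class to flag allow ACEs that give write-class rights to broad principals (Everyone, Authenticated Users, Users and so on), and restores a saved descriptor with Set-Acl. The function names are chosen here; the sample SDDL is the C: drive string shown earlier on this page.

```powershell
# Added example (not from the original page). Function names are mine.

function Export-DirectorySddl {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$BackupFile
    )
    # Owner, group and DACL in one string (the SACL is included only when
    # the descriptor was read with Get-Acl -Audit from an elevated session)
    $sddl = (Get-Acl -Path $Path).GetSecurityDescriptorSddlForm('All')
    Set-Content -Path $BackupFile -Value $sddl
    $sddl
}

function Import-DirectorySddl {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$BackupFile
    )
    $sddl = (Get-Content -Path $BackupFile -Raw).Trim()
    $acl = Get-Acl -Path $Path
    $acl.SetSecurityDescriptorSddlForm($sddl)
    # Nothing changes on disk until Set-Acl writes the descriptor back
    Set-Acl -Path $Path -AclObject $acl
}

function Find-BroadWriteAce {
    param([Parameter(Mandatory)][string]$Sddl)

    # Well-known SIDs that effectively mean "anyone"; other trustees are ignored
    $broadPrincipals = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-7'      = 'Anonymous Logon'
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-5-32-545' = 'BUILTIN\Users'
        'S-1-5-32-546' = 'BUILTIN\Guests'
    }
    # Bits that let the holder change content or permissions: FILE_WRITE_DATA,
    # FILE_APPEND_DATA (add subdirectory), DELETE, WRITE_DAC, WRITE_OWNER, and
    # the GENERIC_WRITE / GENERIC_ALL bits SDDL writes as GW / GA
    $writeMask = 0x2 -bor 0x4 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x40000000 -bor 0x10000000

    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Only plain allow ACEs widen access; skip deny and object ACEs
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }

        $sid = $ace.SecurityIdentifier.Value
        if (-not $broadPrincipals.ContainsKey($sid)) { continue }
        if (($ace.AccessMask -band $writeMask) -eq 0) { continue }

        [PSCustomObject]@{
            Trustee     = $broadPrincipals[$sid]
            AccessMask  = '0x{0:X8}' -f $ace.AccessMask
            # IO: the ACE applies to children only, not to this directory
            InheritOnly = [bool]($ace.AceFlags -band [System.Security.AccessControl.AceFlags]::InheritOnly)
            Flags       = $ace.AceFlags
        }
    }
}

# Constructed input: the C: drive descriptor shown earlier on this page
$cRoot = 'O:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464' +
         'G:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464' +
         'D:PAI(A;;LC;;;AU)(A;OICIIO;SDGXGWGR;;;AU)(A;;FA;;;SY)(A;OICIIO;GA;;;SY)' +
         '(A;OICIIO;GA;;;BA)(A;;FA;;;BA)(A;OICI;0x1200a9;;;BU)'
Find-BroadWriteAce -Sddl $cRoot | Format-Table -AutoSize

# Live use against a directory (both calls need rights on the target):
# Export-DirectorySddl -Path C:\Data -BackupFile C:\Backup\Data.sddl
# Import-DirectorySddl -Path C:\Data -BackupFile C:\Backup\Data.sddl
```

On the C: string both Authenticated Users ACEs are reported: LC (add subdirectory) on the root itself, and the inherit-only ACE granting Delete, GenericExecute, GenericWrite and GenericRead on items created beneath it. The BUILTIN\Users ACE with mask 0x1200a9 is read-and-execute only and is not reported. Two caveats for the import path: the SDDL string includes the owner, and Set-Acl will refuse to set an owner other than the caller unless the session holds the restore privilege (run elevated), and SetSecurityDescriptorSddlForm throws on a malformed string, so wrap the restore in try/catch when processing many paths.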
WMI security descriptors can be converted to and from different formats, including SDDL. WMI has a specialized class for this: Win32_SecurityDescriptorHelper. The methods for the class are as follows:
PS> (Get-CimClass Win32_SecurityDescriptorHelper).CimClassMethods
Name              ReturnType Parameters            Qualifiers
----              ---------- ----------            ----------
Win32SDToSDDL     UInt32     {Descriptor, SDDL}    {implemented, static}
Win32SDToBinarySD UInt32     {Descriptor, BinarySD} {implemented, static}
SDDLToWin32SD     UInt32     {SDDL, Descriptor}    {implemented, static}
SDDLToBinarySD    UInt32     {SDDL, BinarySD}      {implemented, static}
BinarySDToWin32SD UInt32     {BinarySD, Descriptor} {implemented, static}
BinarySDToSDDL    UInt32     {BinarySD, SDDL}      {implemented, static}
A WMI security descriptor might be converted to SDDL to create a backup before making a change:
$security = Get-CimInstance __SystemSecurity -Namespace root\cimv2
$return = $security | Invoke-CimMethod -MethodName GetSecurityDescriptor
$aclObject = $return.Descriptor
$return = Invoke-CimMethod Win32_SecurityDescriptorHelper -MethodName Win32SDToSDDL -Arguments @{ Descriptor = $aclObject }
If the operation succeeds (that is, if the ReturnValue is 0), the security descriptor in SDDL form will be available:
PS> $return.SDDL
O:BAG:BAD:AR(A;CI;CCDCWP;;;S-1-5-21-2114566378-1333126016-908539190-1001)(A;CI;CCDCLCSWRPWPRCWD;;;BA)(A;CI;CCDCRP;;;NS)(A;CI;CCDCRP;;;LS)(A;CI;CCDCRP;;;AU)
A security descriptor expressed as an SDDL string can be imported:
$sddl = 'O:BAG:BAD:AR(A;CI;CCDCWP;;;S-1-5-21-2114566378-1333126016-908539190-1001)(A;CI;CCDCLCSWRPWPRCWD;;;BA)(A;CI;CCDCRP;;;NS)(A;CI;CCDCRP;;;LS)(A;CI;CCDCRP;;;AU)'
$return = Invoke-CimMethod Win32_SecurityDescriptorHelper -MethodName SDDLToWin32SD -Arguments @{ SDDL = $sddl }
$aclObject = $return.Descriptor
If the ReturnValue is 0, the aclObject variable will contain the imported security descriptor:
PS> $aclObject
ControlFlags : 33028
DACL : {Win32_ACE, Win32_ACE, Win32_ACE, Win32_ACE...}
Group : Win32_Trustee
Owner : Win32_Trustee
SACL :
TIME_CREATED :
PSComputerName :
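The WMI backup, conversion and import steps above, gathered into one added example that is not part of the original text. It reads a namespace's descriptor as SDDL with every ReturnValue checked, decodes the namespace-specific meaning of each ACE's access mask (the two-letter SDDL codes such as CC and DC are generic and mean something different on a WMI namespace than on a file), and writes a saved SDDL string back through SDDLToWin32SD and SetSecurityDescriptor. The function names are chosen here; the sample string is the root\cimv2 descriptor shown earlier on this page.

```powershell
# Added example (not from the original page). Function names are mine.

function Get-WmiNamespaceSddl {
    param([string]$Namespace = 'root\cimv2')
    $security = Get-CimInstance -ClassName __SystemSecurity -Namespace $Namespace
    $result = Invoke-CimMethod -InputObject $security -MethodName GetSecurityDescriptor
    if ($result.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed: $($result.ReturnValue)" }
    $result = Invoke-CimMethod -ClassName Win32_SecurityDescriptorHelper -MethodName Win32SDToSDDL -Arguments @{ Descriptor = $result.Descriptor }
    if ($result.ReturnValue -ne 0) { throw "Win32SDToSDDL failed: $($result.ReturnValue)" }
    $result.SDDL
}

function Set-WmiNamespaceSddl {
    param(
        [string]$Namespace = 'root\cimv2',
        [Parameter(Mandatory)][string]$Sddl
    )
    $result = Invoke-CimMethod -ClassName Win32_SecurityDescriptorHelper -MethodName SDDLToWin32SD -Arguments @{ SDDL = $Sddl }
    if ($result.ReturnValue -ne 0) { throw "SDDLToWin32SD failed: $($result.ReturnValue)" }
    $security = Get-CimInstance -ClassName __SystemSecurity -Namespace $Namespace
    # Writing the descriptor needs the Edit Security (WD) right on the namespace
    $result = Invoke-CimMethod -InputObject $security -MethodName SetSecurityDescriptor -Arguments @{ Descriptor = $result.Descriptor }
    if ($result.ReturnValue -ne 0) { throw "SetSecurityDescriptor failed: $($result.ReturnValue)" }
}

function ConvertTo-WmiNamespaceRights {
    # WBEM access mask bits and the SDDL code each one is written as
    param([Parameter(Mandatory)][uint32]$AccessMask)
    $bits = [ordered]@{
        0x1     = 'Enable Account'   # CC  WBEM_ENABLE
        0x2     = 'Execute Methods'  # DC  WBEM_METHOD_EXECUTE
        0x4     = 'Full Write'       # LC  WBEM_FULL_WRITE_REP
        0x8     = 'Partial Write'    # SW  WBEM_PARTIAL_WRITE_REP
        0x10    = 'Provider Write'   # RP  WBEM_WRITE_PROVIDER
        0x20    = 'Remote Enable'    # WP  WBEM_REMOTE_ACCESS
        0x20000 = 'Read Security'    # RC  READ_CONTROL
        0x40000 = 'Edit Security'    # WD  WRITE_DAC
    }
    ($bits.Keys | Where-Object { $AccessMask -band $_ } | ForEach-Object { $bits[$_] }) -join ', '
}

function Show-WmiNamespaceAcl {
    param([Parameter(Mandatory)][string]$Sddl)
    $result = Invoke-CimMethod -ClassName Win32_SecurityDescriptorHelper -MethodName SDDLToWin32SD -Arguments @{ SDDL = $Sddl }
    if ($result.ReturnValue -ne 0) { throw "SDDLToWin32SD failed: $($result.ReturnValue)" }
    foreach ($ace in $result.Descriptor.DACL) {
        # Win32_Trustee resolves well-known SIDs; a SID from another machine stays unresolved
        $trustee = $ace.Trustee.SIDString
        if ($ace.Trustee.Name) { $trustee = '{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name }
        [PSCustomObject]@{
            Trustee = $trustee
            Type    = if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' }
            Inherit = [bool]($ace.AceFlags -band 0x2)   # CONTAINER_INHERIT_ACE, the CI flag
            Rights  = ConvertTo-WmiNamespaceRights -AccessMask $ace.AccessMask
        }
    }
}

# Constructed input: the root\cimv2 descriptor shown earlier on this page
$saved = 'O:BAG:BAD:AR(A;CI;CCDCWP;;;S-1-5-21-2114566378-1333126016-908539190-1001)' +
         '(A;CI;CCDCLCSWRPWPRCWD;;;BA)(A;CI;CCDCRP;;;NS)(A;CI;CCDCRP;;;LS)(A;CI;CCDCRP;;;AU)'
Show-WmiNamespaceAcl -Sddl $saved | Format-Table -AutoSize

# Live use: back up the current descriptor before a change, restore it afterwards
$current = Get-WmiNamespaceSddl -Namespace 'root\cimv2'
Set-Content -Path "$env:TEMP\root_cimv2.sddl" -Value $current
# Set-WmiNamespaceSddl -Namespace 'root\cimv2' -Sddl (Get-Content "$env:TEMP\root_cimv2.sddl" -Raw).Trim()
```

Decoding the sample string shows why the raw SDDL is worth reading before it is re-applied: the S-1-5-21-...-1001 account gets Enable Account, Execute Methods and Remote Enable (the rights needed to use the namespace over the network), BUILTIN\Administrators get every right including Edit Security, and NETWORK SERVICE, LOCAL SERVICE and Authenticated Users get the default Enable Account, Execute Methods and Provider Write. Each helper call is checked because the conversion methods report parse errors only through ReturnValue; a non-zero value leaves the output parameter empty rather than raising a PowerShell error.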