WMI and SDDL

Security Descriptor Definition Language (SDDL) is used to describe the content of a security descriptor as a string. The string is made up of an owner (O:), a group (G:), a DACL (D:) and, optionally, a SACL (S:) section; each access control entry (ACE) in the DACL or SACL is written as (type;flags;rights;object_guid;inherit_object_guid;trustee), with well-known trustees abbreviated (BA for BUILTIN\Administrators, SY for SYSTEM, AU for Authenticated Users, and so on).

A security descriptor returned by Get-Acl has a method that can convert the entire security descriptor to a string:

PS> (Get-Acl C:).GetSecurityDescriptorSddlForm('All')
O:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464G:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464D:PAI(A;;LC;;;AU)(A;OICIIO;SDGXGWGR;;;AU)(A;;FA;;;SY)(A;OICIIO;GA;;;SY)(A;OICIIO;GA;;;BA)(A;;FA;;;BA)(A;OICI;0x1200a9;;;BU)

A security descriptor defined using SDDL can also be imported. Assuming the sddlString variable holds a valid SDDL string, the following commands might be used:

$acl = Get-Acl C: 
$acl.SetSecurityDescriptorSddlForm($sddlString) 

SetSecurityDescriptorSddlForm changes only the in-memory copy held in $acl; nothing is written to the directory until Set-Acl is called with that object.
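The following script is an added example and is not code from the original text. It backs up a directory's security descriptor as an SDDL string, shows that SetSecurityDescriptorSddlForm leaves the directory untouched until Set-Acl runs, lists the ACEs that a change adds or removes so it can be reviewed, and restores from the backup. The directory under $env:TEMP and the backup file name are assumptions made for this example.

```powershell
# Added example (not from the original text). Backs up a directory's security
# descriptor as SDDL, shows that SetSecurityDescriptorSddlForm changes only the
# in-memory copy until Set-Acl runs, and restores from the backup. The paths are
# assumptions made for this example; it works on a directory it creates in $env:TEMP.

function ConvertTo-AceSummary {
    # Render each DACL entry of an SDDL string as one comparable line.
    param([Parameter(Mandatory)][string]$Sddl)

    # RawSecurityDescriptor throws on a malformed string, so this also validates it.
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $ace.SecurityIdentifier.Value }   # unresolvable SID: keep it raw
        '{0} [{1}] 0x{2:x} {3}' -f $ace.AceType, $ace.AceFlags, $ace.AccessMask, $who
    }
}

function Compare-Sddl {
    # List the ACEs that appear in only one of two SDDL strings ("<=" only in
    # Before, "=>" only in After) so a change can be reviewed before Set-Acl.
    param([Parameter(Mandatory)][string]$Before, [Parameter(Mandatory)][string]$After)

    Compare-Object -ReferenceObject @(ConvertTo-AceSummary -Sddl $Before) `
                   -DifferenceObject @(ConvertTo-AceSummary -Sddl $After) |
        ForEach-Object { '{0} {1}' -f $_.SideIndicator, $_.InputObject }
}

$target = Join-Path $env:TEMP 'sddl-demo'
$backup = Join-Path $env:TEMP 'sddl-demo.sddl'
New-Item -ItemType Directory -Path $target -Force | Out-Null

# Export. 'All' covers owner, group and DACL here; Get-Acl reads the SACL only with
# -Audit. Writing back an owner other than yourself needs SeRestorePrivilege.
$original = (Get-Acl -Path $target).GetSecurityDescriptorSddlForm('All')
Set-Content -Path $backup -Value $original -Encoding ASCII

# Change the in-memory descriptor: allow Authenticated Users (AU) Modify
# (0x1301bf) with object and container inheritance. Appending works because the
# DACL is the last section of a string that has no S: part.
$acl = Get-Acl -Path $target
$acl.SetSecurityDescriptorSddlForm($original + '(A;OICI;0x1301bf;;;AU)')
$live = (Get-Acl -Path $target).GetSecurityDescriptorSddlForm('All')
"Changed on disk before Set-Acl: $($live -ne $original)"

Set-Acl -Path $target -AclObject $acl
$live = (Get-Acl -Path $target).GetSecurityDescriptorSddlForm('All')
"Changed on disk after Set-Acl:  $($live -ne $original)"
Compare-Sddl -Before $original -After $live

# Restore from the backup, reviewing what the restore will remove first.
$restoreSddl = (Get-Content -Path $backup -Raw).Trim()
Compare-Sddl -Before $live -After $restoreSddl
$acl = Get-Acl -Path $target
$acl.SetSecurityDescriptorSddlForm($restoreSddl)
Set-Acl -Path $target -AclObject $acl
"Restored to backup: $((Get-Acl -Path $target).GetSecurityDescriptorSddlForm('All') -eq $original)"
```

Parsing the string with RawSecurityDescriptor before Set-Acl catches a malformed hand-edited SDDL early, and the ACE comparison makes the effect of a restore visible before it is applied. Restoring a descriptor whose owner is another principal (such as the TrustedInstaller SID on C: above) requires an elevated session with SeRestorePrivilege.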

WMI security descriptors can be converted to and from different formats, including SDDL. WMI has a specialized class for this: Win32_SecurityDescriptorHelper. All of its methods are static, which is why Invoke-CimMethod is later called with the class name rather than an instance. The methods for the class are as follows:

PS> (Get-CimClass Win32_SecurityDescriptorHelper).CimClassMethods

Name              ReturnType Parameters             Qualifiers
----              ---------- ----------             ----------
Win32SDToSDDL         UInt32 {Descriptor, SDDL}     {implemented, static}
Win32SDToBinarySD     UInt32 {Descriptor, BinarySD} {implemented, static}
SDDLToWin32SD         UInt32 {SDDL, Descriptor}     {implemented, static}
SDDLToBinarySD        UInt32 {SDDL, BinarySD}       {implemented, static}
BinarySDToWin32SD     UInt32 {BinarySD, Descriptor} {implemented, static}
BinarySDToSDDL        UInt32 {BinarySD, SDDL}       {implemented, static}

A WMI security descriptor might be converted to SDDL to create a backup before making a change:

$security = Get-CimInstance __SystemSecurity -Namespace root\cimv2 
$return = $security | Invoke-CimMethod -MethodName GetSecurityDescriptor 
$aclObject = $return.Descriptor 
 
$return = Invoke-CimMethod Win32_SecurityDescriptorHelper -MethodName Win32SDToSDDL -Arguments @{ 
    Descriptor = $aclObject 
} 

If the operation succeeds (that is, if the ReturnValue is 0), the security descriptor in SDDL form will be available:

PS> $return.SDDL
O:BAG:BAD:AR(A;CI;CCDCWP;;;S-1-5-21-2114566378-1333126016-908539190-1001)(A;CI;CCDCLCSWRPWPRCWD;;;BA)(A;CI;CCDCRP;;;NS)(A;CI;CCDCRP;;;LS)(A;CI;CCDCRP;;;AU)

A security descriptor expressed as an SDDL string can be imported:

$sddl = 'O:BAG:BAD:AR(A;CI;CCDCWP;;;S-1-5-21-2114566378-1333126016-908539190-1001)(A;CI;CCDCLCSWRPWPRCWD;;;BA)(A;CI;CCDCRP;;;NS)(A;CI;CCDCRP;;;LS)(A;CI;CCDCRP;;;AU)' 
$return = Invoke-CimMethod Win32_SecurityDescriptorHelper -MethodName SDDLToWin32SD -Arguments @{ 
    SDDL = $sddl 
} 
$aclObject = $return.Descriptor 

If the ReturnValue is 0, the aclObject variable will contain the imported security descriptor:

PS> $aclObject

ControlFlags : 33028
DACL : {Win32_ACE, Win32_ACE, Win32_ACE, Win32_ACE...}
Group : Win32_Trustee
Owner : Win32_Trustee
SACL :
TIME_CREATED :
PSComputerName :
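The following script is an added example and is not code from the original text; it covers both the backup (Win32SDToSDDL) and the import (SDDLToWin32SD) steps above in one place. It exports a namespace's security descriptor as SDDL, decodes the WMI-specific rights in each ACE so the entries can be reviewed, and writes a saved SDDL back with SetSecurityDescriptor, checking ReturnValue at every step. The namespace, the backup file path and the function names are assumptions made for this example; the right-name-to-bit mapping is the documented WMI namespace access mask.

```powershell
# Added example (not from the original text). Exports a WMI namespace's security
# descriptor as SDDL through Win32_SecurityDescriptorHelper, decodes the WMI specific
# rights so the entries can be reviewed, and imports a saved SDDL with a ReturnValue
# check at every step. The namespace and file path are assumptions made for this
# example, and the restore supports -WhatIf so it can be dry-run.

# WMI namespace access mask bits, which SDDL writes as CC, DC, LC, SW, RP, WP, RC
# and WD respectively (the generic object-right abbreviations, reused by WMI).
$WmiRight = [ordered]@{
    EnableAccount = 0x00001   # CC  WBEM_ENABLE
    MethodExecute = 0x00002   # DC  WBEM_METHOD_EXECUTE
    FullWrite     = 0x00004   # LC  WBEM_FULL_WRITE_REP
    PartialWrite  = 0x00008   # SW  WBEM_PARTIAL_WRITE_REP
    ProviderWrite = 0x00010   # RP  WBEM_WRITE_PROVIDER
    RemoteEnable  = 0x00020   # WP  WBEM_REMOTE_ACCESS
    ReadSecurity  = 0x20000   # RC  READ_CONTROL
    EditSecurity  = 0x40000   # WD  WRITE_DAC
}

function Export-WmiNamespaceSddl {
    param([string]$Namespace = 'root\cimv2')

    $security = Get-CimInstance -ClassName __SystemSecurity -Namespace $Namespace
    $sd = $security | Invoke-CimMethod -MethodName GetSecurityDescriptor
    if ($sd.ReturnValue -ne 0) { throw "GetSecurityDescriptor on $Namespace failed: $($sd.ReturnValue)" }

    $conv = Invoke-CimMethod -ClassName Win32_SecurityDescriptorHelper -MethodName Win32SDToSDDL `
        -Arguments @{ Descriptor = $sd.Descriptor }
    if ($conv.ReturnValue -ne 0) { throw "Win32SDToSDDL failed: $($conv.ReturnValue)" }
    $conv.SDDL
}

function ConvertFrom-WmiNamespaceSddl {
    # One object per DACL entry: trustee, named WMI rights, inheritance flags.
    param([Parameter(Mandatory)][string]$Sddl)

    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $ace.SecurityIdentifier.Value }   # unresolvable SID (for example, a deleted account)
        $rights = foreach ($name in $WmiRight.Keys) {
            if ($ace.AccessMask -band $WmiRight[$name]) { $name }
        }
        [pscustomobject]@{
            Type     = $ace.AceType
            Trustee  = $who
            Rights   = $rights -join ','
            Inherit  = $ace.AceFlags
            # Write rights let a trustee change the repository or the DACL itself.
            CanWrite = [bool]($ace.AccessMask -band ($WmiRight.FullWrite -bor $WmiRight.PartialWrite -bor $WmiRight.EditSecurity))
        }
    }
}

function Import-WmiNamespaceSddl {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$Sddl,
        [string]$Namespace = 'root\cimv2'
    )

    $conv = Invoke-CimMethod -ClassName Win32_SecurityDescriptorHelper -MethodName SDDLToWin32SD `
        -Arguments @{ SDDL = $Sddl }
    if ($conv.ReturnValue -ne 0) { throw "SDDLToWin32SD failed: $($conv.ReturnValue)" }

    if ($PSCmdlet.ShouldProcess($Namespace, 'Replace namespace security descriptor')) {
        $security = Get-CimInstance -ClassName __SystemSecurity -Namespace $Namespace
        $result = $security | Invoke-CimMethod -MethodName SetSecurityDescriptor `
            -Arguments @{ Descriptor = $conv.Descriptor }
        if ($result.ReturnValue -ne 0) { throw "SetSecurityDescriptor on $Namespace failed: $($result.ReturnValue)" }
    }
}

# Decode the SDDL string shown earlier in this section; this part needs no WMI access.
$sample = 'O:BAG:BAD:AR(A;CI;CCDCWP;;;S-1-5-21-2114566378-1333126016-908539190-1001)(A;CI;CCDCLCSWRPWPRCWD;;;BA)(A;CI;CCDCRP;;;NS)(A;CI;CCDCRP;;;LS)(A;CI;CCDCRP;;;AU)'
ConvertFrom-WmiNamespaceSddl -Sddl $sample | Format-Table -AutoSize

# Back up the live namespace, review who can write to it, then dry-run the restore.
$backupFile = Join-Path $env:TEMP 'cimv2-security.sddl'
$live = Export-WmiNamespaceSddl -Namespace 'root\cimv2'
Set-Content -Path $backupFile -Value $live -Encoding ASCII
ConvertFrom-WmiNamespaceSddl -Sddl $live | Where-Object CanWrite | Format-Table -AutoSize
Import-WmiNamespaceSddl -Sddl (Get-Content -Path $backupFile -Raw).Trim() -Namespace 'root\cimv2' -WhatIf
```

Decoding the string before importing it is the useful part: in the sample, BA holds every right including WRITE_DAC, the three service accounts and Authenticated Users hold only enable, method execute and provider write, and the single local user SID holds remote enable. SetSecurityDescriptor needs WRITE_DAC on the namespace, so the restore must run from an elevated session; drop -WhatIf only once the decoded entries look right.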