Security descriptor definition language (SDDL) is used to describe the content of a security descriptor as a string.
A security descriptor returned by Get-Acl has a method that can convert the entire security descriptor to a string, as follows:
PS> (Get-Acl C:).GetSecurityDescriptorSddlForm('All')
O:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464G:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464D:PAI(A;;LC;;;AU)(A;OICIIO;SDGXGWGR;;;AU)(A;;FA;;;SY)(A;OICIIO;GA;;;SY)(A;OICIIO;GA;;;BA)(A;;FA;;;BA)(A;OICI;0x1200a9;;;BU)
A security descriptor defined using SDDL can also be imported. If the sddlString variable is assumed to hold a valid security descriptor, the following command might be used:
$acl = Get-Acl C:
$acl.SetSecurityDescriptorSddlForm($sddlString)
The imported security descriptor will not apply to the directory until Set-Acl is used.
WMI security descriptors can be converted to and from different formats, including SDDL. WMI has a specialized class for this: Win32_SecurityDescriptorHelper. The methods for the class are shown here:
PS> (Get-CimClass Win32_SecurityDescriptorHelper).CimClassMethods
Name ReturnType Parameters Qualifiers
---- ---------- ---------- ----------
Win32SDToSDDL UInt32 {Descriptor, SDDL} {implemented, static}
Win32SDToBinarySD UInt32 {Descriptor, BinarySD} {implemented, static}
SDDLToWin32SD UInt32 {SDDL, Descriptor} {implemented, static}
SDDLToBinarySD UInt32 {SDDL, BinarySD} {implemented, static}
BinarySDToWin32SD UInt32 {BinarySD, Descriptor} {implemented, static}
BinarySDToSDDL UInt32 {BinarySD, SDDL} {implemented, static}
A WMI security descriptor might be converted to SDDL to create a backup before making a change, as follows:
$security = Get-CimInstance __SystemSecurity -Namespace root\cimv2
$return = $security | Invoke-CimMethod -MethodName GetSecurityDescriptor
$aclObject = $return.Descriptor
$params = @{
    ClassName  = 'Win32_SecurityDescriptorHelper'
    MethodName = 'Win32SDToSDDL'
    Arguments  = @{
        Descriptor = $aclObject
    }
}
$return = Invoke-CimMethod @params
If the operation succeeds (that is, if the ReturnValue is 0), the security descriptor in the SDDL form will be available:
PS> $return.SDDL
O:BAG:BAD:AR(A;CI;CCDCWP;;;S-1-5-21-2114566378-1333126016-908539190-1001)(A;CI;CCDCLCSWRPWPRCWD;;;BA)(A;CI;CCDCRP;;;NS)(A;CI;CCDCRP;;;LS)(A;CI;CCDCRP;;;AU)
A security descriptor expressed as an SDDL string can be imported:
$params = @{
    ClassName  = 'Win32_SecurityDescriptorHelper'
    MethodName = 'SDDLToWin32SD'
    Arguments  = @{
        SDDL = 'O:BAG:BAD:AR(A;CI;CCDCWP;;;S-1-5-21-2114566378-1333126016-908539190-1001)(A;CI;CCDCLCSWRPWPRCWD;;;BA)(A;CI;CCDCRP;;;NS)(A;CI;CCDCRP;;;LS)(A;CI;CCDCRP;;;AU)'
    }
}
$return = Invoke-CimMethod @params
$aclObject = $return.Descriptor
If the ReturnValue is 0, the aclObject variable will contain the imported security descriptor:
PS> $aclObject
ControlFlags : 33028
DACL : {Win32_ACE, Win32_ACE, Win32_ACE, Win32_ACE...}
Group : Win32_Trustee
Owner : Win32_Trustee
SACL :
TIME_CREATED :
PSComputerName :
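As an added example (not the book's own code), the following script backs up a namespace security descriptor with the same Win32SDToSDDL call shown above and then parses an SDDL string offline with .NET's RawSecurityDescriptor to list the trustees that hold any WMI write right. The namespace, output path, function names and the write-bit values are assumptions I have made for the example.

```powershell
# Added example: back up a WMI namespace security descriptor as SDDL,
# then review which trustees hold write rights in a given SDDL string.
# Namespace, output path and function names are assumed for the example.

function Export-WmiNamespaceSddl {
    param([string]$Namespace = 'root\cimv2', [string]$Path = "$env:TEMP\cimv2-sddl.txt")

    # Same call sequence as the book: __SystemSecurity -> Win32SDToSDDL
    $security = Get-CimInstance __SystemSecurity -Namespace $Namespace
    $result = $security | Invoke-CimMethod -MethodName GetSecurityDescriptor
    if ($result.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed: $($result.ReturnValue)" }

    $params = @{
        ClassName  = 'Win32_SecurityDescriptorHelper'
        MethodName = 'Win32SDToSDDL'
        Arguments  = @{ Descriptor = $result.Descriptor }
    }
    $conv = Invoke-CimMethod @params
    if ($conv.ReturnValue -ne 0) { throw "Win32SDToSDDL failed: $($conv.ReturnValue)" }

    # Keep the SDDL string as the backup; it can be restored with SDDLToWin32SD
    Set-Content -Path $Path -Value $conv.SDDL -Encoding UTF8
    $conv.SDDL
}

function Get-WmiNamespaceWriteAce {
    param([Parameter(Mandatory)][string]$Sddl)

    # WMI namespace access-mask bits (assumed from the documented namespace rights):
    # full write repository 0x4, partial write 0x8, write provider 0x10, WRITE_DAC 0x40000
    $writeMask = 0x4 -bor 0x8 -bor 0x10 -bor 0x40000

    # RawSecurityDescriptor parses SDDL in-process; no WMI call is needed here
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($ace.AceType -ne 'AccessAllowed') { continue }
        if (($ace.AccessMask -band $writeMask) -eq 0) { continue }
        [pscustomobject]@{
            Trustee    = $ace.SecurityIdentifier.Value
            AccessMask = '0x{0:X}' -f $ace.AccessMask
            Inherited  = $ace.IsInherited
        }
    }
}

# Usage: the SDDL string from the book, supplied inline so the review runs without WMI
$sample = 'O:BAG:BAD:AR(A;CI;CCDCWP;;;S-1-5-21-2114566378-1333126016-908539190-1001)(A;CI;CCDCLCSWRPWPRCWD;;;BA)(A;CI;CCDCRP;;;NS)(A;CI;CCDCRP;;;LS)(A;CI;CCDCRP;;;AU)'
Get-WmiNamespaceWriteAce -Sddl $sample | Format-Table
```

With the sample string, the user SID (CCDCWP) is not listed because none of its bits are write bits, while BA and the NS, LS and AU entries (which carry RP, the provider-write bit) are.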