WMI and SDDL

Security descriptor definition language (SDDL) is used to describe the content of a security descriptor as a string.

A security descriptor returned by Get-Acl has a method that can convert the entire security descriptor to a string, as follows:

PS> (Get-Acl C:\).GetSecurityDescriptorSddlForm('All')
O:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464G:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464D:PAI(A;;LC;;;AU)(A;OICIIO;SDGXGWGR;;;AU)(A;;FA;;;SY)(A;OICIIO;GA;;;SY)(A;OICIIO;GA;;;BA)(A;;FA;;;BA)(A;OICI;0x1200a9;;;BU)

A security descriptor defined using SDDL can also be imported. If the sddlString variable is assumed to hold a valid security descriptor, the following command might be used:

$acl = Get-Acl C:\
$acl.SetSecurityDescriptorSddlForm($sddlString)

The imported security descriptor will not apply to the directory until Set-Acl is used.

WMI security descriptors can be converted to and from different formats, including SDDL. WMI has a specialized class for this: Win32_SecurityDescriptorHelper. The methods for the class are shown here:

PS> (Get-CimClass Win32_SecurityDescriptorHelper).CimClassMethods

Name              ReturnType Parameters             Qualifiers
----              ---------- ----------             ----------
Win32SDToSDDL         UInt32 {Descriptor, SDDL}     {implemented, static}
Win32SDToBinarySD     UInt32 {Descriptor, BinarySD} {implemented, static}
SDDLToWin32SD         UInt32 {SDDL, Descriptor}     {implemented, static}
SDDLToBinarySD        UInt32 {SDDL, BinarySD}       {implemented, static}
BinarySDToWin32SD     UInt32 {BinarySD, Descriptor} {implemented, static}
BinarySDToSDDL        UInt32 {BinarySD, SDDL}       {implemented, static}

A WMI security descriptor might be converted to SDDL to create a backup before making a change, as follows:

$security = Get-CimInstance __SystemSecurity -Namespace root\cimv2
$return = $security | Invoke-CimMethod -MethodName GetSecurityDescriptor
$aclObject = $return.Descriptor

$params = @{
    ClassName  = 'Win32_SecurityDescriptorHelper'
    MethodName = 'Win32SDToSDDL'
    Arguments  = @{
        Descriptor = $aclObject
    }
}
$return = Invoke-CimMethod @params

If the operation succeeds (that is, if the ReturnValue is 0), the security descriptor in the SDDL form will be available:

PS> $return.SDDL
O:BAG:BAD:AR(A;CI;CCDCWP;;;S-1-5-21-2114566378-1333126016-908539190-1001)(A;CI;CCDCLCSWRPWPRCWD;;;BA)(A;CI;CCDCRP;;;NS)(A;CI;CCDCRP;;;LS)(A;CI;CCDCRP;;;AU)
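The SDDL string above is compact but hard to review, so the following added example (not code from the book) decodes each ACE in it into WMI namespace rights and marks entries that grant RemoteEnable or EditSecurity to a trustee other than the built-in Administrators group. The names ConvertFrom-WmiSddl and WmiNamespaceRight are hypothetical; the parsing uses the .NET RawSecurityDescriptor class and only reads the string, nothing is written back to WMI.

```powershell
# Added example. WMI namespace access-mask bits and the SDDL codes that carry them.
[Flags()] enum WmiNamespaceRight {
    Enable        = 0x1      # SDDL: CC
    MethodExecute = 0x2      # SDDL: DC
    FullWrite     = 0x4      # SDDL: LC
    PartialWrite  = 0x8      # SDDL: SW
    ProviderWrite = 0x10     # SDDL: RP
    RemoteEnable  = 0x20     # SDDL: WP
    ReadSecurity  = 0x20000  # SDDL: RC
    EditSecurity  = 0x40000  # SDDL: WD
}

function ConvertFrom-WmiSddl {   # hypothetical helper name
    param(
        [Parameter(Mandatory)]
        [string]$Sddl
    )

    # Parse the SDDL locally; an invalid string throws here instead of
    # reaching SDDLToWin32SD or SetSecurityDescriptor.
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)

    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier.Value
        # 0x40020 = RemoteEnable (0x20) + EditSecurity (0x40000)
        $sensitive = ($ace.AccessMask -band 0x40020) -ne 0

        [pscustomobject]@{
            Trustee  = $sid
            AceType  = $ace.AceType
            AceFlags = $ace.AceFlags
            Rights   = [WmiNamespaceRight]$ace.AccessMask
            # S-1-5-32-544 is BUILTIN\Administrators (BA in SDDL)
            Review   = $sensitive -and $sid -ne 'S-1-5-32-544'
        }
    }
}

# The SDDL string shown above on this page, used as sample input.
$sddl = 'O:BAG:BAD:AR(A;CI;CCDCWP;;;S-1-5-21-2114566378-1333126016-908539190-1001)' +
        '(A;CI;CCDCLCSWRPWPRCWD;;;BA)(A;CI;CCDCRP;;;NS)(A;CI;CCDCRP;;;LS)(A;CI;CCDCRP;;;AU)'

ConvertFrom-WmiSddl -Sddl $sddl | Format-Table -AutoSize
```

Running the same function over a saved backup string and over the current descriptor gives two object lists that can be compared with Compare-Object to see which ACEs a change added or removed.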

A security descriptor expressed as an SDDL string can be imported:

$params = @{
    ClassName  = 'Win32_SecurityDescriptorHelper'
    MethodName = 'SDDLToWin32SD'
    Arguments  = @{
        SDDL = 'O:BAG:BAD:AR(A;CI;CCDCWP;;;S-1-5-21-2114566378-1333126016-908539190-1001)(A;CI;CCDCLCSWRPWPRCWD;;;BA)(A;CI;CCDCRP;;;NS)(A;CI;CCDCRP;;;LS)(A;CI;CCDCRP;;;AU)'
    }
}
$return = Invoke-CimMethod @params
$aclObject = $return.Descriptor

If the ReturnValue is 0, the aclObject variable will contain the imported security descriptor:

PS> $aclObject

ControlFlags   : 33028
DACL           : {Win32_ACE, Win32_ACE, Win32_ACE, Win32_ACE...}
Group          : Win32_Trustee
Owner          : Win32_Trustee
SACL           :
TIME_CREATED   :
PSComputerName :