Understanding SDDL Syntax

Last updated: January 30, 2023
Audience: IT Staff / Technical

What follows is an appendix which pieces together several disparate Microsoft documents on the SDDL syntax. The SDDL syntax is important if you do coding of directory security or manually edit a security template file.

SDDL (Security Descriptor Definition Language)

At the lowest level, the Security Descriptor Definition Language is used in the nTSecurityDescriptor attribute (and on registry keys and NTFS files) to define the ACL. Fortunately, one does not need to know this level of detail in normal conditions. But advanced administrators may want to write scripts or code that can correctly construct SDDL strings. Also the security templates (located at %systemroot%\security\templates\) use SDDL if you manually edit them with a text editor instead of the MMC interface. I’ve found that manually editing these templates turns out to be the most effective way to manipulate them. It is most likely that you will simply need to be able to read a SDDL string, so we’ll try to keep things to only a cursory overview. Further details can be found at http://msdn.microsoft.com/library/.

Format of nTSecurityDescriptor string (bold and italics added for clarity):

O:owner_sidG:group_sidD:dacl_flags(string_ace1)(string_ace2)…(string_acen)S:sacl_flags(string_ace1)(string_ace2)…(string_acen)

Each nTSecurityDescriptor SDDL string is composed of 5 primary parts which correspond to the Header, DACL (D:), SACL (S:), primary group (G:)and owner (O:). Each of these parts is designated with the prefix noted in parenthesis. The header contains some record keeping information, along with 2 flags that designate whether the object is blocking inheritance for the SACL and DACL. The contents of both the primary group and owner parts are simply a single SID. The contents of both the SACL and DACL parts are a string with no fixed length. ACEs make up the contents of these strings. ACEs are enclosed within parenthesis, and there are 6 fields in each ACE. These 6 fields are separated by a semicolon delimiter. The fields are ACE type (allow/deny/audit), ACE flags (inheritance and audit settings), Permissions (list of incremental permissions), ObjectType (GUID), Inherited Object Type (GUID), and Trustee (SID).

ACE Type

The ACE type designates whether the trustee is allowed, denied or audited.

Value Description
“A” ACCESS ALLOWED
“D” ACCESS DENIED
“OA” OBJECT ACCESS ALLOWED: ONLY APPLIES TO A SUBSET OF THE OBJECT(S).
“OD” OBJECT ACCESS DENIED: ONLY APPLIES TO A SUBSET OF THE OBJECT(S).
“AU” SYSTEM AUDIT
“AL” SYSTEM ALARM
“OU” OBJECT SYSTEM AUDIT
“OL” OBJECT SYSTEM ALARM

ACE Flags

The ACE flags denote the inheritance options for the ACE, and if it is a SACL, the audit settings.

Value Description
“CI” CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit ACE.
“OI” OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE.
“NP” NO PROPAGATE: ONLY IMMEDIATE CHILDREN INHERIT THIS ACE.
“IO” INHERITANCE ONLY: ACE DOESN’T APPLY TO THIS OBJECT, BUT MAY AFFECT CHILDREN VIA INHERITANCE.
“ID” ACE IS INHERITED
“SA” SUCCESSFUL ACCESS AUDIT
“FA” FAILED ACCESS AUDIT

Permissions

The Permissions are a list of the incremental permissions given (or denied/audited) to the trustee-these correspond to the permissions discussed earlier and are simply appended together. However, the incremental permissions are not the only permissions available. The table below lists all the permissions.

Value Description Hexadecimal Value Binary Bits from 0
Generic access rights
“GA” GENERIC ALL 0x10000000 Bit 28
“GR” GENERIC READ 0x80000000 Bit 31
“GW” GENERIC WRITE 0x40000000 Bit 30
“GX” GENERIC EXECUTE 0x20000000 Bit 29
Directory service access rights
“RC” Read Permissions 0x20000 Bit 17
“SD” Delete 0x10000 Bit 16
“WD” Modify Permissions 0x40000 Bit 18
“WO” Modify Owner 0x80000 Bit 19
“RP” Read All Properties 0x00000010 Bit 4
“WP” Write All Properties 0x00000020 Bit 5
“CC” Create All Child Objects 0x00000001 Bit 0
“DC” Delete All Child Objects 0x00000002 Bit 1
“LC” List Contents 0x00000004 Bit 2
“SW” All Validated Writes 0x00000008 Bit 3
“LO” List Object 0x00000080 Bit 7
“DT” Delete Subtree 0x00000040 Bit 6
“CR” All Extended Rights 0x00000100 Bit 8
File access rights
“FA” FILE ALL ACCESS
“FR” FILE GENERIC READ
“FW” FILE GENERIC WRITE
“FX” FILE GENERIC EXECUTE
Registry key access rights
“KA” KEY ALL ACCESS 0xF003F
“KR” KEY READ 0x20019
“KW” KEY WRITE 0x20006
“KX” KEY EXECUTE 0x20019
KEY CREATE SUB KEYS 0x0004
KEY ENUMERATE SUB KEYS 0x0008
KEY NOTIFY 0x0010
KEY QUERY VALUE 0x0001
KEY SET VALUE 0x0002

Object Type and Inherited Object Type

The ObjectType is a GUID representing an object class, attribute, attribute set, or extended right. If present it limits the ACE to the object the GUID represents. The Inherited Object Type is a GUID representing an object class. If present it limits inheritance of the ACE to the child entries of only that object class.

Trustee

The Trustee is the SID of the user or group being given access (or denied or audited). Instead of a SID, there are several commonly used acronyms for well-known SIDs. The most common are listed in the table below, but you can review more at https://docs.microsoft.com/en-us/windows/win32/secauthz/sid-strings:

Value Description
“AO” Account operators
“RU” Alias to allow previous Windows 2000
“AN” Anonymous logon
“AU” Authenticated users
“BA” Built-in administrators
“BG” Built-in guests
“BO” Backup operators
“BU” Built-in users
“CA” Certificate server administrators
“CG” Creator group
“CO” Creator owner
“DA” Domain administrators
“DC” Domain computers
“DD” Domain controllers
“DG” Domain guests
“DU” Domain users
“EA” Enterprise administrators
“ED” Enterprise domain controllers
“WD” Everyone
“PA” Group Policy administrators
“IU” Interactively logged-on user
“LA” Local administrator
“LG” Local guest
“LS” Local service account
“SY” Local system
“NU” Network logon user
“NO” Network configuration operators
“NS” Network service account
“PO” Printer operators
“PS” Personal self
“PU” Power users
“RS” RAS servers group
“RD” Terminal server users
“RE” Replicator
“RC” Restricted code
“SA” Schema administrators
“SO” Server operators
“SU” Service logon user

Each of these fields and values has quite a bit of detail to it, and for the purposes of this overview we can’t go into extended detail.

Re-used with permission from Stanford University for which Brian Arkills originally wrote this documentation.