16

Is there a tool to generate SDDL (Security Descriptor Definition Language) strings? I'd like to create them through Windows' Security property sheet or something similar.

Ilya

2 Answers

16

One way is to set the ACL on a file (using the standard property sheet -- i.e. right click and choose Properties, then go to the Security tab), then use `CACLS filename /S` to display the resulting ACL in the SDDL format.

Ilya
  • This is a really good tip to construct SDDL if you don't want to go through the complex SDDL syntax to format it. I like it. :-) – Sitaram Pamarthi Jun 26 '12 at 12:22
  • Will not work for custom (non in-built) user accounts. – Ajay Apr 28 '17 at 09:22
  • @Ajay - Would it work for [AD-accounts and groups](https://en.wikipedia.org/wiki/Active_Directory) as well as built-in groups? For stable environments the identifiers of AD-entities should be known ahead of deployment? Most of the time you would permission based on groups and not user accounts? (users come and go, but groups remain stable). – Stein Åsmul Mar 30 '18 at 20:18
4

For those who want to get the SDDL string for registry key permissions, you can use PowerShell:

```powershell
Get-Acl -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion" | Format-List
```
arminb
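Building on both answers, the following added example (not code from either answer) reads the bare SDDL string from an existing object, builds a descriptor in memory without changing any file's ACL, and decodes the result back into readable entries. The `$env:SystemRoot` path, the two well-known group SIDs and the rights chosen are assumptions for illustration.

```powershell
# Added example. Requires Windows PowerShell 5.0 or later (ConvertFrom-SddlString).

# 1. Read only the SDDL string from existing objects.
#    The registry path is the one from the answer above; the directory is an assumption.
(Get-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').Sddl
(Get-Acl -Path $env:SystemRoot).Sddl

# 2. Build a descriptor in memory instead of editing a real file's Security tab.
$sd = New-Object System.Security.AccessControl.DirectorySecurity
$sd.SetAccessRuleProtection($true, $false)   # protected DACL, no inherited ACEs kept

# Well-known SIDs are used so the script does not depend on localized group names.
$grants = [ordered]@{
    'S-1-5-32-544' = 'FullControl'      # BUILTIN\Administrators
    'S-1-5-32-545' = 'ReadAndExecute'   # BUILTIN\Users
}
foreach ($sidText in $grants.Keys) {
    $sid  = New-Object System.Security.Principal.SecurityIdentifier($sidText)
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $sid, $grants[$sidText], 'ContainerInherit, ObjectInherit', 'None', 'Allow'
    $sd.AddAccessRule($rule)
}

# 'Access' emits only the DACL section (D:...); use 'All' to include owner, group and SACL.
$sddl = $sd.GetSecurityDescriptorSddlForm('Access')
$sddl

# 3. Decode the string again to confirm it grants what was intended before deploying it.
(ConvertFrom-SddlString -Sddl $sddl -Type FileSystemRights).DiscretionaryAcl
```

For registry permissions, the same pattern applies with `System.Security.AccessControl.RegistrySecurity`, `RegistryAccessRule` and `-Type RegistryRights`.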