18

Is there a tool to generate SDDL (Security Descriptor Definition Language) strings? I'd like to create them through Windows' Security property sheet or something similar.

Ilya

2 Answers

19

One way is to set the ACL on a file (using the standard property sheet -- i.e. right click and choose Properties, then go to the Security tab), then use `CACLS filename /S` to display the resulting ACL in the SDDL format.

Ilya
  • This is a really good tip to construct SDDL if you don't want to go through the complex SDDL syntax to format it. I like it. :-) – Sitaram Pamarthi Jun 26 '12 at 12:22
  • Will not work for custom (non in-built) user accounts. – Ajay Apr 28 '17 at 09:22
  • @Ajay - Would it work for [AD-accounts and groups](https://en.wikipedia.org/wiki/Active_Directory) as well as built-in groups? For stable environments the identifiers of AD-entities should be known ahead of deployment? Most of the time you would permission based on groups and not user accounts? (users come and go, but groups remain stable). – Stein Åsmul Mar 30 '18 at 20:18
7

For those who want to get the SDDL string for registry key permissions, you can use PowerShell:

```powershell
Get-Acl -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion" | Format-List
```

arminb
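
A scripted alternative to the approaches in the answers above, as an added example that is not part of either answer: it builds a directory ACL in memory with .NET's access-control classes, emits the SDDL string, and decodes that string again so the result can be reviewed before it is used anywhere. The principals and rights chosen here are illustrative assumptions; nothing on disk or in the registry is modified.

```powershell
# Added example: generate an SDDL string without touching a real file or key.
# Well-known SIDs are used so the script does not depend on local account names.
$sidType = [System.Security.Principal.WellKnownSidType]
$admins  = New-Object System.Security.Principal.SecurityIdentifier($sidType::BuiltinAdministratorsSid, $null)
$users   = New-Object System.Security.Principal.SecurityIdentifier($sidType::BuiltinUsersSid, $null)

# Empty in-memory descriptor; protect the DACL so no inherited ACEs are merged in.
$sd = New-Object System.Security.AccessControl.DirectorySecurity
$sd.SetAccessRuleProtection($true, $false)
$sd.SetOwner($admins)

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp  = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

# Illustrative policy: administrators get full control, users get read/execute.
$sd.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $admins, 'FullControl', $inherit, $noProp, $allow)))
$sd.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $users, 'ReadAndExecute', $inherit, $noProp, $allow)))

# Emit only the owner and DACL sections as SDDL.
$sddl = $sd.GetSecurityDescriptorSddlForm('Owner, Access')
"SDDL: $sddl"

# Decode the string again and list each ACE in readable form as a review step.
$raw = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
foreach ($ace in $raw.DiscretionaryAcl) {
    [pscustomobject]@{
        Type      = $ace.AceType
        Principal = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value
        Rights    = [System.Security.AccessControl.FileSystemRights]$ace.AccessMask
        Inherit   = $ace.InheritanceFlags
    }
}
```

The decoded list is the thing to check: an SDDL string that grants more than intended is much easier to spot there than in the raw string.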