The Security Descriptor Definition Language of Love (Part 2)
Hi. Jim here from DS here with a follow up to my SDDL blog part I. At the end of my last post I promised to dissect further the SDDL output returned by running the CACLS with the /S switch on tools share as follows:
Here is the output exported to a .txt file:
"D:AI(D;OICI;FA;;;BG)(A;;FA;;;BA)(A;OICIID;FA;;;BA)(A;OICIID;FA;;;SY)(A;OICIIOID;GA;;;CO)(A;OICIID;0x1200a9;;;BU)(A;CIID;LC;;;BU)(A;CIID;DC;;;BU)"
Let’s examine the first segment more closely: "D:AI(D;OICI;FA;;;BG)(A;;FA;;;BA)
Now the second ACE segment: (A;:FA;;;BA)
You get the picture. There is a chart provided at the end which contains all the acronyms in addition to the ones illustrated in this output.
At this point you may be asking why there are there two different ACE entries for Built-in Administrators. The first ACE indicates the ACE applied directly to the object (In this case TOOLS for the BA’s). The second ACE indicates the ACE’s for this object that flow down from TOOLS via inheritance.
This is illustrated in the Permissions tab of Advanced Security Settings for the TOOLS share:
![clip_image002[5]](https://msdntnarchive.blob.core.windows.net/media/TNBlogsFS/BlogFileStorage/blogs_technet/askds/WindowsLiveWriter/TheSecurityDescriptorDefinitionLanguageo_AFCE/clip_image002%5B5%5D.jpg)
Now you may well be wondering “Jim, how can I use this SDDL wonderment to make my administrative tasks less tedious?"
Well here is an example on how you can do just that.
Scenario: Its Friday at 3pm. You have to deploy 10 printers to the call center. Every single printer should have the exact same security settings for access (oversimplified yes, but you get the point). You need to get this done expediently so as not to miss happy hour. All the printers are IP’d and are installed on your print server. You have applied the necessary security on one printer as follows:
Using the SETPRINTER utility you can view the security applied in SDDL format as follows:
Here is the command as well as the output:
C:\>setprinter -show \\2003dom-member\printer1 3
pSecurityDescriptor="O:BAG:DUD:(A;;LCSWSDRCWDWO;;;BA)(A;OIIO;RPWPSDRCWDWO;;;BA)(A;;SWRC;;;S-1-5-21-329599412-2737779004-1408050790-2604)(A;CIIO;RC;;;CO)(A;OIIO;RPWPSDRCWDWO;;;CO)(A;CIIO;RC;;;S-1-5-21-329599412-2737779004-1408050790-2605)(A;OIIO;RPWPSDRCWDWO;;;S-1-5-21-329599412-2737779004-1408050790-2605)(A;;SWRC;;;S-1-5-21-329599412-2737779004-1408050790-2605)(A;;LCSWSDRCWDWO;;;PU)(A;OIIO;RPWPSDRCWDWO;;;PU)"
Now create yourself a .CMD file containing the following parameters remembering of course to substitute your Print server name and your printer names where indicated. Also be sure NOT to wrap your SDDL parameters as below. This is done here purely for readability. The entire command should be on one line :
setprinter \\”Print_Server_Name”\printer1 3 pSecurityDescriptor="O:BAG:DUD:(A;;LCSWSDRCWDWO;;;BA)(A;OIIO;RPWPSDRCWDWO;;;BA)(A;;SWRC;;;S-1-5-21-329599412-2737779004-1408050790-2604)(A;CIIO;RC;;;CO)(A;OIIO;RPWPSDRCWDWO;;;CO)(A;CIIO;RC;;;S-1-5-21-329599412-2737779004-1408050790-2605)(A;OIIO;RPWPSDRCWDWO;;;S-1-5-21-329599412-2737779004-1408050790-2605)(A;;SWRC;;;S-1-5-21-329599412-2737779004-1408050790-2605)(A;;LCSWSDRCWDWO;;;PU)(A;OIIO;RPWPSDRCWDWO;;;PU)"
setprinter \\”Print_Server_Name”\printer2 3 pSecurityDescriptor="O:BAG:DUD:(A;;LCSWSDRCWDWO;;;BA)(A;OIIO;RPWPSDRCWDWO;;;BA)(A;;SWRC;;;S-1-5-21-329599412-2737779004-1408050790-2604)(A;CIIO;RC;;;CO)(A;OIIO;RPWPSDRCWDWO;;;CO)(A;CIIO;RC;;;S-1-5-21-329599412-2737779004-1408050790-2605)(A;OIIO;RPWPSDRCWDWO;;;S-1-5-21-329599412-2737779004-1408050790-2605)(A;;SWRC;;;S-1-5-21-329599412-2737779004-1408050790-2605)(A;;LCSWSDRCWDWO;;;PU)(A;OIIO;RPWPSDRCWDWO;;;PU)"
setprinter \\”Print_Server_Name”\printer3 3 pSecurityDescriptor="O:BAG:DUD:(A;;LCSWSDRCWDWO;;;BA)(A;OIIO;RPWPSDRCWDWO;;;BA)(A;;SWRC;;;S-1-5-21-329599412-2737779004-1408050790-2604)(A;CIIO;RC;;;CO)(A;OIIO;RPWPSDRCWDWO;;;CO)(A;CIIO;RC;;;S-1-5-21-329599412-2737779004-1408050790-2605)(A;OIIO;RPWPSDRCWDWO;;;S-1-5-21-329599412-2737779004-1408050790-2605)(A;;SWRC;;;S-1-5-21-329599412-2737779004-1408050790-2605)(A;;LCSWSDRCWDWO;;;PU)(A;OIIO;RPWPSDRCWDWO;;;PU)"
end
exit
You may add as many similarly configured printers as you like.
Included below are charts for the acronyms of the SDDL taken directly from MSDN2. These can also be viewed here:
https://msdn2.microsoft.com/en-us/library/aa374928.aspx
ACE Type
The ACE type designates whether the trustee is allowed, denied or audited.
Value |
Description |
"A" |
ACCESS ALLOWED |
"D" |
ACCESS DENIED |
"OA" |
OBJECT ACCESS ALLOWED: ONLY APPLIES TO A SUBSET OF THE OBJECT(S). |
"OD" |
OBJECT ACCESS DENIED: ONLY APPLIES TO A SUBSET OF THE OBJECT(S). |
"AU" |
SYSTEM AUDIT |
"A" |
SYSTEM ALARM |
"OU" |
OBJECT SYSTEM AUDIT |
"OL" |
OBJECT SYSTEM ALARM |
INHERITANCE Flags
| "P | SDDL_PROTECTED | Inheritance from containers that are higher in the folder hierarchy are blocked. |
| "AI" | SDDL_AUTO_INHERITED | Inheritance is allowed, assuming that "P" Is not also set. |
| "AR" | SDDL_AUTO_INHERIT_REQ | Child objects inherit permissions from this object. |
ACE Flags The ACE flags denote the inheritance options for the ACE, and if it is a SACL, the audit settings.
Value |
Description |
"CI" |
CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit ACE. |
"OI" |
OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE. |
"NP" |
NO PROPAGATE: ONLY IMMEDIATE CHILDREN INHERIT THIS ACE. |
"IO" |
INHERITANCE ONLY: ACE DOESN'T APPLY TO THIS OBJECT, BUT MAY AFFECT CHILDREN VIA INHERITANCE. |
"ID" |
ACE IS INHERITED |
"SA" |
SUCCESSFUL ACCESS AUDIT |
"FA" |
FAILED ACCESS AUDIT |
Permissions
The Permissions are a list of the incremental permissions given (or denied/audited) to the trustee-these correspond to the permissions discussed earlier and are simply appended together. However, the incremental permissions are not the only permissions available. The table below lists all the permissions.
|
Value |
Description |
|
Generic access rights |
|
|
"GA" |
GENERIC ALL |
|
"GR" |
GENERIC READ |
|
"GW" |
GENERIC WRITE |
|
"GX" |
GENERIC EXECUTE |
|
Directory service access rights |
|
|
"RC" |
Read Permissions |
|
"SD" |
Delete |
|
"WD" |
Modify Permissions |
|
"WO" |
Modify Owner |
|
"RP" |
Read All Properties |
|
"WP" |
Write All Properties |
|
"CC" |
Create All Child Objects |
|
"DC" |
Delete All Child Objects |
|
"LC" |
List Contents |
|
"SW" |
All Validated Writes |
|
"LO" |
List Object |
|
"DT" |
Delete Subtree |
|
"CR" |
All Extended Rights |
|
File access rights |
|
|
"FA" |
FILE ALL ACCESS |
|
"FR" |
FILE GENERIC READ |
|
"FW" |
FILE GENERIC WRITE |
|
"FX" |
FILE GENERIC EXECUTE |
|
Registry key access rights |
|
|
"KA" |
KEY ALL ACCESS |
|
"K" |
KEY READ |
|
"KW" |
KEY WRITE |
|
"KX" |
KEY EXECUTE |
Object Type and Inherited Object Type
Trustee The Trustee is the SID of the user or group being given access (or denied or audited). Instead of a SID, there are several commonly used acronyms for well-known SIDs. These are listed in the table below:
Value |
Description |
"AO" |
Account operators |
"RU" |
Alias to allow previous Windows 2000 |
"AN" |
Anonymous logon |
"AU" |
Authenticated users |
"BA" |
Built-in administrators |
"BG" |
Built-in guests |
"BO" |
Backup operators |
"BU" |
Built-in users |
"CA" |
Certificate server administrators |
"CG" |
Creator group |
"CO" |
Creator owner |
"DA" |
Domain administrators |
"DC" |
Domain computers |
"DD" |
Domain controllers |
"DG" |
Domain guests |
"DU" |
Domain users |
"EA" |
Enterprise administrators |
"ED" |
Enterprise domain controllers |
"WD" |
Everyone |
"PA" |
Group Policy administrators |
"IU" |
Interactively logged-on user |
"LA" |
Local administrator |
"LG" |
Local guest |
"LS" |
Local service account |
"SY" |
Local system |
"NU" |
Network logon user |
"NO" |
Network configuration operators |
"NS" |
Network service account |
"PO" |
Printer operators |
"PS" |
Personal self |
"PU" |
Power users |
"RS" |
RAS servers group |
"RD" |
Terminal server users |
"RE" |
Replicator |
"RC" |
Restricted code |
"SA" |
Schema administrators |
"SO" |
Server operators |
"SU" |
Service logon user |
I hope you have found this entertaining and informative!
- Jim Tierney
The ObjectType is a GUID that Identifies a type of child object, a property or property set or an extended right. If present it limits the ACE to the object the GUID represents. For a more verbose explanation of this please visit the following link -
Inherited Object Type contains a GUID that identifies the type of child object that can inherit the ACE. Inheritance is also controlled by the ACE's Inheritance Flags and by any protection against inheritance placed on the child object in its Security Descriptor Control Flags.