
Security Descriptor Definition Language

The security descriptor definition language (SDDL) defines the string format that the ConvertSecurityDescriptorToStringSecurityDescriptor and ConvertStringSecurityDescriptorToSecurityDescriptor functions use to describe a security descriptor as a text string. The language also defines string elements for describing information in the components of a security descriptor.

Note: Access control entries (ACEs) and conditional ACEs have differing formats. For ACEs, see ACE Strings. For conditional ACEs, see Security Descriptor Definition Language for Conditional ACEs.
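The page names the two Win32 functions that convert between a binary security descriptor and its SDDL text form but does not show the string layout itself. The following is an added example, not code from this page or from Microsoft: a small Python parser and serializer that models that string-to-structure round trip for the common SDDL elements only (an assumption of the example): the O:, G:, D: and S: sections, the P, AR and AI ACL control flags, and ACE strings of the form (type;flags;rights;object_guid;inherit_object_guid;sid). A seventh ACE field, as used by conditional ACEs, is carried as raw text rather than parsed. The sample descriptor in the block is constructed for illustration.

```python
"""Minimal SDDL parser/serializer (added example; not Microsoft's code).

Assumptions: handles only the O:/G:/D:/S: sections, the P / AR / AI
ACL control flags and six-field ACE strings. A seventh ACE field (the
conditional-ACE expression) is kept as raw text, not parsed.
"""
from dataclasses import dataclass
from typing import List, Optional, Union

SD_FLAG_TOKENS = {"P", "AR", "AI"}                     # ACL control flags
ACE_FLAG_TOKENS = {"CI", "OI", "NP", "IO", "ID", "SA", "FA"}
RIGHTS_TOKENS = {                                      # two-letter right aliases
    "GA", "GR", "GW", "GX",                            # generic
    "RC", "SD", "WD", "WO",                            # standard
    "RP", "WP", "CC", "DC", "LC", "SW", "LO", "DT", "CR",  # directory object
    "FA", "FR", "FW", "FX",                            # file
    "KA", "KR", "KW", "KX",                            # registry key
}


@dataclass
class Ace:
    ace_type: str
    flags: List[str]
    rights: Union[int, List[str]]     # raw hex access mask, or list of aliases
    object_guid: str
    inherit_object_guid: str
    sid: str
    condition: Optional[str] = None   # raw 7th field of a conditional ACE


@dataclass
class Acl:
    flags: List[str]
    aces: List[Ace]


@dataclass
class SecurityDescriptor:
    owner: Optional[str] = None
    group: Optional[str] = None
    dacl: Optional[Acl] = None
    sacl: Optional[Acl] = None


def _tokenize(text, vocab):
    """Split concatenated aliases such as 'OICI' into known tokens."""
    out, i = [], 0
    while i < len(text):
        for size in (2, 1):                 # try two-letter tokens before 'P'
            if text[i:i + size] in vocab:
                out.append(text[i:i + size])
                i += size
                break
        else:
            raise ValueError(f"unknown token near {text[i:]!r}")
    return out


def _split_sections(sddl):
    """Map section letter (O/G/D/S) to its body; 'X:' counts only outside parentheses."""
    sections, depth, current, start, i = {}, 0, None, 0, 0
    while i < len(sddl):
        ch = sddl[i]
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif depth == 0 and ch in "OGDS" and sddl[i + 1:i + 2] == ":":
            if current is not None:
                sections[current] = sddl[start:i]
            current, start, i = ch, i + 2, i + 2
            continue
        i += 1
    if current is not None:
        sections[current] = sddl[start:]
    return sections


def _split_aces(body):
    """Return the text inside each top-level (...) group of an ACL body."""
    aces, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        if ch == "(":
            if depth == 0:
                start = i + 1
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                aces.append(body[start:i])
    return aces


def _parse_ace(text):
    fields = text.split(";")
    if len(fields) not in (6, 7):
        raise ValueError(f"malformed ACE string: {text!r}")
    r = fields[2]
    rights = int(r, 16) if r.lower().startswith("0x") else _tokenize(r, RIGHTS_TOKENS)
    return Ace(fields[0], _tokenize(fields[1], ACE_FLAG_TOKENS), rights,
               fields[3], fields[4], fields[5], fields[6] if len(fields) == 7 else None)


def _parse_acl(body):
    flag_text = body.split("(", 1)[0]       # control flags precede the first ACE
    return Acl(_tokenize(flag_text, SD_FLAG_TOKENS), [_parse_ace(a) for a in _split_aces(body)])


def parse_sddl(sddl):
    s = _split_sections(sddl.strip())
    return SecurityDescriptor(owner=s.get("O"), group=s.get("G"),
                              dacl=_parse_acl(s["D"]) if "D" in s else None,
                              sacl=_parse_acl(s["S"]) if "S" in s else None)


def format_sddl(sd):
    """Inverse of parse_sddl for the elements handled above."""
    def acl(key, a_list):
        if a_list is None:
            return ""
        out = key + ":" + "".join(a_list.flags)
        for a in a_list.aces:
            rights = f"0x{a.rights:x}" if isinstance(a.rights, int) else "".join(a.rights)
            fields = [a.ace_type, "".join(a.flags), rights, a.object_guid, a.inherit_object_guid, a.sid]
            if a.condition is not None:
                fields.append(a.condition)
            out += "(" + ";".join(fields) + ")"
        return out
    return (("O:" + sd.owner) if sd.owner else "") + (("G:" + sd.group) if sd.group else "") \
        + acl("D", sd.dacl) + acl("S", sd.sacl)


if __name__ == "__main__":
    # Constructed sample: owner BA, group SY, protected auto-inherited DACL, audit ACE in SACL.
    sample = "O:BAG:SYD:PAI(A;;FA;;;SY)(A;;FA;;;BA)(A;OICI;0x1200a9;;;BU)S:AI(AU;SAFA;FA;;;WD)"
    sd = parse_sddl(sample)
    for ace in sd.dacl.aces:
        print(ace)
    assert format_sddl(sd) == sample     # string -> structure -> string round trip
```

Because the parser tracks parenthesis depth, the section letters O/G/D/S are only recognised outside ACE strings, so a SID such as S-1-5-32-544 inside an ACE is never mistaken for a SACL marker. Exposing the ACL control flags as a list makes it straightforward to check whether a descriptor carries AR together with AI before applying it through a low-level API.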

Related topics

Security Descriptor String Format
Security Descriptor Definition Language for Conditional ACEs
ACE Strings
SID Strings


Build date: 3/7/2012

SDDL semantics will vary by context

Note: When an SDDL string is applied to a securable object the semantics will vary depending on the context. For example the high-level security APIs (SetNamedSecurityInfo, SetSecurityInfo) will apply the SDDL using cascade propagation while ignoring the AI and AR flags. However, if you round-trip using the low-level security APIs (e.g., GetFileSecurity/SetFileSecurity or RegGetKeySecurity/RegSetKeySecurity) the AI flag will be honored iff you include AR ("D:ARAI(A;OICI;FA;;;BU)").

Very Clear Explanation of SDDL

For more information and a great explanation on SDDL see:

http://blogs.dirteam.com/blogs/jorge/archive/2008/03/26/parsing-sddl-strings.aspx