2.5.1.4 SDDL String to Binary Security Descriptor Examples

The following SDDL string: "O:BAG:BAD:P(A;CIOI;GRGX;;;BU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)S:P(AU;FA;GR;;;WD)"

yields the following, which is an encoded output of the security descriptor in self-relative form ordered as little-endian.

  
 00000000  01 00 14 b0 90 00 00 00 a0 00 00 00 14 00 00 00  ................
 00000010  30 00 00 00 02 00 1c 00 01 00 00 00 02 80 14 00  0...............
 00000020  00 00 00 80 01 01 00 00 00 00 00 01 00 00 00 00  ................
 00000030  02 00 60 00 04 00 00 00 00 03 18 00 00 00 00 a0  ..'.............
 00000040  01 02 00 00 00 00 00 05 20 00 00 00 21 02 00 00  ........ ...!...
 00000050  00 03 18 00 00 00 00 10 01 02 00 00 00 00 00 05  ................
 00000060  20 00 00 00 20 02 00 00 00 03 14 00 00 00 00 10   ... ...........
 00000070  01 01 00 00 00 00 00 05 12 00 00 00 00 03 14 00  ................
 00000080  00 00 00 10 01 01 00 00 00 00 00 03 00 00 00 00  ................
 00000090  01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00  ........ ... ...
 000000a0  01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00  ........ ... ...
  

The SECURITY_DESCRIPTOR starts with the SD revision number (1 byte long) at address 0x00, followed by reserved bits and the SD control flags (2 bytes long). As mentioned previously, this is followed by owner, group, SACL, and DACL offsets.

 01 00 14 b0 90 00 00 00 a0 00 00 00 14 00 00 00 
  
  


Figure 6: Security descriptor field offsets example

Control Flags

Control flags for the DACL are represented as a bitmask, and the resultant set of flags is computed by a logical OR of the flags. In this example, the control flag value is set to the following.

 1011000000010100
  
  

This control flag value maps to the meaning that is shown in the following table. The rows run from the least significant (rightmost) bit of the value to the most significant.

| BIT | Meaning |
|---|---|
| 0 | OD: Owner defaulted |
| 0 | GD: Group defaulted |
| 1 | DP: DACL present |
| 0 | DD: DACL defaulted |
| 1 | SP: SACL present |
| 0 | SD: SACL defaulted |
| 0 | SS: Server Security |
| 0 | DT: DACL Trusted |
| 0 | DR: DACL Inheritance Required |
| 0 | SR: Inheritance Required |
| 0 | DI: DACL auto-inherited |
| 0 | SI: SACL auto-inherited |
| 1 | PD: DACL-protected |
| 1 | PS: SACL-protected |
| 0 | RM: Control Valid |
| 1 | SR: Self-Relative |

SACL

The control flags are followed by the SACL, which in this example is "S:P(AU;FA;GR;;;WD)".

DACL

The SACL is followed by the SECURITY_DESCRIPTOR DACL, which in this example is:

 (A;CIOI;GRGX;;;BU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)
  
  

Note: The string representation for the DACL (D:) and the DACL control flags are consumed not as part of the DACL structure in the SD, but instead as the security descriptor control flags. The same applies for SACL.


Figure 7: Security access control list data example

The ACL can be further dissected into the ACL header and the individual ACEs. For more information, see section 2.4.5.

ACL HEADER

 02 00 60 00 04 00 00 00
 AclRevision (1 byte): 0x02
 Reserved            : 0x00
 AclSize             : 0x0060
 AceCount            : 0x0004
 Reserved            : 0x0000
  

ACE Structure

This is followed by the ACEs in the ACL. For more information about the ACE structure, see section 2.4.4.1.

In this example, there are four ACEs for the DACL.

 (A;CIOI;GRGX;;;BU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)
  

First, look at the first access control entry (ACE) as an example. "(A;CIOI;GRGX;;;BU)" maps to the following in the binary structure (in little-endian order).

  
 00 03 18 00 00 00 00 a0 01 02 00 00 00 00 00 05-20 00 00 00 21 02 00 00
  


Figure 8: ACE field offsets

Owner

The owner begins at offset 0x90. In this example, owner is set to "BA" (Built-in Admin).


Figure 9: ACE owner field offsets example

Group

The group begins at offset 0xA0. In this example, group is set to "BA" (Built-in Admin).


Figure 10: ACE group field offsets example
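
The walk-through in this section, carried out in code: an added example (not part of the Microsoft specification text) that parses the hex dump above by reading the 20-byte header, decoding the control bits, and following the four offsets to the SACL, DACL, owner and group. The function names are illustrative, and the ACE parser assumes the basic ACE layout (header, access mask, SID) that every ACE in this example uses.

```python
import struct

# The 176-byte self-relative security descriptor from the hex dump above.
SD = bytes.fromhex(
    "010014b090000000a0000000140000003000000002001c000100000002801400"
    "00000080010100000000000100000000020060000400000000031800000000a0"
    "0102000000000005200000002102000000031800000000100102000000000005"
    "2000000020020000000314000000001001010000000000051200000000031400"
    "0000001001010000000000030000000001020000000000052000000020020000"
    "01020000000000052000000020020000"
)

# Control bit names as listed in the table above, least significant bit first.
CONTROL_BITS = ["OD", "GD", "DP", "DD", "SP", "SD", "SS", "DT",
                "DR", "SR", "DI", "SI", "PD", "PS", "RM", "SR"]

def parse_sid(buf, off):
    """Decode the SID at buf[off:] into its S-R-A-S... string form."""
    if off + 8 > len(buf) or off + 8 + 4 * buf[off + 1] > len(buf):
        raise ValueError("SID runs past end of buffer")
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")  # 6 bytes, big-endian
    subs = struct.unpack_from(f"<{count}I", buf, off + 8)    # little-endian
    return "-".join(["S", str(rev), str(authority), *map(str, subs)])

def parse_acl(buf, off):
    """ACEs of the ACL at off; assumes the basic header+mask+SID ACE layout."""
    _rev, _sbz1, acl_size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    end, pos, aces = off + acl_size, off + 8, []
    for _ in range(ace_count):
        ace_type, ace_flags, ace_size, mask = struct.unpack_from("<BBHI", buf, pos)
        if ace_size < 8 or pos + ace_size > end:
            raise ValueError("ACE size is inconsistent with AclSize")
        aces.append((ace_type, ace_flags, mask, parse_sid(buf, pos + 8)))
        pos += ace_size
    return aces

def parse_sd(buf):
    """Parse the 20-byte header, then follow the four offsets it carries."""
    rev, _sbz1, control, owner, group, sacl, dacl = struct.unpack_from("<BBHIIII", buf, 0)
    if not control & 0x8000:
        raise ValueError("SR bit clear: descriptor is not self-relative")
    return {
        "revision": rev,
        "control": [n for i, n in enumerate(CONTROL_BITS) if control >> i & 1],
        "owner": parse_sid(buf, owner), "group": parse_sid(buf, group),
        "sacl": parse_acl(buf, sacl) if control & 0x10 and sacl else [],
        "dacl": parse_acl(buf, dacl) if control & 0x04 and dacl else [],
    }
```

Each ACE comes back as (AceType, AceFlags, access mask, SID). The SIDs correspond to the SDDL aliases in the example string: BU is S-1-5-32-545, BA is S-1-5-32-544, SY is S-1-5-18, CO is S-1-3-0 and WD is S-1-1-0.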

© 2015 Microsoft