Security Descriptor String Format
The Security Descriptor String Format is a text format for storing or transporting information in a security descriptor. The ConvertSecurityDescriptorToStringSecurityDescriptor and ConvertStringSecurityDescriptorToSecurityDescriptor functions use this format.
The format is a null-terminated string with tokens to indicate each of the four main components of a security descriptor: owner (O:), primary group (G:), DACL (D:), and SACL (S:).
Note
Access control entries (ACEs) and conditional ACEs have differing formats. For ACEs, see ACE Strings. For conditional ACEs, see Security Descriptor Definition Language for Conditional ACEs.
O:owner_sid
G:group_sid
D:dacl_flags(string_ace1)(string_ace2)... (string_acen)
S:sacl_flags(string_ace1)(string_ace2)... (string_acen)
-
owner_sid
-
A SID string that identifies the object's owner.
-
group_sid
-
A SID string that identifies the object's primary group.
-
dacl_flags
-
Security descriptor control flags that apply to the DACL. For a description of these control flags, see the SetSecurityDescriptorControl function. The dacl_flags string can be a concatenation of zero or more of the following strings.
Control Constant in Sddl.h Meaning "P" SDDL_PROTECTED The SE_DACL_PROTECTED flag is set. "AR" SDDL_AUTO_INHERIT_REQ The SE_DACL_AUTO_INHERIT_REQ flag is set. "AI" SDDL_AUTO_INHERITED The SE_DACL_AUTO_INHERITED flag is set. "NO_ACCESS_CONTROL" SDDL_NULL_ACL The ACL is null. Windows Server 2008, Windows Vista and Windows Server 2003: Not available. -
sacl_flags
-
Security descriptor control flags that apply to the SACL. The sacl_flags string uses the same control bit strings as the dacl_flags string.
-
string_ace
-
A string that describes an ACE in the security descriptor's DACL or SACL. For a description of the ACE string format, see ACE strings. Each ACE string is enclosed in parentheses (()).
Unneeded components can be omitted from the security descriptor string. For example, if the SE_DACL_PRESENT flag is not set in the input security descriptor, ConvertSecurityDescriptorToStringSecurityDescriptor does not include a D: component in the output string. You can also use the SECURITY_INFORMATION bit flags to indicate the components to include in a security descriptor string.
The security descriptor string format does not support NULL ACLs.
To denote an empty ACL, the security descriptor string includes the D: or S: token with no additional string information.
The security descriptor string stores the SECURITY DESCRIPTOR CONTROL bits in different ways. The SE_DACL_PRESENT or SE_SACL_PRESENT bits are indicated by the presence of the D: or S: token in the string. Other bits that apply to the DACL or SACL are stored in dacl_flags and sacl_flags. The SE_OWNER_DEFAULTED, SE_GROUP_DEFAULTED, SE_DACL_DEFAULTED, and SE_SACL_DEFAULTED bits are not stored in a security descriptor string. The SE_SELF_RELATIVE bit is not stored in the string, but ConvertStringSecurityDescriptorToSecurityDescriptor always sets this bit in the output security descriptor.
The following examples show security descriptor strings and the information in the associated security descriptors.
String 1:
"O:AOG:DAD:(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-0-0)"
Security Descriptor 1:
Revision: 0x00000001
Control: 0x0004
SE_DACL_PRESENT
Owner: (S-1-5-32-548)
PrimaryGroup: (S-1-5-21-397955417-626881126-188441444-512)
DACL
Revision: 0x02
Size: 0x001c
AceCount: 0x0001
Ace[00]
AceType: 0x00 (ACCESS_ALLOWED_ACE_TYPE)
AceSize: 0x0014
InheritFlags: 0x00
Access Mask: 0x100e003f
READ_CONTROL
WRITE_DAC
WRITE_OWNER
GENERIC_ALL
Others(0x0000003f)
Ace Sid : (S-1-0-0)
SACL
Not present
String 2:
"O:DAG:DAD:(A;;RPWPCCDCLCRCWOWDSDSW;;;SY)
(A;;RPWPCCDCLCRCWOWDSDSW;;;DA)
(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)
(OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)
(OA;;CCDC;6da8a4ff-0e52-11d0-a286-00aa003049e2;;AO)
(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)
(A;;RPLCRC;;;AU)S:(AU;SAFA;WDWOSDWPCCDCSW;;;WD)"
Security Descriptor 2:
Revision: 0x00000001
Control: 0x0014
SE_DACL_PRESENT
SE_SACL_PRESENT
Owner: (S-1-5-21-397955417-626881126-188441444-512)
PrimaryGroup: (S-1-5-21-397955417-626881126-188441444-512)
DACL
Revision: 0x04
Size: 0x0104
AceCount: 0x0007
Ace[00]
AceType: 0x00 (ACCESS_ALLOWED_ACE_TYPE)
AceSize: 0x0014
InheritFlags: 0x00
Access Mask: 0x000f003f
DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
Others(0x0000003f)
Ace Sid: (S-1-5-18)
Ace[01]
AceType: 0x00 (ACCESS_ALLOWED_ACE_TYPE)
AceSize: 0x0024
InheritFlags: 0x00
Access Mask: 0x000f003f
DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
Others(0x0000003f)
Ace Sid: (S-1-5-21-397955417-626881126-188441444-512)
Ace[02]
AceType: 0x05 (ACCESS_ALLOWED_OBJECT_ACE_TYPE)
AceSize: 0x002c
InheritFlags: 0x00
Access Mask: 0x00000003
Others(0x00000003)
Flags: 0x00000001, ACE_OBJECT_TYPE_PRESENT
ObjectType: GUID_C_USER
InhObjectType: GUID ptr is NULL
Ace Sid: (S-1-5-32-548)
Ace[03]
AceType: 0x05 (ACCESS_ALLOWED_OBJECT_ACE_TYPE)
AceSize: 0x002c
InheritFlags: 0x00
Access Mask: 0x00000003
Others(0x00000003)
Flags: 0x00000001, ACE_OBJECT_TYPE_PRESENT
ObjectType: GUID_C_GROUP
InhObjectType: GUID ptr is NULL
Ace Sid: (S-1-5-32-548)
Ace[04]
AceType: 0x05 (ACCESS_ALLOWED_OBJECT_ACE_TYPE)
AceSize: 0x002c
InheritFlags: 0x00
Access Mask: 0x00000003
Others(0x00000003)
Flags: 0x00000001, ACE_OBJECT_TYPE_PRESENT
ObjectType: GUID_C_LOCALGROUP
InhObjectType: GUID ptr is NULL
Ace Sid: (S-1-5-32-548)
Ace[05]
AceType: 0x05 (ACCESS_ALLOWED_OBJECT_ACE_TYPE)
AceSize: 0x002c
InheritFlags: 0x00
Access Mask: 0x00000003
Others(0x00000003)
Flags: 0x00000001, ACE_OBJECT_TYPE_PRESENT
ObjectType: GUID_C_PRINT_QUEUE
InhObjectType: GUID ptr is NULL
Ace Sid: (S-1-5-32-550)
Ace[06]
AceType: 0x00 (ACCESS_ALLOWED_ACE_TYPE)
AceSize: 0x0014
InheritFlags: 0x00
Access Mask: 0x00020014
READ_CONTROL
Others(0x00000014)
Ace Sid: (S-1-5-11)
SACL
Revision: 0x02
Size: 0x001c
AceCount: 0x0001
Ace[00]
AceType: 0x02 (SYSTEM_AUDIT_ACE_TYPE)
AceSize: 0x0014
InheritFlags: 0xc0
SUCCESSFUL_ACCESS_ACE_FLAG
FAILED_ACCESS_ACE_FLAG
Access Mask: 0x000d002b
DELETE
WRITE_DAC
WRITE_OWNER
Others(0x0000002b)
Ace Sid: (S-1-1-0)
Related topics
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for