Information:
This is a quick primer on how to read an SDDL string. After reading this summary, use the links to obtain more detailed information on the SDDL format. Most of this information is taken directly from the Microsoft link provided.
See Security Descriptor String Format in the Microsoft MSDN for more detailed information.
http://msdn2.microsoft.com/en-us/library/aa379570.aspx
The following is an example SDDL string taken from the Security Event Log CustomSD registry key.
O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0005;;;SY)(A;;0x5;;;BA)
To see the various parts more easily, here is the same string broken up visually:
O:BA G:SY D:(D;;0xf0007;;;AN) (D;;0xf0007;;;BG) (A;;0xf0005;;;SY) (A;;0x5;;;BA)
Using this visual breakdown you can better see the parts of the string. While this example contains only three parts (O, G and D), there can be four.
4 Main Parts Format
This section shows the string headers (O, G, D, S) and the type of string that follows each header (SID or ACE). See the respective SID String or ACE String section for further information on these strings.
O: SID string
G: SID string
D: ACE String
S: ACE String (optional)
4 Main Parts of the SDDL Explained
O: = Owner
G: = Group
D: = DACL (Discretionary Access Control List)
S: = SACL (Security Access Control List) (optional)
SID String Chart
See the following in the Microsoft MSDN
http://msdn2.microsoft.com/en-us/library/aa379602.aspx
Common SID Strings
SID string   Account alias
"AN" Anonymous logon
"AU" Authenticated users
"BA" Built-in administrators
"BG" Built-in guests
"BU" Built-in users
"CO" Creator owner
"DA" Domain administrators
"DG" Domain guests
"DU" Domain users
"EA" Enterprise administrators
"WD" Everyone
"IU" Interactively logged-on user
"LA" Local administrator
"LG" Local guest
"LS" Local service account
"SY" Local system
"NU" Network logon user
"NS" Network service account
"PU" Power users
"RD" Terminal server users (Remote Desktop)
ACE String Format
See the following in the Microsoft MSDN
http://msdn2.microsoft.com/en-us/library/aa374928.aspx
Basic Format
ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid
ace_type
A string that indicates the value of the AceType member of the ACE_HEADER structure.
Common ACE_Type Strings
ACE type string   Description
"A" Access allowed (SDDL_ACCESS_ALLOWED)
"D" Access denied (SDDL_ACCESS_DENIED)
ace_flags
A string that indicates the value of the AceFlags member of the ACE_HEADER structure. The ACE flags string can be a concatenation of the following strings defined in Sddl.h.
ACE flags string   Constant in Sddl.h
"IO" SDDL_INHERIT_ONLY
"ID" SDDL_INHERITED
Rights
A string that indicates the access rights controlled by the ACE. This string can be a hexadecimal string representation of the access rights, such as "0x7800003F", or it can be a concatenation of the following strings.
These values can be found in WinNT.h from the Platform SDK.
String   Constant   Value   Binary bit (counting from 0)
Standard access rights
"SD" DELETE 0x10000 Bit 16
"RC" READ_CONTROL 0x20000 Bit 17
"WD" WRITE_DAC 0x40000 Bit 18
"WO" WRITE_OWNER 0x80000 Bit 19
Generic Access Rights
"GR" GENERIC_READ 0x80000000 Bit 31
"GW" GENERIC_WRITE 0x40000000 Bit 30
"GX" GENERIC_EXECUTE 0x20000000 Bit 29
"GA" GENERIC_ALL 0x10000000 Bit 28
Registry Key Access Rights
http://msdn2.microsoft.com/en-us/library/ms724878.aspx
KEY_ALL_ACCESS (0xF003F) Combines the STANDARD_RIGHTS_REQUIRED, KEY_QUERY_VALUE, KEY_SET_VALUE, KEY_CREATE_SUB_KEY, KEY_ENUMERATE_SUB_KEYS, KEY_NOTIFY, and KEY_CREATE_LINK access rights.
KEY_READ (0x20019) Combines the STANDARD_RIGHTS_READ, KEY_QUERY_VALUE, KEY_ENUMERATE_SUB_KEYS, and KEY_NOTIFY values.
KEY_WRITE (0x20006) Combines the STANDARD_RIGHTS_WRITE, KEY_SET_VALUE, and KEY_CREATE_SUB_KEY access rights.
KEY_EXECUTE (0x20019) Equivalent to KEY_READ.
Example of a Rights Combination
0xf0007 combines bits 0, 1, 2, 16, 17, 18 and 19: the three lowest object-specific bits (low-order 16 bits) plus the four standard rights DELETE, READ_CONTROL, WRITE_DAC and WRITE_OWNER from the table above.
More Information on Rights
All securable objects arrange their access rights by using the access mask format described in the next paragraph.
In this format, the low-order 16 bits are for object-specific access rights, the next 8 bits are for standard access rights, which apply to most types of objects, and the 4 high-order bits are used to specify generic access rights that each object type can map to a set of standard and object-specific rights. The ACCESS_SYSTEM_SECURITY bit corresponds to the right to access the object's SACL.
object_guid
A string representation of a GUID that indicates the value of the ObjectType member of an object-specific ACE structure, such as ACCESS_ALLOWED_OBJECT_ACE. The GUID string uses the format returned by the UuidToString function.
The following table lists some commonly used object GUIDs.
Rights and GUID   Permission
CR;ab721a53-1e2f-11d0-9819-00aa0040529b Change password
CR;00299570-246d-11d0-a768-00aa006e0529 Reset password
inherit_object_guid
A string representation of a GUID that indicates the value of the InheritedObjectType member of an object-specific ACE structure. The GUID string uses the UuidToString format.
account_sid
SID string that identifies the trustee of the ACE. See the SID String Chart above for more information.
Summary
O:BA G:SY D:(D;;0xf0007;;;AN) (D;;0xf0007;;;BG) (A;;0xf0005;;;SY) (A;;0x5;;;BA)
Owner = Built-in Administrators
Group = Local System
DACL entries (ACEs), in order
Deny: Anonymous
Deny: Built-in Guests
Allow: Local System
Allow: Built-in Administrators
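The following parser is an added example, not code from the original page or from Microsoft. It turns an SDDL string of the form shown above into the owner, group and ACE fields described in the ACE String Format section, using this page's alias and rights charts, and answers the question the summary answers by hand: who is allowed a given right once the Deny entries are taken into account. It assumes the descriptor protects an event log (as the CustomSD example does), so the low object-specific bits are read as the ELF_LOGFILE_* rights from WinNT.h, which this page does not list.

```python
import re
# Aliases and rights tokens from this page's charts (Sddl.h / WinNT.h).
SID_ALIASES = {"AN": "Anonymous logon", "AU": "Authenticated users",
               "BA": "Built-in administrators", "BG": "Built-in guests",
               "BU": "Built-in users", "SY": "Local system", "WD": "Everyone"}
RIGHTS = {"SD": ("DELETE", 0x10000), "RC": ("READ_CONTROL", 0x20000),
          "WD": ("WRITE_DAC", 0x40000),  # "WD" in the rights field is WRITE_DAC, not Everyone
          "WO": ("WRITE_OWNER", 0x80000),
          "GR": ("GENERIC_READ", 0x80000000), "GW": ("GENERIC_WRITE", 0x40000000),
          "GX": ("GENERIC_EXECUTE", 0x20000000), "GA": ("GENERIC_ALL", 0x10000000)}
# Assumption: the descriptor protects an event log, so the object-specific low
# bits are the ELF_LOGFILE_* rights from WinNT.h (not listed on this page).
OBJECT_RIGHTS = {0x1: "ELF_LOGFILE_READ", 0x2: "ELF_LOGFILE_WRITE", 0x4: "ELF_LOGFILE_CLEAR"}

def parse_rights(rights):
    """Accept a hex mask ("0xf0007") or concatenated two-letter tokens ("RCWD")."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
    else:
        mask = 0
        for i in range(0, len(rights), 2):
            mask |= RIGHTS[rights[i:i + 2]][1]
    names = [name for name, bit in RIGHTS.values() if mask & bit]
    return mask, names + [name for bit, name in OBJECT_RIGHTS.items() if mask & bit]

def parse_ace(ace):
    """Fields: ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid"""
    ace_type, flags, rights, obj_guid, inh_guid, sid = ace.split(";")
    mask, names = parse_rights(rights)
    return {"type": {"A": "Allow", "D": "Deny"}.get(ace_type, ace_type),
            "flags": flags, "mask": mask, "rights": names, "object_guid": obj_guid,
            "inherit_object_guid": inh_guid, "trustee": SID_ALIASES.get(sid, sid)}

def parse_sddl(sddl):
    """Split the O:/G:/D:/S: components; D: and S: carry parenthesised ACEs."""
    sd = {"owner": None, "group": None, "dacl": [], "sacl": []}
    for header, body in re.findall(r"([OGDS]):(.*?)(?=[OGDS]:|$)", sddl):
        if header in "OG":
            sd["owner" if header == "O" else "group"] = SID_ALIASES.get(body, body)
        else:
            aces = [parse_ace(a) for a in re.findall(r"\(([^)]*)\)", body)]
            sd["dacl" if header == "D" else "sacl"] = aces
    return sd

def who_may(sd, right):
    """Trustees granted `right` by an Allow ACE and not named in a Deny ACE for it."""
    denied = {a["trustee"] for a in sd["dacl"] if a["type"] == "Deny" and right in a["rights"]}
    return [a["trustee"] for a in sd["dacl"] if a["type"] == "Allow"
            and right in a["rights"] and a["trustee"] not in denied]
# The CustomSD example string from this page.
EXAMPLE = "O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0005;;;SY)(A;;0x5;;;BA)"
```

Running parse_sddl(EXAMPLE) reproduces the summary above; who_may(parse_sddl(EXAMPLE), "ELF_LOGFILE_WRITE") returns an empty list, showing that none of the four ACEs grants write access to the log.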