ConvertStringSecurityDescriptorToSecurityDescriptor

Security Descriptor String Format
ConvertStringSecurityDescriptorToSecurityDescriptor
O:owner_sid
G:group_sid
D:dacl_flags(string_ace1)(string_ace2)... (string_acen)
S:sacl_flags(string_ace1)(string_ace2)... (string_acen)
Control	Constant in Sddl.h	Meaning
"P"	SDDL_PROTECTED	The SE_DACL_PROTECTED flag is set.
"AR"	SDDL_AUTO_INHERIT_REQ	The SE_DACL_AUTO_INHERIT_REQ flag is set.
"AI"	SDDL_AUTO_INHERITED	The SE_DACL_AUTO_INHERITED flag is set.
"NO_ACCESS_CONTROL"	SSDL_NULL_ACL	The ACL is null.
ACE Strings
ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid;(resource_attribute)
ACE type string	Constant in Sddl.h	AceType value
"A"	SDDL_ACCESS_ALLOWED	ACCESS_ALLOWED_ACE_TYPE
"D"	SDDL_ACCESS_DENIED	ACCESS_DENIED_ACE_TYPE
"OA"	SDDL_OBJECT_ACCESS_ALLOWED	ACCESS_ALLOWED_OBJECT_ACE_TYPE
"OD"	SDDL_OBJECT_ACCESS_DENIED	ACCESS_DENIED_OBJECT_ACE_TYPE
"AU"	SDDL_AUDIT	SYSTEM_AUDIT_ACE_TYPE
"AL"	SDDL_ALARM	SYSTEM_ALARM_ACE_TYPE
"OU"	SDDL_OBJECT_AUDIT	SYSTEM_AUDIT_OBJECT_ACE_TYPE
"OL"	SDDL_OBJECT_ALARM	SYSTEM_ALARM_OBJECT_ACE_TYPE
"ML"	SDDL_MANDATORY_LABEL	SYSTEM_MANDATORY_LABEL_ACE_TYPE
"XA"	SDDL_CALLBACK_ACCESS_ALLOWED	ACCESS_ALLOWED_CALLBACK_ACE_TYPEWindows Vista and Windows Server 2003:  Not available.
"XD"	SDDL_CALLBACK_ACCESS_DENIED	ACCESS_DENIED_CALLBACK_ACE_TYPEWindows Vista and Windows Server 2003:  Not available.
"RA"	SDDL_RESOURCE_ATTRIBUTE	SYSTEM_RESOURCE_ATTRIBUTE_ACE_TYPEWindows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista, and Windows Server 2003:  Not available.
"SP"	SDDL_SCOPED_POLICY_ID	SYSTEM_SCOPED_POLICY_ID_ACE_TYPEWindows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista, and Windows Server 2003:  Not available.
"XU"	SDDL_CALLBACK_AUDIT	SYSTEM_AUDIT_CALLBACK_ACE_TYPEWindows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista, and Windows Server 2003:  Not available.
"ZA"	SDDL_CALLBACK_OBJECT_ACCESS_ALLOWED	ACCESS_ALLOWED_CALLBACK_ACE_TYPEWindows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista, and Windows Server 2003:  Not available.
ACE flags string	Constant in Sddl.h	AceFlag value
"CI"	SDDL_CONTAINER_INHERIT	CONTAINER_INHERIT_ACE
"OI"	SDDL_OBJECT_INHERIT	OBJECT_INHERIT_ACE
"NP"	SDDL_NO_PROPAGATE	NO_PROPAGATE_INHERIT_ACE
"IO"	SDDL_INHERIT_ONLY	INHERIT_ONLY_ACE
"ID"	SDDL_INHERITED	INHERITED_ACE
"SA"	SDDL_AUDIT_SUCCESS	SUCCESSFUL_ACCESS_ACE_FLAG
"FA"	SDDL_AUDIT_FAILURE	FAILED_ACCESS_ACE_FLAG
Access rights string	Constant in Sddl.h	Access right value
Generic access rights
"GA"	SDDL_GENERIC_ALL	GENERIC_ALL
"GR"	SDDL_GENERIC_READ	GENERIC_READ
"GW"	SDDL_GENERIC_WRITE	GENERIC_WRITE
"GX"	SDDL_GENERIC_EXECUTE	GENERIC_EXECUTE
Standard access rights
"RC"	SDDL_READ_CONTROL	READ_CONTROL
"SD"	SDDL_STANDARD_DELETE	DELETE
"WD"	SDDL_WRITE_DAC	WRITE_DAC
"WO"	SDDL_WRITE_OWNER	WRITE_OWNER
Directory service object access rights
"RP"	SDDL_READ_PROPERTY	ADS_RIGHT_DS_READ_PROP
"WP"	SDDL_WRITE_PROPERTY	ADS_RIGHT_DS_WRITE_PROP
"CC"	SDDL_CREATE_CHILD	ADS_RIGHT_DS_CREATE_CHILD
"DC"	SDDL_DELETE_CHILD	ADS_RIGHT_DS_DELETE_CHILD
"LC"	SDDL_LIST_CHILDREN	ADS_RIGHT_ACTRL_DS_LIST
"SW"	SDDL_SELF_WRITE	ADS_RIGHT_DS_SELF
"LO"	SDDL_LIST_OBJECT	ADS_RIGHT_DS_LIST_OBJECT
"DT"	SDDL_DELETE_TREE	ADS_RIGHT_DS_DELETE_TREE
"CR"	SDDL_CONTROL_ACCESS	ADS_RIGHT_DS_CONTROL_ACCESS
File access rights
"FA"	SDDL_FILE_ALL	FILE_ALL_ACCESS
"FR"	SDDL_FILE_READ	FILE_GENERIC_READ
"FW"	SDDL_FILE_WRITE	FILE_GENERIC_WRITE
"FX"	SDDL_FILE_EXECUTE	FILE_GENERIC_EXECUTE
Registry key access rights
"KA"	SDDL_KEY_ALL	KEY_ALL_ACCESS
"KR"	SDDL_KEY_READ	KEY_READ
"KW"	SDDL_KEY_WRITE	KEY_WRITE
"KX"	SDDL_KEY_EXECUTE	KEY_EXECUTE
Mandatory label rights
"NR"	SDDL_NO_READ_UP	SYSTEM_MANDATORY_LABEL_NO_READ_UP
"NW"	SDDL_NO_WRITE_UP	SYSTEM_MANDATORY_LABEL_NO_WRITE_UP
"NX"	SDDL_NO_EXECUTE_UP	SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP
resource_attribute
"TI"	SDDL_INT	Signed integer
"TU"	SDDL_UINT	Unsigned integer
"TS"	SDDL_WSTRING	Wide string
"TD"	SDDL_SID	SID
"TX"	SDDL_BLOB	Octet string
"TB"	SDDL_BOOLEAN	Boolean
SID string	Constant in Sddl.h	Account alias and corresponding RID
"AN"	SDDL_ANONYMOUS	Anonymous logon. The corresponding RID is SECURITY_ANONYMOUS_LOGON_RID.
"AO"	SDDL_ACCOUNT_OPERATORS	Account operators. The corresponding RID is DOMAIN_ALIAS_RID_ACCOUNT_OPS.
"AU"	SDDL_AUTHENTICATED_USERS	Authenticated users. The corresponding RID is SECURITY_AUTHENTICATED_USER_RID.
"BA"	SDDL_BUILTIN_ADMINISTRATORS	Built-in administrators. The corresponding RID is DOMAIN_ALIAS_RID_ADMINS.
"BG"	SDDL_BUILTIN_GUESTS	Built-in guests. The corresponding RID is DOMAIN_ALIAS_RID_GUESTS.
"BO"	SDDL_BACKUP_OPERATORS	Backup operators. The corresponding RID is DOMAIN_ALIAS_RID_BACKUP_OPS.
"BU"	SDDL_BUILTIN_USERS	Built-in users. The corresponding RID is DOMAIN_ALIAS_RID_USERS.
"CA"	SDDL_CERT_SERV_ADMINISTRATORS	Certificate publishers. The corresponding RID is DOMAIN_GROUP_RID_CERT_ADMINS.
"CD"	SDDL_CERTSVC_DCOM_ACCESS	Users who can connect to certification authorities using Distributed Component Object Model (DCOM). The corresponding RID is DOMAIN_ALIAS_RID_CERTSVC_DCOM_ACCESS_GROUP.
"CG"	SDDL_CREATOR_GROUP	Creator group. The corresponding RID is SECURITY_CREATOR_GROUP_RID.
"CO"	SDDL_CREATOR_OWNER	Creator owner. The corresponding RID is SECURITY_CREATOR_OWNER_RID.
"DA"	SDDL_DOMAIN_ADMINISTRATORS	Domain administrators. The corresponding RID is DOMAIN_GROUP_RID_ADMINS.
"DC"	SDDL_DOMAIN_COMPUTERS	Domain computers. The corresponding RID is DOMAIN_GROUP_RID_COMPUTERS.
"DD"	SDDL_DOMAIN_DOMAIN_CONTROLLERS	Domain controllers. The corresponding RID is DOMAIN_GROUP_RID_CONTROLLERS.
"DG"	SDDL_DOMAIN_GUESTS	Domain guests. The corresponding RID is DOMAIN_GROUP_RID_GUESTS.
"DU"	SDDL_DOMAIN_USERS	Domain users. The corresponding RID is DOMAIN_GROUP_RID_USERS.
"EA"	SDDL_ENTERPRISE_ADMINS	Enterprise administrators. The corresponding RID is DOMAIN_GROUP_RID_ENTERPRISE_ADMINS.
"ED"	SDDL_ENTERPRISE_DOMAIN_CONTROLLERS	Enterprise domain controllers. The corresponding RID is SECURITY_SERVER_LOGON_RID.
"HI"	SDDL_ML_HIGH	High integrity level. The corresponding RID is SECURITY_MANDATORY_HIGH_RID.
"IU"	SDDL_INTERACTIVE	Interactively logged-on user. This is a group identifier added to the token of a process when it was logged on interactively. The corresponding logon type is LOGON32_LOGON_INTERACTIVE. The corresponding RID is SECURITY_INTERACTIVE_RID.
"LA"	SDDL_LOCAL_ADMIN	Local administrator. The corresponding RID is DOMAIN_USER_RID_ADMIN.
"LG"	SDDL_LOCAL_GUEST	Local guest. The corresponding RID is DOMAIN_USER_RID_GUEST.
"LS"	SDDL_LOCAL_SERVICE	Local service account. The corresponding RID is SECURITY_LOCAL_SERVICE_RID.
"LW"	SDDL_ML_LOW	Low integrity level. The corresponding RID is SECURITY_MANDATORY_LOW_RID.
"ME"	SDDL_MLMEDIUM	Medium integrity level. The corresponding RID is SECURITY_MANDATORY_MEDIUM_RID.
"MU"	SDDL_PERFMON_USERS	Performance Monitor users.
"NO"	SDDL_NETWORK_CONFIGURATION_OPS	Network configuration operators. The corresponding RID is DOMAIN_ALIAS_RID_NETWORK_CONFIGURATION_OPS.
"NS"	SDDL_NETWORK_SERVICE	Network service account. The corresponding RID is SECURITY_NETWORK_SERVICE_RID.
"NU"	SDDL_NETWORK	Network logon user. This is a group identifier added to the token of a process when it was logged on across a network. The corresponding logon type is LOGON32_LOGON_NETWORK. The corresponding RID is SECURITY_NETWORK_RID.
"PA"	SDDL_GROUP_POLICY_ADMINS	Group Policy administrators. The corresponding RID is DOMAIN_GROUP_RID_POLICY_ADMINS.
"PO"	SDDL_PRINTER_OPERATORS	Printer operators. The corresponding RID is DOMAIN_ALIAS_RID_PRINT_OPS.
"PS"	SDDL_PERSONAL_SELF	Principal self. The corresponding RID is SECURITY_PRINCIPAL_SELF_RID.
"PU"	SDDL_POWER_USERS	Power users. The corresponding RID is DOMAIN_ALIAS_RID_POWER_USERS.
"RC"	SDDL_RESTRICTED_CODE	Restricted code. This is a restricted token created using the CreateRestrictedToken function. The corresponding RID is SECURITY_RESTRICTED_CODE_RID.
"RD"	SDDL_REMOTE_DESKTOP	Terminal server users. The corresponding RID is DOMAIN_ALIAS_RID_REMOTE_DESKTOP_USERS.
"RE"	SDDL_REPLICATOR	Replicator. The corresponding RID is DOMAIN_ALIAS_RID_REPLICATOR.
"RO"	SDDL_ENTERPRISE_RO_DCs	Enterprise Read-only domain controllers. The corresponding RID is DOMAIN_GROUP_RID_ENTERPRISE_READONLY_DOMAIN_CONTROLLERS.
"RS"	SDDL_RAS_SERVERS	RAS servers group. The corresponding RID is DOMAIN_ALIAS_RID_RAS_SERVERS.
"RU"	SDDL_ALIAS_PREW2KCOMPACC	Alias to grant permissions to accounts that use applications compatible with operating systems previous to Windows 2000. The corresponding RID is DOMAIN_ALIAS_RID_PREW2KCOMPACCESS.
"SA"	SDDL_SCHEMA_ADMINISTRATORS	Schema administrators. The corresponding RID is DOMAIN_GROUP_RID_SCHEMA_ADMINS.
"SI"	SDDL_ML_SYSTEM	System integrity level. The corresponding RID is SECURITY_MANDATORY_SYSTEM_RID.
"SO"	SDDL_SERVER_OPERATORS	Server operators. The corresponding RID is DOMAIN_ALIAS_RID_SYSTEM_OPS.
"SU"	SDDL_SERVICE	Service logon user. This is a group identifier added to the token of a process when it was logged as a service. The corresponding logon type is LOGON32_LOGON_SERVICE. The corresponding RID is SECURITY_SERVICE_RID.
"SY"	SDDL_LOCAL_SYSTEM	Local system. The corresponding RID is SECURITY_LOCAL_SYSTEM_RID.
"WD"	SDDL_EVERYONE	Everyone. The corresponding RID is SECURITY_WORLD_RID.