Security Descriptor String Format

ConvertStringSecurityDescriptorToSecurityDescriptor

```
O:owner_sid
G:group_sid
D:dacl_flags(string_ace1)(string_ace2)... (string_acen)
S:sacl_flags(string_ace1)(string_ace2)... (string_acen)
```

| Control | Constant in Sddl.h | Meaning |
| --- | --- | --- |
| "P" | SDDL_PROTECTED | The SE_DACL_PROTECTED flag is set. |
| "AR" | SDDL_AUTO_INHERIT_REQ | The SE_DACL_AUTO_INHERIT_REQ flag is set. |
| "AI" | SDDL_AUTO_INHERITED | The SE_DACL_AUTO_INHERITED flag is set. |
| "NO_ACCESS_CONTROL" | SDDL_NULL_ACL | The ACL is null. |
ACE Strings

```
ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid;(resource_attribute)
```

| ACE type string | Constant in Sddl.h | AceType value |
| --- | --- | --- |
| "A" | SDDL_ACCESS_ALLOWED | ACCESS_ALLOWED_ACE_TYPE |
| "D" | SDDL_ACCESS_DENIED | ACCESS_DENIED_ACE_TYPE |
| "OA" | SDDL_OBJECT_ACCESS_ALLOWED | ACCESS_ALLOWED_OBJECT_ACE_TYPE |
| "OD" | SDDL_OBJECT_ACCESS_DENIED | ACCESS_DENIED_OBJECT_ACE_TYPE |
| "AU" | SDDL_AUDIT | SYSTEM_AUDIT_ACE_TYPE |
| "AL" | SDDL_ALARM | SYSTEM_ALARM_ACE_TYPE |
| "OU" | SDDL_OBJECT_AUDIT | SYSTEM_AUDIT_OBJECT_ACE_TYPE |
| "OL" | SDDL_OBJECT_ALARM | SYSTEM_ALARM_OBJECT_ACE_TYPE |
| "ML" | SDDL_MANDATORY_LABEL | SYSTEM_MANDATORY_LABEL_ACE_TYPE |
| "XA" | SDDL_CALLBACK_ACCESS_ALLOWED | ACCESS_ALLOWED_CALLBACK_ACE_TYPE. Windows Vista and Windows Server 2003: Not available. |
| "XD" | SDDL_CALLBACK_ACCESS_DENIED | ACCESS_DENIED_CALLBACK_ACE_TYPE. Windows Vista and Windows Server 2003: Not available. |
| "RA" | SDDL_RESOURCE_ATTRIBUTE | SYSTEM_RESOURCE_ATTRIBUTE_ACE_TYPE. Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista, and Windows Server 2003: Not available. |
| "SP" | SDDL_SCOPED_POLICY_ID | SYSTEM_SCOPED_POLICY_ID_ACE_TYPE. Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista, and Windows Server 2003: Not available. |
| "XU" | SDDL_CALLBACK_AUDIT | SYSTEM_AUDIT_CALLBACK_ACE_TYPE. Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista, and Windows Server 2003: Not available. |
| "ZA" | SDDL_CALLBACK_OBJECT_ACCESS_ALLOWED | ACCESS_ALLOWED_CALLBACK_ACE_TYPE. Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista, and Windows Server 2003: Not available. |
| ACE flags string | Constant in Sddl.h | AceFlag value |
| --- | --- | --- |
| "CI" | SDDL_CONTAINER_INHERIT | CONTAINER_INHERIT_ACE |
| "OI" | SDDL_OBJECT_INHERIT | OBJECT_INHERIT_ACE |
| "NP" | SDDL_NO_PROPAGATE | NO_PROPAGATE_INHERIT_ACE |
| "IO" | SDDL_INHERIT_ONLY | INHERIT_ONLY_ACE |
| "ID" | SDDL_INHERITED | INHERITED_ACE |
| "SA" | SDDL_AUDIT_SUCCESS | SUCCESSFUL_ACCESS_ACE_FLAG |
| "FA" | SDDL_AUDIT_FAILURE | FAILED_ACCESS_ACE_FLAG |
| Access rights string | Constant in Sddl.h | Access right value |
| --- | --- | --- |
| Generic access rights | | |
| "GA" | SDDL_GENERIC_ALL | GENERIC_ALL |
| "GR" | SDDL_GENERIC_READ | GENERIC_READ |
| "GW" | SDDL_GENERIC_WRITE | GENERIC_WRITE |
| "GX" | SDDL_GENERIC_EXECUTE | GENERIC_EXECUTE |
| Standard access rights | | |
| "RC" | SDDL_READ_CONTROL | READ_CONTROL |
| "SD" | SDDL_STANDARD_DELETE | DELETE |
| "WD" | SDDL_WRITE_DAC | WRITE_DAC |
| "WO" | SDDL_WRITE_OWNER | WRITE_OWNER |
| Directory service object access rights | | |
| "RP" | SDDL_READ_PROPERTY | ADS_RIGHT_DS_READ_PROP |
| "WP" | SDDL_WRITE_PROPERTY | ADS_RIGHT_DS_WRITE_PROP |
| "CC" | SDDL_CREATE_CHILD | ADS_RIGHT_DS_CREATE_CHILD |
| "DC" | SDDL_DELETE_CHILD | ADS_RIGHT_DS_DELETE_CHILD |
| "LC" | SDDL_LIST_CHILDREN | ADS_RIGHT_ACTRL_DS_LIST |
| "SW" | SDDL_SELF_WRITE | ADS_RIGHT_DS_SELF |
| "LO" | SDDL_LIST_OBJECT | ADS_RIGHT_DS_LIST_OBJECT |
| "DT" | SDDL_DELETE_TREE | ADS_RIGHT_DS_DELETE_TREE |
| "CR" | SDDL_CONTROL_ACCESS | ADS_RIGHT_DS_CONTROL_ACCESS |
| File access rights | | |
| "FA" | SDDL_FILE_ALL | FILE_ALL_ACCESS |
| "FR" | SDDL_FILE_READ | FILE_GENERIC_READ |
| "FW" | SDDL_FILE_WRITE | FILE_GENERIC_WRITE |
| "FX" | SDDL_FILE_EXECUTE | FILE_GENERIC_EXECUTE |
| Registry key access rights | | |
| "KA" | SDDL_KEY_ALL | KEY_ALL_ACCESS |
| "KR" | SDDL_KEY_READ | KEY_READ |
| "KW" | SDDL_KEY_WRITE | KEY_WRITE |
| "KX" | SDDL_KEY_EXECUTE | KEY_EXECUTE |
| Mandatory label rights | | |
| "NR" | SDDL_NO_READ_UP | SYSTEM_MANDATORY_LABEL_NO_READ_UP |
| "NW" | SDDL_NO_WRITE_UP | SYSTEM_MANDATORY_LABEL_NO_WRITE_UP |
| "NX" | SDDL_NO_EXECUTE_UP | SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP |
resource_attribute

| Type string | Constant in Sddl.h | Attribute type |
| --- | --- | --- |
| "TI" | SDDL_INT | Signed integer |
| "TU" | SDDL_UINT | Unsigned integer |
| "TS" | SDDL_WSTRING | Wide string |
| "TD" | SDDL_SID | SID |
| "TX" | SDDL_BLOB | Octet string |
| "TB" | SDDL_BOOLEAN | Boolean |
| SID string | Constant in Sddl.h | Account alias and corresponding RID |
| --- | --- | --- |
| "AN" | SDDL_ANONYMOUS | Anonymous logon. The corresponding RID is SECURITY_ANONYMOUS_LOGON_RID. |
| "AO" | SDDL_ACCOUNT_OPERATORS | Account operators. The corresponding RID is DOMAIN_ALIAS_RID_ACCOUNT_OPS. |
| "AU" | SDDL_AUTHENTICATED_USERS | Authenticated users. The corresponding RID is SECURITY_AUTHENTICATED_USER_RID. |
| "BA" | SDDL_BUILTIN_ADMINISTRATORS | Built-in administrators. The corresponding RID is DOMAIN_ALIAS_RID_ADMINS. |
| "BG" | SDDL_BUILTIN_GUESTS | Built-in guests. The corresponding RID is DOMAIN_ALIAS_RID_GUESTS. |
| "BO" | SDDL_BACKUP_OPERATORS | Backup operators. The corresponding RID is DOMAIN_ALIAS_RID_BACKUP_OPS. |
| "BU" | SDDL_BUILTIN_USERS | Built-in users. The corresponding RID is DOMAIN_ALIAS_RID_USERS. |
| "CA" | SDDL_CERT_SERV_ADMINISTRATORS | Certificate publishers. The corresponding RID is DOMAIN_GROUP_RID_CERT_ADMINS. |
| "CD" | SDDL_CERTSVC_DCOM_ACCESS | Users who can connect to certification authorities using Distributed Component Object Model (DCOM). The corresponding RID is DOMAIN_ALIAS_RID_CERTSVC_DCOM_ACCESS_GROUP. |
| "CG" | SDDL_CREATOR_GROUP | Creator group. The corresponding RID is SECURITY_CREATOR_GROUP_RID. |
| "CO" | SDDL_CREATOR_OWNER | Creator owner. The corresponding RID is SECURITY_CREATOR_OWNER_RID. |
| "DA" | SDDL_DOMAIN_ADMINISTRATORS | Domain administrators. The corresponding RID is DOMAIN_GROUP_RID_ADMINS. |
| "DC" | SDDL_DOMAIN_COMPUTERS | Domain computers. The corresponding RID is DOMAIN_GROUP_RID_COMPUTERS. |
| "DD" | SDDL_DOMAIN_DOMAIN_CONTROLLERS | Domain controllers. The corresponding RID is DOMAIN_GROUP_RID_CONTROLLERS. |
| "DG" | SDDL_DOMAIN_GUESTS | Domain guests. The corresponding RID is DOMAIN_GROUP_RID_GUESTS. |
| "DU" | SDDL_DOMAIN_USERS | Domain users. The corresponding RID is DOMAIN_GROUP_RID_USERS. |
| "EA" | SDDL_ENTERPRISE_ADMINS | Enterprise administrators. The corresponding RID is DOMAIN_GROUP_RID_ENTERPRISE_ADMINS. |
| "ED" | SDDL_ENTERPRISE_DOMAIN_CONTROLLERS | Enterprise domain controllers. The corresponding RID is SECURITY_SERVER_LOGON_RID. |
| "HI" | SDDL_ML_HIGH | High integrity level. The corresponding RID is SECURITY_MANDATORY_HIGH_RID. |
| "IU" | SDDL_INTERACTIVE | Interactively logged-on user. This is a group identifier added to the token of a process when it was logged on interactively. The corresponding logon type is LOGON32_LOGON_INTERACTIVE. The corresponding RID is SECURITY_INTERACTIVE_RID. |
| "LA" | SDDL_LOCAL_ADMIN | Local administrator. The corresponding RID is DOMAIN_USER_RID_ADMIN. |
| "LG" | SDDL_LOCAL_GUEST | Local guest. The corresponding RID is DOMAIN_USER_RID_GUEST. |
| "LS" | SDDL_LOCAL_SERVICE | Local service account. The corresponding RID is SECURITY_LOCAL_SERVICE_RID. |
| "LW" | SDDL_ML_LOW | Low integrity level. The corresponding RID is SECURITY_MANDATORY_LOW_RID. |
| "ME" | SDDL_MLMEDIUM | Medium integrity level. The corresponding RID is SECURITY_MANDATORY_MEDIUM_RID. |
| "MU" | SDDL_PERFMON_USERS | Performance Monitor users. |
| "NO" | SDDL_NETWORK_CONFIGURATION_OPS | Network configuration operators. The corresponding RID is DOMAIN_ALIAS_RID_NETWORK_CONFIGURATION_OPS. |
| "NS" | SDDL_NETWORK_SERVICE | Network service account. The corresponding RID is SECURITY_NETWORK_SERVICE_RID. |
| "NU" | SDDL_NETWORK | Network logon user. This is a group identifier added to the token of a process when it was logged on across a network. The corresponding logon type is LOGON32_LOGON_NETWORK. The corresponding RID is SECURITY_NETWORK_RID. |
| "PA" | SDDL_GROUP_POLICY_ADMINS | Group Policy administrators. The corresponding RID is DOMAIN_GROUP_RID_POLICY_ADMINS. |
| "PO" | SDDL_PRINTER_OPERATORS | Printer operators. The corresponding RID is DOMAIN_ALIAS_RID_PRINT_OPS. |
| "PS" | SDDL_PERSONAL_SELF | Principal self. The corresponding RID is SECURITY_PRINCIPAL_SELF_RID. |
| "PU" | SDDL_POWER_USERS | Power users. The corresponding RID is DOMAIN_ALIAS_RID_POWER_USERS. |
| "RC" | SDDL_RESTRICTED_CODE | Restricted code. This is a restricted token created using the CreateRestrictedToken function. The corresponding RID is SECURITY_RESTRICTED_CODE_RID. |
| "RD" | SDDL_REMOTE_DESKTOP | Terminal server users. The corresponding RID is DOMAIN_ALIAS_RID_REMOTE_DESKTOP_USERS. |
| "RE" | SDDL_REPLICATOR | Replicator. The corresponding RID is DOMAIN_ALIAS_RID_REPLICATOR. |
| "RO" | SDDL_ENTERPRISE_RO_DCs | Enterprise read-only domain controllers. The corresponding RID is DOMAIN_GROUP_RID_ENTERPRISE_READONLY_DOMAIN_CONTROLLERS. |
| "RS" | SDDL_RAS_SERVERS | RAS servers group. The corresponding RID is DOMAIN_ALIAS_RID_RAS_SERVERS. |
| "RU" | SDDL_ALIAS_PREW2KCOMPACC | Alias to grant permissions to accounts that use applications compatible with operating systems prior to Windows 2000. The corresponding RID is DOMAIN_ALIAS_RID_PREW2KCOMPACCESS. |
| "SA" | SDDL_SCHEMA_ADMINISTRATORS | Schema administrators. The corresponding RID is DOMAIN_GROUP_RID_SCHEMA_ADMINS. |
| "SI" | SDDL_ML_SYSTEM | System integrity level. The corresponding RID is SECURITY_MANDATORY_SYSTEM_RID. |
| "SO" | SDDL_SERVER_OPERATORS | Server operators. The corresponding RID is DOMAIN_ALIAS_RID_SYSTEM_OPS. |
| "SU" | SDDL_SERVICE | Service logon user. This is a group identifier added to the token of a process when it was logged on as a service. The corresponding logon type is LOGON32_LOGON_SERVICE. The corresponding RID is SECURITY_SERVICE_RID. |
| "SY" | SDDL_LOCAL_SYSTEM | Local system. The corresponding RID is SECURITY_LOCAL_SYSTEM_RID. |
| "WD" | SDDL_EVERYONE | Everyone. The corresponding RID is SECURITY_WORLD_RID. |
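The tables above define a small grammar: four `O:`/`G:`/`D:`/`S:` components, each ACE a semicolon-separated tuple inside parentheses, and every flag, right and trustee a fixed token. The following parser is an added example written for this page (not Microsoft's code and not the `ConvertStringSecurityDescriptorToSecurityDescriptor` implementation). It splits an SDDL string into its components, expands the concatenated two-letter tokens using a subset of the page's tables, and then runs a defender-side check that reports allow-ACEs granting broad principals (Everyone, Authenticated Users, and similar) write-class rights. The function names `parse_sddl` and `find_weak_aces` and the SDDL strings in the test are constructed for the example.

```python
"""Parse SDDL strings (the O:/G:/D:/S: format above) and flag over-permissive ACEs.
Added example, not Microsoft's code; the token tables below are the subset of the
page's tables that the example needs."""
import re
from dataclasses import dataclass, field
from typing import Optional

ACE_TYPES = {"A": "ACCESS_ALLOWED_ACE_TYPE", "D": "ACCESS_DENIED_ACE_TYPE",
             "OA": "ACCESS_ALLOWED_OBJECT_ACE_TYPE", "OD": "ACCESS_DENIED_OBJECT_ACE_TYPE",
             "AU": "SYSTEM_AUDIT_ACE_TYPE", "ML": "SYSTEM_MANDATORY_LABEL_ACE_TYPE"}
ACE_FLAGS = {"CI": "CONTAINER_INHERIT_ACE", "OI": "OBJECT_INHERIT_ACE",
             "NP": "NO_PROPAGATE_INHERIT_ACE", "IO": "INHERIT_ONLY_ACE",
             "ID": "INHERITED_ACE", "SA": "SUCCESSFUL_ACCESS_ACE_FLAG",
             "FA": "FAILED_ACCESS_ACE_FLAG"}
RIGHTS = {"GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE",
          "GX": "GENERIC_EXECUTE", "RC": "READ_CONTROL", "SD": "DELETE",
          "WD": "WRITE_DAC", "WO": "WRITE_OWNER", "FA": "FILE_ALL_ACCESS",
          "FR": "FILE_GENERIC_READ", "FW": "FILE_GENERIC_WRITE",
          "FX": "FILE_GENERIC_EXECUTE", "KA": "KEY_ALL_ACCESS", "KR": "KEY_READ",
          "KW": "KEY_WRITE", "KX": "KEY_EXECUTE", "RP": "ADS_RIGHT_DS_READ_PROP",
          "WP": "ADS_RIGHT_DS_WRITE_PROP", "CC": "ADS_RIGHT_DS_CREATE_CHILD",
          "DC": "ADS_RIGHT_DS_DELETE_CHILD", "CR": "ADS_RIGHT_DS_CONTROL_ACCESS"}
SID_ALIASES = {"WD": "Everyone", "AU": "Authenticated users", "BU": "Built-in users",
               "AN": "Anonymous logon", "IU": "Interactive users",
               "BA": "Built-in administrators", "SY": "Local system"}
ACL_FLAG_TOKENS = ("NO_ACCESS_CONTROL", "AR", "AI", "P")  # longest match first

@dataclass
class Ace:
    ace_type: str
    flags: list
    rights: list            # two-letter tokens, or one hex literal such as "0x1200a9"
    object_guid: str
    inherit_object_guid: str
    trustee: str            # alias ("WD") or literal SID string ("S-1-5-21-...")

@dataclass
class SecurityDescriptor:
    owner: Optional[str] = None
    group: Optional[str] = None
    dacl_flags: list = field(default_factory=list)
    dacl: list = field(default_factory=list)
    sacl_flags: list = field(default_factory=list)
    sacl: list = field(default_factory=list)

def _split_pairs(s, table, what):
    """Split a run of concatenated two-letter tokens ("OICI") into known tokens."""
    if len(s) % 2 or any(s[i:i + 2] not in table for i in range(0, len(s), 2)):
        raise ValueError(f"unknown {what} token in {s!r}")
    return [s[i:i + 2] for i in range(0, len(s), 2)]

def _parse_acl_flags(s):
    out = []
    while s:
        tok = next((t for t in ACL_FLAG_TOKENS if s.startswith(t)), None)
        if tok is None:
            raise ValueError(f"unknown ACL flag in {s!r}")
        out.append(tok)
        s = s[len(tok):]
    return out

def _parse_ace(body):
    parts = body.split(";")
    if len(parts) < 6:
        raise ValueError(f"malformed ACE {body!r}")
    ace_type, flags, rights, oguid, ioguid, sid = parts[:6]   # 7th part (resource attribute) ignored
    if ace_type not in ACE_TYPES:
        raise ValueError(f"unknown ACE type {ace_type!r}")
    rights_list = [rights] if rights.lower().startswith("0x") else _split_pairs(rights, RIGHTS, "right")
    return Ace(ace_type, _split_pairs(flags, ACE_FLAGS, "flag"), rights_list, oguid, ioguid, sid)

# A component runs from "X:" up to the next "X:" (SIDs use "-" not ":", so they never end one).
_COMPONENT = re.compile(r"([OGDS]):((?:(?![OGDS]:).)*)")

def parse_sddl(text):
    sd = SecurityDescriptor()
    for key, value in _COMPONENT.findall(text.replace(" ", "")):
        if key == "O":
            sd.owner = value
        elif key == "G":
            sd.group = value
        else:
            flags = _parse_acl_flags(value.split("(", 1)[0])
            aces = [_parse_ace(b) for b in re.findall(r"\(([^()]*)\)", value)]
            if key == "D":
                sd.dacl_flags, sd.dacl = flags, aces
            else:
                sd.sacl_flags, sd.sacl = flags, aces
    return sd

WEAK_TRUSTEES = {"WD", "AU", "BU", "AN", "IU"}
WRITE_RIGHTS = {"GA", "GW", "WD", "WO", "FA", "FW", "KA", "KW", "SD"}

def find_weak_aces(sd):
    """Return (trustee name, [right names]) for allow-ACEs giving broad principals write-class rights."""
    findings = []
    for ace in sd.dacl:
        if ace.ace_type in ("A", "OA") and ace.trustee in WEAK_TRUSTEES:
            bad = sorted(set(ace.rights) & WRITE_RIGHTS)
            if bad:
                findings.append((SID_ALIASES.get(ace.trustee, ace.trustee), [RIGHTS[r] for r in bad]))
    return findings
```

`find_weak_aces` only inspects allow ACEs in the DACL; it does not evaluate deny-ACE ordering, inherited ACEs from parent objects, or the hex-literal rights form, so treat its output as a triage list rather than an effective-access computation.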