explain_sd

Use the explain_sd command to convert a security descriptor (SD) specified in security descriptor description language (SDDL) form into a human-readable form.

Zone type

Not applicable

Syntax

explain_sd sddl_string

Abbreviation

None.

Options

This command takes no options.

Arguments

This command takes the following argument:

Argument | Type | Description
sddl_string | string | Required. Specifies a security descriptor in SDDL format.

Return value

This command returns text that describes the supplied security descriptor in human‑readable form.

Examples

explain_sd O:DAG:DAD:AI(A;;SDRCWDWOCCDCLCSWRPWPDTLOCR;;;SY)(A;;RCWDWOCCDCLCSWRPWPLOCR;;;DA)
(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)
(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)(A;;RCLCRPLO;;;AU)
(OA;;CCDC;4828cc14-1437-45bc-9b07-ad6f015e5f28;;AO)
(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)
(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)
(OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)
(OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)
(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)
(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)
(OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)
(OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)
(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)
(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)
(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)
(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)
(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)
(OA;CIIOID;RCLCRPLO;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)
(OA;CIIOID;RCLCRPLO;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)
(OA;CIIOID;RCLCRPLO;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)
(OA;CIID;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;CIID;SDRCWDWOCCDCLCSWRPWPDTLOCR;;;EA)
(A;CIID;LC;;;RU)(A;CIID;SDRCWDWOCCLCSWRPWPLOCR;;;BA)

This example returns the security descriptor information in readable form:

Owner: Domain Admins
Group: Domain Admins
Dacl: inherit supported,
 Allow |  | delete,read SD,write DACL,change owner,create child,delete child,list children,self write,read property,write property,delete tree,list object,control access, |  |  | System
 Allow |  | read SD,write DACL,change owner,create child,delete child,list children,self write,read property,write property,list object,control access, |  |  | Domain Admins
 Allow |  | create child,delete child, | User |  | Account operators
 Allow |  | create child,delete child, | Group |  | Account operators
 Allow |  | create child,delete child, | Print-Queue |  | Print operators
 Allow |  | read SD,list children,read property,list object, |  |  | Authenticated users
 Allow |  | create child,delete child, | inetOrgPerson |  | Account operators
 Allow | inherit,inherit ony,inherited, | read property, | User-Account-Restrictions | inetOrgPerson | pre win2k
 Allow | inherit,inherit ony,inherited, | read property, | User-Account-Restrictions | User | pre win2k
 Allow | inherit,inherit ony,inherited, | read property, | User-Logon | inetOrgPerson | pre win2k
 Allow | inherit,inherit ony,inherited, | read property, | User-Logon | User | pre win2k
 Allow | inherit,inherit ony,inherited, | read property, | Membership | inetOrgPerson | pre win2k
 Allow | inherit,inherit ony,inherited, | read property, | Membership | User | pre win2k
 Allow | inherit,inherit ony,inherited, | read property, | General-Information | inetOrgPerson | pre win2k
 Allow | inherit,inherit ony,inherited, | read property, | General-Information | User | pre win2k
 Allow | inherit,inherit ony,inherited, | read property, | RAS-Information | inetOrgPerson | pre win2k
 Allow | inherit,inherit ony,inherited, | read property, | RAS-Information | User | pre win2k
 Allow | inherit,inherit ony,inherited, | read property, | Token-Groups | Computer | Enterprise Domain Controllers
 Allow | inherit,inherit ony,inherited, | read property, | Token-Groups | Group | Enterprise Domain Controllers
 Allow | inherit,inherit ony,inherited, | read property, | Token-Groups | User | Enterprise Domain Controllers
 Allow | inherit,inherit ony,inherited, | read SD,list children,read property,list object, |  | inetOrgPerson | pre win2k
 Allow | inherit,inherit ony,inherited, | read SD,list children,read property,list object, |  | Group | pre win2k
 Allow | inherit,inherit ony,inherited, | read SD,list children,read property,list object, |  | User | pre win2k
 Allow | inherit,inherited, | read property,write property,control access, | Private-Information |  | Self
 Allow | inherit,inherited, | delete,read SD,write DACL,change owner,create child,delete child,list children,self write,read property,write property,delete tree,list object,control access, |  |  | Enterprise Admins
 Allow | inherit,inherited, | list children, |  |  | pre win2k
 Allow | inherit,inherited, | delete,read SD,write DACL,change owner,create child,list children,self write,read property,write property,list object,control access, |  |  | Administrators
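The decoding shown in this example, as an added Python example that is not part of the product or its documentation: it rebuilds the code-to-text mapping from the example above and lists the trustees whose Allow ACEs include write DACL or change owner. The function names and the SAMPLE string (four ACEs from the example) are constructed here; only O:, G: and D: parts with six-field ACEs are handled, and object GUIDs are left undecoded.

```python
import re

# Code-to-text tables read off the example above ("inherit only" spelled in full).
RIGHTS = {"SD": "delete", "RC": "read SD", "WD": "write DACL", "WO": "change owner",
          "CC": "create child", "DC": "delete child", "LC": "list children",
          "SW": "self write", "RP": "read property", "WP": "write property",
          "DT": "delete tree", "LO": "list object", "CR": "control access"}
ACE_FLAGS = {"CI": "inherit", "IO": "inherit only", "ID": "inherited"}
ACE_TYPES = {"A": "Allow", "OA": "Allow"}  # other ACE types are passed through as-is
TRUSTEES = {"SY": "System", "DA": "Domain Admins", "EA": "Enterprise Admins",
            "BA": "Administrators", "AO": "Account operators", "PS": "Self",
            "PO": "Print operators", "AU": "Authenticated users", "RU": "pre win2k",
            "ED": "Enterprise Domain Controllers"}

def pairs(codes, table):
    """Decode a run of two-letter codes; unknown codes pass through unchanged."""
    return [table.get(codes[i:i + 2], codes[i:i + 2]) for i in range(0, len(codes), 2)]

def parse_sddl(sddl):
    """Return owner, group, raw DACL flags and the decoded ACE list."""
    sddl = "".join(sddl.split())  # undo line wrapping such as in the example
    m = re.fullmatch(r"O:([\w-]+?)G:([\w-]+?)D:(\w*?)((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("expected O:..G:..D:.. followed by parenthesised ACEs")
    owner, group, dacl_flags, blob = m.groups()
    aces = []
    for body in re.findall(r"\(([^)]*)\)", blob):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"ACE must have 6 fields: ({body})")
        kind, flags, rights, obj, inherit_obj, sid = fields
        aces.append({"type": ACE_TYPES.get(kind, kind), "flags": pairs(flags, ACE_FLAGS),
                     "rights": pairs(rights, RIGHTS), "object": obj,
                     "inherit_object": inherit_obj, "trustee": TRUSTEES.get(sid, sid)})
    return {"owner": TRUSTEES.get(owner, owner), "group": TRUSTEES.get(group, group),
            "dacl_flags": dacl_flags, "aces": aces}

def can_rewrite_acl(sd):
    """Trustees whose Allow ACEs include write DACL or change owner."""
    return sorted({a["trustee"] for a in sd["aces"] if a["type"] == "Allow"
                   and {"write DACL", "change owner"} & set(a["rights"])})

# Constructed sample: four ACEs taken from the example above.
SAMPLE = ("O:DAG:DAD:AI(A;;SDRCWDWOCCDCLCSWRPWPDTLOCR;;;SY)"
          "(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)"
          "(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;"
          "4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(A;CIID;LC;;;RU)")

if __name__ == "__main__":
    print(can_rewrite_acl(parse_sddl(SAMPLE)))
```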

Related commands

The following commands enable you to work with security descriptor strings:

  • remove_sd_ace removes an access control entry (ACE) from a security descriptor.
  • add_sd_ace adds an access control entry to a security descriptor.
  • set_sd_owner sets the owner of a security descriptor.