explain_sd
Use the explain_sd command to specify a security descriptor (SD) in security descriptor description language (SDDL) form. The command returns a human-readable form of the security descriptor.
Zone type
Not applicable
Syntax
explain_sd sddl_string
Abbreviation
None.
Options
This command takes no options.
Arguments
This command takes the following argument:
Argument | Type | Description |
sddl_string | string | Required. Specifies a security descriptor in SDDL format. |
Return value
This command returns text that describes the supplied security descriptor in human‑readable form.
Examples
explain_sd O:DAG:DAD:AI(A;;SDRCWDWOCCDCLCSWRPWPDTLOCR;;;SY)(A;;RCWDWOCCDCLCSWRPWPLOCR;;;DA)(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)(A;;RCLCRPLO;;;AU)(OA;;CCDC;4828cc14-1437-45bc-9b07-ad6f015e5f28;;AO)(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RCLCRPLO;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RCLCRPLO;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RCLCRPLO;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIID;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;CIID;SDRCWDWOCCDCLCSWRPWPDTLOCR;;;EA)(A;CIID;LC;;;RU)(A;CIID;SDRCWDWOCCLCSWRPWPLOCR;;;BA)
This example returns the security descriptor information in readable form:
Owner: Domain Admins
Group: Domain Admins
Dacl: inherit supported,
Allow | | delete,read SD,write DACL,change owner,create child,delete child,list children,self write,read property,write property,delete tree,list object,control access, | | | System
Allow | | read SD,write DACL,change owner,create child,delete child,list children,self write,read property,write property,list object,control access, | | | Domain Admins
Allow | | create child,delete child, | User | | Account operators
Allow | | create child,delete child, | Group | | Account operators
Allow | | create child,delete child, | Print-Queue | | Print operators
Allow | | read SD,list children,read property,list object, | | | Authenticated users
Allow | | create child,delete child, | inetOrgPerson | | Account operators
Allow | inherit,inherit ony,inherited, | read property, | User-Account-Restrictions | inetOrgPerson | pre win2k
Allow | inherit,inherit ony,inherited, | read property, | User-Account-Restrictions | User | pre win2k
Allow | inherit,inherit ony,inherited, | read property, | User-Logon | inetOrgPerson | pre win2k
Allow | inherit,inherit ony,inherited, | read property, | User-Logon | User | pre win2k
Allow | inherit,inherit ony,inherited, | read property, | Membership | inetOrgPerson | pre win2k
Allow | inherit,inherit ony,inherited, | read property, | Membership | User | pre win2k
Allow | inherit,inherit ony,inherited, | read property, | General-Information | inetOrgPerson | pre win2k
Allow | inherit,inherit ony,inherited, | read property, | General-Information | User | pre win2k
Allow | inherit,inherit ony,inherited, | read property, | RAS-Information | inetOrgPerson | pre win2k
Allow | inherit,inherit ony,inherited, | read property, | RAS-Information | User | pre win2k
Allow | inherit,inherit ony,inherited, | read property, | Token-Groups | Computer | Enterprise Domain Controllers
Allow | inherit,inherit ony,inherited, | read property, | Token-Groups | Group | Enterprise Domain Controllers
Allow | inherit,inherit ony,inherited, | read property, | Token-Groups | User | Enterprise Domain Controllers
Allow | inherit,inherit ony,inherited, | read SD,list children,read property,list object, | | inetOrgPerson | pre win2k
Allow | inherit,inherit ony,inherited, | read SD,list children,read property,list object, | | Group | pre win2k
Allow | inherit,inherit ony,inherited, | read SD,list children,read property,list object, | | User | pre win2k
Allow | inherit,inherited, | read property,write property,control access, | Private-Information | | Self
Allow | inherit,inherited, | delete,read SD,write DACL,change owner,create child,delete child,list children,self write,read property,write property,delete tree,list object,control access, | | | Enterprise Admins
Allow | inherit,inherited, | list children, | | | pre win2k
Allow | inherit,inherited, | delete,read SD,write DACL,change owner,create child,list children,self write,read property,write property,list object,control access, | | | Administrators
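The mapping from SDDL codes to the wording shown above can be reproduced outside the tool when reviewing descriptors in bulk. The following Python sketch is an added example, not the command's own implementation: the names parse_sddl and ownership_grants are hypothetical, the code tables are read off this page's example input and output, and only O:, G: and D: components with two-letter rights codes are handled.

```python
import re

# Rights codes and the wording explain_sd prints for them, read off the
# example input and output on this page.
RIGHTS = {"SD": "delete", "RC": "read SD", "WD": "write DACL",
          "WO": "change owner", "CC": "create child", "DC": "delete child",
          "LC": "list children", "SW": "self write", "RP": "read property",
          "WP": "write property", "DT": "delete tree", "LO": "list object",
          "CR": "control access"}
TRUSTEES = {"SY": "System", "DA": "Domain Admins", "AO": "Account operators",
            "PO": "Print operators", "AU": "Authenticated users",
            "RU": "pre win2k", "ED": "Enterprise Domain Controllers",
            "PS": "Self", "EA": "Enterprise Admins", "BA": "Administrators"}
ACE_TYPES = {"A": "Allow", "OA": "Allow", "D": "Deny", "OD": "Deny"}
OWNERSHIP_RIGHTS = {"write DACL", "change owner"}

# Constructed sample: four ACEs copied from the page's example string.
SAMPLE = ("O:DAG:DAD:AI(A;;RCWDWOCCDCLCSWRPWPLOCR;;;DA)"
          "(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)"
          "(A;;RCLCRPLO;;;AU)(A;CIID;LC;;;RU)")

def parse_sddl(sddl):
    """Parse an O:/G:/D: SDDL string (no SACL, no hex masks, no conditions)."""
    head = re.match(r"O:(.+?)G:(.+?)D:([A-Z]*)(?=\(|$)", sddl)
    if not head:
        raise ValueError("expected O:, G: and D: components")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", sddl[head.end():]):
        fields = body.split(";")
        if len(fields) != 6 or fields[0] not in ACE_TYPES:
            raise ValueError(f"unsupported ACE: ({body})")
        codes = re.findall("..?", fields[2])  # rights are 2-letter codes
        unknown = [c for c in codes if c not in RIGHTS]
        if unknown:
            raise ValueError(f"unknown rights {unknown} in ({body})")
        aces.append({"type": ACE_TYPES[fields[0]], "flags": fields[1],
                     "rights": [RIGHTS[c] for c in codes],
                     "object": fields[3], "inherited_object": fields[4],
                     "trustee": TRUSTEES.get(fields[5], fields[5])})
    return {"owner": TRUSTEES.get(head[1], head[1]),
            "group": TRUSTEES.get(head[2], head[2]),
            "dacl_flags": head[3], "aces": aces}

def ownership_grants(sd):
    """Allow ACEs whose trustee can rewrite the DACL or take ownership."""
    return [(a["trustee"], sorted(OWNERSHIP_RIGHTS & set(a["rights"])))
            for a in sd["aces"]
            if a["type"] == "Allow" and OWNERSHIP_RIGHTS & set(a["rights"])]

if __name__ == "__main__":
    print(ownership_grants(parse_sddl(SAMPLE)))
```

Trustees given as raw SIDs pass through unchanged, and any ACE the sketch cannot decode raises ValueError rather than being skipped.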
Related commands
The following commands enable you to work with security descriptor strings:
- remove_sd_ace removes an access control entry (ACE) from a security descriptor.
- add_sd_ace adds an access control entry to a security descriptor.
- set_sd_owner sets the owner of a security descriptor.