explain_sd
Use the explain_sd command to convert a security descriptor (SD) specified in Security Descriptor Definition Language (SDDL) form into a human-readable description of that security descriptor.
Zone Type
Not applicable
Syntax
explain_sd sddl_string
Abbreviation
None.
Options
This command takes no options.
Arguments
This command takes the following argument:
| Argument | Type | Description |
|---|---|---|
| sddl_string | string | Required. Specifies a security descriptor in SDDL format. |
Return Value
This command returns text that describes the supplied security descriptor in human-readable form.
Examples
explain_sd O:DAG:DAD:AI(A;;SDRCWDWOCCDCLCSWRPWPDTLOCR;;;SY)(A;;RCWDWOCCDCLCSWRPWPLOCR;;;DA)
(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)
(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)(A;;RCLCRPLO;;;AU)
(OA;;CCDC;4828cc14-1437-45bc-9b07-ad6f015e5f28;;AO)
(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)
(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)
(OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)
(OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)
(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)
(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)
(OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)
(OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)
(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)
(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)
(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)
(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)
(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)
(OA;CIIOID;RCLCRPLO;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)
(OA;CIIOID;RCLCRPLO;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)
(OA;CIIOID;RCLCRPLO;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)
(OA;CIID;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;CIID;SDRCWDWOCCDCLCSWRPWPDTLOCR;;;EA)
(A;CIID;LC;;;RU)(A;CIID;SDRCWDWOCCLCSWRPWPLOCR;;;BA)
This example returns the security descriptor information in readable form:
Owner: Domain Admins
Group: Domain Admins
Dacl: inherit supported,
Allow | | delete,read SD,write DACL,change owner,create child,delete child,list children,self write,read property,write property,delete tree,list object,control access, | | | System
Allow | | read SD,write DACL,change owner,create child,delete child,list children,self write,read property,write property,list object,control access, | | | Domain Admins
Allow | | create child,delete child, | User | | Account operators
Allow | | create child,delete child, | Group | | Account operators
Allow | | create child,delete child, | Print-Queue | | Print operators
Allow | | read SD,list children,read property,list object, | | | Authenticated users
Allow | | create child,delete child, | inetOrgPerson | | Account operators
Allow | inherit,inherit ony,inherited, | read property, | User-Account-Restrictions | inetOrgPerson | pre win2k
Allow | inherit,inherit ony,inherited, | read property, | User-Account-Restrictions | User | pre win2k
Allow | inherit,inherit ony,inherited, | read property, | User-Logon | inetOrgPerson | pre win2k
Allow | inherit,inherit ony,inherited, | read property, | User-Logon | User | pre win2k
Allow | inherit,inherit ony,inherited, | read property, | Membership | inetOrgPerson | pre win2k
Allow | inherit,inherit ony,inherited, | read property, | Membership | User | pre win2k
Allow | inherit,inherit ony,inherited, | read property, | General-Information | inetOrgPerson | pre win2k
Allow | inherit,inherit ony,inherited, | read property, | General-Information | User | pre win2k
Allow | inherit,inherit ony,inherited, | read property, | RAS-Information | inetOrgPerson | pre win2k
Allow | inherit,inherit ony,inherited, | read property, | RAS-Information | User | pre win2k
Allow | inherit,inherit ony,inherited, | read property, | Token-Groups | Computer | Enterprise Domain Controllers
Allow | inherit,inherit ony,inherited, | read property, | Token-Groups | Group | Enterprise Domain Controllers
Allow | inherit,inherit ony,inherited, | read property, | Token-Groups | User | Enterprise Domain Controllers
Allow | inherit,inherit ony,inherited, | read SD,list children,read property,list object, | | inetOrgPerson | pre win2k
Allow | inherit,inherit ony,inherited, | read SD,list children,read property,list object, | | Group | pre win2k
Allow | inherit,inherit ony,inherited, | read SD,list children,read property,list object, | | User | pre win2k
Allow | inherit,inherited, | read property,write property,control access, | Private-Information | | Self
Allow | inherit,inherited, | delete,read SD,write DACL,change owner,create child,delete child,list children,self write,read property,write property,delete tree,list object,control access, | | | Enterprise Admins
Allow | inherit,inherited, | list children, | | | pre win2k
Allow | inherit,inherited, | delete,read SD,write DACL,change owner,create child,list children,self write,read property,write property,list object,control access, | | | Administrators
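The translation shown above can be reproduced offline when auditing exported SDDL strings. The following Python sketch is an added example, not part of explain_sd or of the product's code. It decodes only the two-letter codes that appear in the example, leaves object GUIDs unresolved because naming them requires the directory schema, and flags trustees that hold write DACL or change owner. The function and table names are hypothetical.

```python
import re
# Two-letter SDDL codes mapped to the labels explain_sd prints above.
RIGHTS = {"SD": "delete", "RC": "read SD", "WD": "write DACL", "WO": "change owner",
          "CC": "create child", "DC": "delete child", "LC": "list children",
          "SW": "self write", "RP": "read property", "WP": "write property",
          "DT": "delete tree", "LO": "list object", "CR": "control access"}
FLAGS = {"CI": "inherit", "IO": "inherit only", "ID": "inherited"}
TRUSTEES = {"SY": "System", "DA": "Domain Admins", "AO": "Account operators",
            "PO": "Print operators", "AU": "Authenticated users", "RU": "pre win2k",
            "ED": "Enterprise Domain Controllers", "PS": "Self",
            "EA": "Enterprise Admins", "BA": "Administrators"}
ACE_TYPES = {"A": "Allow", "OA": "Allow", "D": "Deny", "OD": "Deny"}
RISKY = {"WD", "WO"}  # write DACL / change owner: trustee can rewrite the ACL
# Constructed sample: five ACEs copied from the example SDDL string above.
SAMPLE = ("O:DAG:DAD:AI(A;;RCWDWOCCDCLCSWRPWPLOCR;;;DA)"
          "(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)(A;;RCLCRPLO;;;AU)"
          "(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;"
          "4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(A;CIID;LC;;;RU)")

def pairs(codes):
    """Split a run of two-letter codes: 'RCWD' -> ['RC', 'WD']."""
    if not re.fullmatch(r"(?:[A-Z]{2})*", codes):
        raise ValueError(f"not a run of two-letter codes: {codes!r}")
    return re.findall("..", codes)

def parse_sddl(sddl):
    """Parse 'O:..G:..D:flags(ACE)...'; SACLs, hex masks, conditional ACEs unsupported."""
    sddl = "".join(sddl.split())  # tolerate a string wrapped across lines
    m = re.fullmatch(r"O:([^:()]+?)G:([^:()]+?)D:([A-Z_]*)((?:\([^()]*\))*)", sddl)
    if not m:
        raise ValueError("unsupported SDDL layout")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m[4]):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"ACE must have six fields: {body!r}")
        typ, flags, rights, obj, inherit_obj, sid = fields
        aces.append({"type": ACE_TYPES.get(typ, typ), "object": obj,
                     "flags": [FLAGS.get(f, f) for f in pairs(flags)],
                     "rights": [RIGHTS.get(r, r) for r in pairs(rights)],
                     "inherit_object": inherit_obj, "trustee": TRUSTEES.get(sid, sid),
                     "risky": sorted(RISKY & set(pairs(rights)))})
    return {"owner": TRUSTEES.get(m[1], m[1]), "group": TRUSTEES.get(m[2], m[2]),
            "dacl_flags": m[3], "aces": aces}

def dacl_writers(sd):
    """Trustees whose Allow ACEs include write DACL or change owner."""
    return [(a["trustee"], a["risky"]) for a in sd["aces"]
            if a["type"] == "Allow" and a["risky"]]
```

Codes or trustees missing from the tables are passed through unchanged, so an unfamiliar SID string in the output marks an entry to look up by hand.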
Related Commands
The following commands enable you to work with security descriptor strings:
remove_sd_ace removes an access control entry (ACE) from a security descriptor.
add_sd_ace adds an access control entry to a security descriptor.
set_sd_owner sets the owner of a security descriptor.