i was counting my lucky stars that i never had to give any thought to deciphering SDDLs (security descriptor definition language). some people have written entire diatribes on the subject. for me, i just need a reference. hence, my posting...

sddl is broken down into four parts:

    object
    primary group
    dacl
    sacl

sddl string is easier to look at like this since there are no spaces or visible terminators other than the colon:

    o:[ sid_string ]g:[ sid_string ]d:[ dacl_flags ]( ace_string )

it's important to note the format of the ace string is broken down like this:

    [ace_type];[ace_flags];[rights];[object_guid];[inherit_object_guid];[account_sid]

i created a file called text.txt in my c:\temp directory. in the GUI, it's expressed as this:

    Administrators - Full Control
    SYSTEM - Full Control
    Users - Read & Execute

in sddl, it's expressed as:

    O:BAG:DUD:ARAI(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x1200a9;;;BU)(A;ID;FA;;;BA)(A;ID;FA;;;SY)(A;ID;0x1200a9;;;
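an added example (not part of the original post): a small python parser that splits a string in the layout above into its parts and decodes each ace field by field. the function names and lookup tables are this example's own and cover only the codes in the post's string; it assumes the o:/g:/d: layout shown here (no s: part) and rejects a string whose last ace is cut off.

```python
import re

# lookup tables cover only the codes that appear in this post's string
SIDS = {"BA": "builtin administrators", "SY": "local system",
        "BU": "builtin users", "DU": "domain users"}
DACL_FLAGS = {"P": "protected", "AR": "auto-inherit requested", "AI": "auto-inherited"}
ACE_TYPES = {"A": "allow", "D": "deny"}
ACE_FLAGS = {"ID": "inherited", "OI": "object inherit", "CI": "container inherit"}
RIGHTS = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0}  # file masks

# constructed sample: the post's string with the cut-off final ace left out
SAMPLE = ("O:BAG:DUD:ARAI(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x1200a9;;;BU)"
          "(A;ID;FA;;;BA)(A;ID;FA;;;SY)")

def rights_mask(rights):
    """rights field -> integer mask; accepts hex or concatenated codes."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for code in re.findall("..", rights):
        mask |= RIGHTS[code]
    return mask

def rights_names(mask):
    """name the generic file rights whose bits are all set in the mask."""
    if mask == RIGHTS["FA"]:
        return ["FA"]
    return [n for n, bits in RIGHTS.items() if n != "FA" and mask & bits == bits]

def parse_ace(body):
    fields = body.split(";")
    if len(fields) != 6:
        raise ValueError("ace needs 6 ';'-separated fields: " + body)
    ace_type, flags, rights, _obj_guid, _inherit_guid, sid = fields
    mask = rights_mask(rights)
    return {"type": ACE_TYPES.get(ace_type, ace_type),
            "flags": [ACE_FLAGS.get(f, f) for f in re.findall("..", flags)],
            "mask": mask, "rights": rights_names(mask),
            "trustee": SIDS.get(sid, sid)}

def parse_sddl(sddl):
    """split owner (o:), group (g:), dacl flags and every complete (ace)."""
    m = re.fullmatch(r"O:(.*?)G:(.*?)D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if m is None:
        raise ValueError("incomplete or unsupported sddl string")
    owner, group, dflags, aces = m.groups()
    return {"owner": SIDS.get(owner, owner), "group": SIDS.get(group, group),
            "dacl_flags": [DACL_FLAGS[f] for f in re.findall("AR|AI|P", dflags)],
            "aces": [parse_ace(a) for a in re.findall(r"\(([^)]*)\)", aces)]}
```

`parse_sddl(SAMPLE)["aces"][2]` shows the hex mask 0x1200a9 is FR combined with FX, which is what the GUI labels Read & Execute.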