HI reuvygroovy,
"Still not clear how to intepret this string:"
There is answer:
O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x5;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x2;;;BA)(A;;0x2;;;LS)(A;;0x2;;;NS)
Entry meanings:
O:BA Object owner is Built-in Admin (BA).
G:SY Primary group is System (SY).
D: It's a discretionary access control list (DACL), rather than an audit entry or SACL.
(D;;0xf0007;;;AN) Deny Anonymous (AN) all access. (1=Read + 2=Write + 4=Clear) (First ACE string in this SDDL).
(D;;0xf0007;;;BG) Deny Built-in Guests (BG) all access.
(A;;0xf0005;;;SY) Allow System Read and Clear (1=Read + 4=Clear), including DELETE, READ_CONTROL, WRITE_DAC, and WRITE_OWNER (indicated by the 0xf0000).
(A;;0x7;;;BA) Allow Built-in Admin READ, WRITE, and CLEAR.
(A;;0x7;;;SO) Allow Server Operators READ, WRITE, and CLEAR.
(A;;0x3;;;IU) Allow Interactive Users READ and WRITE.
(A;;0x3;;;SU) Allow Service accounts READ and WRITE.
2.How do you break up each group (permission, user, etc.)?
The Security Descriptor Definition Language of Love (Part 1)
https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/the-security-descriptor-definition-language-of-love-part-1/ba-p/395202
The Security Descriptor Definition Language of Love (Part 2)
https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/the-security-descriptor-definition-language-of-love-part-2/ba-p/395258
Fail to write to the Windows event log from an ASP.NET or ASP application
https://learn.microsoft.com/en-us/troubleshoot/aspnet/fail-write-event-log
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.