An SDDL string is a single sequence of characters. The format can be ANSI or Unicode; the actual protocol MUST specify the character set that is used. Regardless of the character set used, the characters that can be used are alphanumeric and punctuation.
The format for an SDDL string is described by the following ABNF (as specified in [RFC5234]) grammar, where the elements are as shown here.<80>
```abnf
sddl = [owner-string] [group-string] [dacl-string] [sacl-string]
owner-string = "O:" sid-string
group-string = "G:" sid-string
dacl-string = "D:" [acl-flag-string] [aces]
sacl-string = "S:" [acl-flag-string] [aces]
sid-string = sid-token / sid-value
sid-value = SID ; defined in section 2.4.2.1
sid-token = "DA" / "DG" / "DU" / "ED" / "DD" / "DC" / "BA" / "BG" / "BU" / "LA" / "LG" / "AO" /
            "BO" / "PO" / "SO" / "AU" / "PS" / "CO" / "CG" / "SY" / "PU" / "WD" / "RE" / "IU" /
            "NU" / "SU" / "RC" / "WR" / "AN" / "SA" / "CA" / "RS" / "EA" / "PA" / "RU" / "LS" /
            "NS" / "RD" / "NO" / "MU" / "LU" / "IS" / "CY" / "OW" / "ER" / "RO" / "CD" / "AC" /
            "RA" / "ES" / "MS" / "UD" / "HA" / "CN" / "AA" / "RM" / "LW" / "ME" / "MP" / "HI" / "SI"
acl-flag-string = *acl-flag
acl-flag = "P" / "AR" / "AI"
aces = *(ace / conditional-ace / resource-attribute-ace)
ace = "(" ace-type ";" [ace-flag-string] ";" ace-rights ";" [object-guid] ";" [inherit-object-guid] ";" sid-string ")"
ace-type = "A" / "D" / "OA" / "OD" / "AU" / "OU" / "ML" / "SP"
conditional-ace = "(" conditional-ace-type ";" [ace-flag-string] ";" ace-rights ";" [object-guid] ";" [inherit-object-guid] ";" sid-string ";" "(" cond-expr ")" ")"
conditional-ace-type = "XA" / "XD" / "ZA" / "XU"
central-policy-ace = "(" "SP" ";" [ace-flag-string] ";;;;" capid-value-sid ")"
capid-value-sid = "S-1-17-" 1*SubAuthority ; SubAuthority defined in section 2.4.2.1
resource-attribute-ace = "(" "RA" ";" [ace-flag-string] ";;;;" ( "WD" / "S-1-1-0" ) ";(" attribute-data "))"
attribute-data = DQUOTE 1*attr-char2 DQUOTE "," ( TI-attr / TU-attr / TS-attr / TD-attr / TX-attr / TB-attr )
TI-attr = "TI" "," attr-flags *("," int-64)
TU-attr = "TU" "," attr-flags *("," uint-64)
TS-attr = "TS" "," attr-flags *("," char-string)
TD-attr = "TD" "," attr-flags *("," sid-string)
TX-attr = "TX" "," attr-flags *("," octet-string)
TB-attr = "TB" "," attr-flags *("," ( "0" / "1" ) )
attr-flags = "0x" ([*4HEXDIG "00"] sys-attr-flags / *"0" sys-attr-flags / *"0" HEXDIG)
sys-attr-flags = ( "0" / "1" / "2" / "3" ) HEXDIG
ace-flag-string = ace-flag ace-flag-string / ""
ace-flag = "CI" / "OI" / "NP" / "IO" / "ID" / "SA" / "FA"
ace-rights = (*text-rights-string) / ("0x" 1*8HEXDIG) / ("0" 1*%x30-37) / (1*DIGIT) ; numeric values must fit within 64 bits
text-rights-string = generic-rights-string / standard-rights-string / object-specific-rights-string
generic-rights-string = generic-right / generic-rights-string / ""
generic-right = "GA" / "GW" / "GR" / "GX"
standard-rights-string = standard-right / standard-rights-string / ""
standard-right = "WO" / "WD" / "RC" / "SD"
object-specific-rights-string = object-specific-right / object-specific-rights-string / ""
object-specific-right = <any object-specific right, for objects like files, registry keys, directory objects, and others>
guid = "" / 8HEXDIG "-" 4HEXDIG "-" 4HEXDIG "-" 4HEXDIG "-" 12HEXDIG
; The second option is the GUID of the object in the form
; "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" where each "X" is a hex digit
object-guid = guid
inherit-object-guid = guid
wspace = 1*(%x09-0D / %x20)
term = [wspace] (memberof-op / exists-op / rel-op / contains-op / anyof-op / attr-name / rel-op2) [wspace]
; multiple rules for cond-expr to represent different precedence of || and &&
; super-term and factor are intermediate rules and used only in this part of the grammar
cond-expr = expr
expr = super-term [wspace] *( "||" [wspace] super-term )
super-term = factor [wspace] *( "&&" [wspace] factor )
factor = term
factor /= "(" [wspace] expr [wspace] ")"
factor /= "!" [wspace] factor
memberof-op = ( "Member_of" / "Not_Member_of" / "Member_of_Any" / "Not_Member_of_Any" / "Device_Member_of" / "Device_Member_of_Any" / "Not_Device_Member_of" / "Not_Device_Member_of_Any" ) wspace sid-array
exists-op = ( "Exists" / "Not_exists" ) wspace attr-name
rel-op = attr-name [wspace] ("<" / "<=" / ">" / ">=") [wspace] (attr-name2 / value) ; only scalars
rel-op2 = attr-name [wspace] ("==" / "!=") [wspace] ( attr-name2 / value-array ) ; scalar or list
contains-op = attr-name wspace ("Contains" / "Not_Contains") wspace (attr-name2 / value-array)
anyof-op = attr-name wspace ("Any_of" / "Not_Any_of") wspace (attr-name2 / value-array)
attr-name1 = attr-char1 *(attr-char1 / "@") ; old simple name
attr-char1 = 1*(ALPHA / DIGIT / ":" / "." / "/" / "_")
attr-name2 = ("@user." / "@device." / "@resource.") 1*attr-char2 ; new prefixed name form
attr-char2 = attr-char1 / lit-char
attr-name = attr-name1 / attr-name2 ; either name form
sid-array = "{" [wspace] literal-SID [wspace] *( "," [wspace] literal-SID [wspace] ) "}"
literal-SID = "SID(" sid-string ")"
value-array = value [wspace] / "{" [wspace] value [wspace] *( "," [wspace] value [wspace] ) "}"
value = int-64 / char-string / octet-string
int-64 = ["+" / "-"] ("0x" 1*HEXDIG) / ("0" 1*%x30-37) / 1*DIGIT ; values must fit within 64 bits in two's complement form
uint-64 = ("0x" 1*HEXDIG) / ("0" 1*%x30-37) / 1*DIGIT ; values must fit within 64 bits
char-string = DQUOTE *(CHAR) DQUOTE
octet-string = "#" *(2HEXDIG)
lit-char = "#" / "$" / "'" / "*" / "+" / "-" / "." / "/" / ":" / ";" / "?" / "@" / "[" / "\" / "]" / "^" / "_" / "`" / "{" / "}" / "~" / %x0080-FFFF / ( "%" 4HEXDIG ) ; 4HEXDIG can have any value except 0000 (NULL)
```
sid-token: An abbreviated form of a well-known SID, per the following table. Several of these two-letter aliases are also valid tokens elsewhere in the grammar ("WD" is also the Write DAC standard right, "RC" Read Control, "DC" Delete Child, "SA" and "FA" are also ace-flags, and "AU" is also the Audit ace-type); the meaning of a token is determined by the field in which it appears.

| SDDL alias | Well-Known SID name |
|---|---|
| "DA" | DOMAIN_ADMINS |
| "DG" | DOMAIN_GUESTS |
| "DU" | DOMAIN_USERS |
| "ED" | ENTERPRISE_DOMAIN_CONTROLLERS |
| "DD" | DOMAIN_DOMAIN_CONTROLLERS |
| "DC" | DOMAIN_COMPUTERS |
| "BA" | BUILTIN_ADMINISTRATORS |
| "BG" | BUILTIN_GUESTS |
| "BU" | BUILTIN_USERS |
| "LA" | ADMINISTRATOR<81> |
| "LG" | GUEST |
| "AO" | ACCOUNT_OPERATORS |
| "BO" | BACKUP_OPERATORS |
| "PO" | PRINTER_OPERATORS |
| "SO" | SERVER_OPERATORS |
| "AU" | AUTHENTICATED_USERS |
| "PS" | PRINCIPAL_SELF |
| "CO" | CREATOR_OWNER |
| "CG" | CREATOR_GROUP |
| "SY" | LOCAL_SYSTEM |
| "PU" | POWER_USERS |
| "WD" | EVERYONE |
| "RE" | REPLICATOR |
| "IU" | INTERACTIVE |
| "NU" | NETWORK |
| "SU" | SERVICE |
| "RC" | RESTRICTED_CODE |
| "WR" | WRITE_RESTRICTED_CODE |
| "AN" | ANONYMOUS |
| "SA" | SCHEMA_ADMINISTRATORS |
| "CA" | CERT_PUBLISHERS |
| "RS" | RAS_SERVERS |
| "EA" | ENTERPRISE_ADMINS |
| "PA" | GROUP_POLICY_CREATOR_OWNER |
| "RU" | ALIAS_PREW2KCOMPACC |
| "LS" | LOCAL_SERVICE |
| "NS" | NETWORK_SERVICE |
| "RD" | REMOTE_DESKTOP |
| "NO" | NETWORK_CONFIGURATION_OPS |
| "MU" | PERFMON_USERS |
| "LU" | PERFLOG_USERS |
| "IS" | IIS_USERS |
| "CY" | CRYPTO_OPERATORS |
| "OW" | OWNER_RIGHTS |
| "ER" | EVENT_LOG_READERS |
| "RO" | ENTERPRISE_RO_DCS |
| "CD" | CERTSVC_DCOM_ACCESS |
| "AC" | ALL_APP_PACKAGES |
| "RA" | RDS_REMOTE_ACCESS_SERVERS |
| "ES" | RDS_ENDPOINT_SERVERS |
| "MS" | RDS_MANAGEMENT_SERVERS |
| "UD" | USER_MODE_DRIVERS |
| "HA" | HYPER_V_ADMINS |
| "CN" | CLONEABLE_CONTROLLERS |
| "AA" | ACCESS_CONTROL_ASSISTANCE_OPS |
| "RM" | REMOTE_MANAGEMENT_USERS |
| "LW" | ML_LOW |
| "ME" | ML_MEDIUM |
| "MP" | ML_MEDIUM_PLUS |
| "HI" | ML_HIGH |
| "SI" | ML_SYSTEM |
acl-flag: Flags for the SECURITY_DESCRIPTOR structure; which control bit each one maps to depends on whether a SACL or a DACL is being processed. These flags are derived from the SECURITY_DESCRIPTOR Control flags specified in section 2.4.6: "P" indicates Protected (PS for a SACL, PD for a DACL), "AR" corresponds to SC or DC (auto-inherit required), and "AI" indicates SI or DI (auto-inherited).
ace-type: String that indicates the type of ACE that is being presented.

| String | ACE type |
|---|---|
| "A" | Access Allowed |
| "D" | Access Denied |
| "AU" | Audit |
| "OA" | Object Access Allowed |
| "OD" | Object Access Denied |
| "OU" | Object Audit |
| "ML" | Mandatory Label |
| "SP" | Central Policy ID |
conditional-ace-type: String that indicates the type of SDDL-supported conditional ACE that is being presented.<82>

| String | ACE type | Numeric value |
|---|---|---|
| "XA" | Access Allowed Callback | 0x9 |
| "XD" | Access Denied Callback | 0xA |
| "XU" | Audit Callback | 0xB |
| "ZA" | Object Access Allowed Callback | 0xD |
central-policy-ace: An ACE type that identifies a central policy to be applied to the resource. Also called a SYSTEM_SCOPED_POLICY_ID ACE (see section 2.4.4.16).<83>
capid-value-sid: A SID with an Authority value of 17 that refers to a CentralAccessPolicy within a CentralAccessPolicysList ([MS-GPCAP] section 3.2.1.1).<84>
resource-attribute-ace: An ACE type that defines a resource attribute (sometimes referred to as a resource property or resource claim). See section 2.4.4.15.<85>
attribute-data: A string specifying the name of a resource attribute and data defining the type and value of the attribute. A resource attribute type can be identified with one of the following strings:<86>

| String | Resource Attribute Type |
|---|---|
| "TI" | 64-bit integer |
| "TU" | Unsigned 64-bit integer |
| "TS" | String of Unicode characters |
| "TD" | A SID in string form |
| "TX" | A string of single-byte (octet) values |
| "TB" | A string containing a Boolean value represented by "1" (True) or "0" (False) |
attr-flags: A 32-bit number containing flag values within a resource attribute. Bits 16-31 can contain custom values; bits 0 through 15 are specified by sys-attr-flags. As the attr-flags rule above shows, only the low six bits of that range can actually be expressed in SDDL: the rule places a "00" byte in bits 8-15, and the first hexadecimal digit of sys-attr-flags is restricted to 0-3.
sys-attr-flags: A two-byte integer that MAY be zero or any combination of the hexadecimal flag values of the CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 structure (section 2.4.10.1).
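As an added example (not code from MS-DTYP or from any Microsoft implementation), the following Python function parses the attribute-data field of an RA ACE as the grammar and the type table above define it, and enforces the attr-flags layout just described: custom bits in 16-31, a zero byte in 8-15, and sys-attr-flags confined to bits 0-5. The sys-attr-flags bit names are those of CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 (section 2.4.10.1); the sample attribute-data string and the range checks on int-64 and uint-64 literals are the example's own constructions.

```python
import re

ATTR_TYPES = {"TI": "int64", "TU": "uint64", "TS": "string", "TD": "sid", "TX": "octets", "TB": "bool"}
# sys-attr-flags bit names, as defined for CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 (section 2.4.10.1).
SYS_FLAGS = {0x01: "NON_INHERITABLE", 0x02: "VALUE_CASE_SENSITIVE", 0x04: "USE_FOR_DENY_ONLY",
             0x08: "DISABLED_BY_DEFAULT", 0x10: "DISABLED", 0x20: "MANDATORY"}
SID_STRING = re.compile(r"S-1-\d+(?:-\d+)+|[A-Z]{2}")     # sid-value / sid-token


def _split_fields(text):
    """Split attribute-data on ',' outside double quotes, since TS values may contain commas."""
    parts, cur, in_str = [], [], False
    for c in text:
        in_str ^= (c == '"')
        if c == "," and not in_str:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
    parts.append("".join(cur))
    return parts


def _unquote(text, what):
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError(f"{what} must be enclosed in double quotes: {text!r}")
    return text[1:-1]


def _decode_name(quoted):
    """attr-char2 name: a %XXXX escape is one UTF-16 code unit; %0000 (NUL) is not allowed."""
    def one(m):
        if m[1] == "0000":
            raise ValueError("%0000 is not a valid escape in an attribute name")
        return chr(int(m[1], 16))
    return re.sub(r"%([0-9A-Fa-f]{4})", one, _unquote(quoted, "attribute name"))


def _int64(text, signed):
    """int-64 / uint-64: optional sign (signed only), then 0x hex, leading-0 octal, or decimal."""
    m = re.fullmatch(r"([+-]?)(0x[0-9A-Fa-f]+|0[0-7]+|\d+)", text)
    if not m or (m[1] and not signed):
        raise ValueError(f"bad {'int' if signed else 'uint'}-64 literal {text!r}")
    body = m[2]
    base = 16 if body.startswith("0x") else 8 if len(body) > 1 and body[0] == "0" else 10
    value = -int(body, base) if m[1] == "-" else int(body, base)
    low, high = (-(1 << 63), (1 << 63) - 1) if signed else (0, (1 << 64) - 1)
    if not low <= value <= high:
        raise ValueError(f"{text} does not fit in 64 bits")
    return value


def _value(kind, tok):
    if kind in ("TI", "TU"):
        return _int64(tok, signed=(kind == "TI"))
    if kind == "TS":
        return _unquote(tok, "TS value")
    if kind == "TD":
        if not SID_STRING.fullmatch(tok):
            raise ValueError(f"bad TD value {tok!r}")
        return tok
    if kind == "TX":
        if not re.fullmatch(r"#(?:[0-9A-Fa-f]{2})*", tok):
            raise ValueError(f"bad TX value {tok!r}")
        return bytes.fromhex(tok[1:])
    if tok not in ("0", "1"):                                   # TB
        raise ValueError(f"bad TB value {tok!r}")
    return tok == "1"


def parse_attribute_data(text):
    """attribute-data = DQUOTE name DQUOTE "," type "," attr-flags *("," value)"""
    parts = _split_fields(text)
    if len(parts) < 3:
        raise ValueError("attribute-data needs at least a name, a type and attr-flags")
    name, kind, flags = _decode_name(parts[0]), parts[1], parts[2]
    if kind not in ATTR_TYPES:
        raise ValueError(f"unknown resource attribute type {kind!r}")
    if not re.fullmatch(r"0x[0-9A-Fa-f]{1,8}", flags):
        raise ValueError(f"attr-flags must be 0x followed by up to 8 hex digits: {flags!r}")
    raw = int(flags, 16)
    # The grammar puts custom flags in bits 16-31 and a "00" byte in bits 8-15, and the first
    # sys-attr-flags digit is 0-3, so only bits 0-5 and 16-31 may ever be set.
    if raw & 0xFFC0:
        raise ValueError(f"attr-flags {flags} sets reserved bits 6-15")
    return {"name": name, "type": ATTR_TYPES[kind], "custom_flags": raw >> 16,
            "sys_flags": [n for bit, n in SYS_FLAGS.items() if raw & bit],
            "values": [_value(kind, v) for v in parts[3:]]}


# Constructed sample: the seventh field of (RA;;;;;WD;("Project",TS,0x10020,"Windows","SQL, Azure"))
SAMPLE = '"Project",TS,0x10020,"Windows","SQL, Azure"'
```

The reserved-bit check is the practical point: a value such as 0x40 is a syntactically plausible hex number but is not producible by the attr-flags rule, and rejecting it keeps the parser from accepting flag bits that no consumer of the attribute will interpret.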
ace-flag-string: A set of ACE flags that define the behavior of the ACE. The strings correlate exactly to the flags as specified in section 2.4.4.1.
generic-rights-string: A set of generic user rights used to perform generic mappings to object-specific rights.
| String | Access right | Hex value |
|---|---|---|
| "GR" | Generic Read | 0x80000000 |
| "GW" | Generic Write | 0x40000000 |
| "GX" | Generic Execute | 0x20000000 |
| "GA" | Generic All | 0x10000000 |
standard-rights-string: A set of SDDL-supported standard user rights.

| String | Access right | Hex value |
|---|---|---|
| "WO" | Write Owner | 0x00080000 |
| "WD" | Write DAC | 0x00040000 |
| "RC" | Read Control | 0x00020000 |
| "SD" | Delete | 0x00010000 |
object-specific-rights-string: A set of object-specific rights; some common ones are shown, but it is recommended that the reader consult a specific protocol for the values, if any, that apply in that protocol.

| String | Object type | Access right | Hex value |
|---|---|---|---|
| "FA" | File | File All Access | 0x001F01FF |
| "FX" | File | File Execute | 0x001200A0 |
| "FW" | File | File Write | 0x00120116 |
| "FR" | File | File Read | 0x00120089 |
| "KA" | Registry Key | Key All Access | 0x000F003F |
| "KR" | Registry Key | Key Read | 0x00020019 |
| "KX" | Registry Key | Key Execute | 0x00020019 |
| "KW" | Registry Key | Key Write | 0x00020006 |
| "CR" | Directory Object | Control Access | 0x00000100 |
| "LO" | Directory Object | List Object | 0x00000080 |
| "DT" | Directory Object | Delete Tree | 0x00000040 |
| "WP" | Directory Object | Write Property | 0x00000020 |
| "RP" | Directory Object | Read Property | 0x00000010 |
| "SW" | Directory Object | Self Write | 0x00000008 |
| "LC" | Directory Object | List Children | 0x00000004 |
| "DC" | Directory Object | Delete Child | 0x00000002 |
| "CC" | Directory Object | Create Child | 0x00000001 |
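As an added example (not code from MS-DTYP or from any Microsoft implementation), the following Python parser follows the ABNF at the top of this section and uses the generic, standard and object-specific rights tables just given: it splits the O:/G:/D:/S: sections, consumes acl-flags, splits ACEs by parenthesis depth so that the nested parentheses of a conditional or RA ACE do not end an ACE early, and decodes ace-rights into a mask. Because the same two-letter token means different things in different positions ("WD" is EVERYONE as a sid-token but Write DAC as a right; "FA" is File All Access as a right but the failed-access audit flag in ace-flag-string), each token is interpreted only by the field it appears in. The sample string, the table of fixed-SID aliases and the "broad write" check at the end are the example's own constructions; only fixed well-known SIDs are resolved, because domain-relative aliases such as DA or EA need a domain SID that the string does not carry.

```python
import functools
import re

# Generic, standard and object-specific rights from the tables in this section.
RIGHTS = {"GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000, "GA": 0x10000000,
          "WO": 0x00080000, "WD": 0x00040000, "RC": 0x00020000, "SD": 0x00010000,
          "FA": 0x001F01FF, "FX": 0x001200A0, "FW": 0x00120116, "FR": 0x00120089,
          "KA": 0x000F003F, "KR": 0x00020019, "KX": 0x00020019, "KW": 0x00020006,
          "CR": 0x100, "LO": 0x80, "DT": 0x40, "WP": 0x20, "RP": 0x10,
          "SW": 0x8, "LC": 0x4, "DC": 0x2, "CC": 0x1}
ACE_TYPES = {"A", "D", "OA", "OD", "AU", "OU", "ML", "SP", "XA", "XD", "ZA", "XU", "RA"}
CONDITIONAL = {"XA", "XD", "ZA", "XU"}
ACE_FLAGS = {"CI", "OI", "NP", "IO", "ID", "SA", "FA"}
# Only fixed well-known SIDs resolve statically; DA, DU, EA etc. need a domain SID, so they stay as aliases.
FIXED_ALIASES = {"WD": "S-1-1-0", "AN": "S-1-5-7", "AU": "S-1-5-11", "SY": "S-1-5-18",
                 "BA": "S-1-5-32-544", "BU": "S-1-5-32-545", "BG": "S-1-5-32-546"}
SID_STRING = re.compile(r"[A-Z]{2}|S-1-\d+(?:-\d+)+")   # sid-token / sid-value
ACL_FLAGS = re.compile(r"(?:P|AR|AI)*")                  # acl-flag-string

def parse_rights(text):
    """ace-rights: a run of two-letter rights, or 0x hex, leading-0 octal, or decimal."""
    if text.startswith("0x"):
        return int(text[2:], 16)
    if text.isdigit():
        return int(text, 8) if len(text) > 1 and text[0] == "0" else int(text)
    toks = [text[i:i + 2] for i in range(0, len(text), 2)]
    if len(text) % 2 or any(t not in RIGHTS for t in toks):
        raise ValueError(f"malformed rights string {text!r}")
    return functools.reduce(lambda mask, t: mask | RIGHTS[t], toks, 0)

def parse_ace(body):
    """ACE body without its parentheses: six ';' fields plus an optional seventh, "(cond-expr)" for
    conditional types or "(attribute-data)" for RA, which may itself contain ';' inside a string."""
    fields = body.split(";", 6)
    if len(fields) < 6:
        raise ValueError(f"ACE has too few fields: ({body})")
    ace_type, flags, rights, obj_guid, inh_guid, sid = fields[:6]
    flag_list = [flags[i:i + 2] for i in range(0, len(flags), 2)]
    if (ace_type not in ACE_TYPES or len(flags) % 2 or any(f not in ACE_FLAGS for f in flag_list)
            or not SID_STRING.fullmatch(sid)):
        raise ValueError(f"bad ace-type, ace-flag-string or sid-string in ({body})")
    ace = {"type": ace_type, "flags": flag_list, "rights": parse_rights(rights),
           "object_guid": obj_guid or None, "inherit_object_guid": inh_guid or None,
           "sid": FIXED_ALIASES.get(sid, sid)}
    if len(fields) == 7:
        ace["condition" if ace_type in CONDITIONAL else "attribute_data"] = fields[6]
    return ace

def _split_aces(s, pos):
    """Consume consecutive "(...)" ACEs from s[pos]; nesting and "quoted" text are honoured."""
    aces = []
    while pos < len(s) and s[pos] == "(":
        start, depth, in_str = pos, 0, False
        while pos < len(s):
            c = s[pos]
            if c == '"':
                in_str = not in_str
            elif not in_str:
                depth += (c == "(") - (c == ")")
                if depth == 0:
                    break
            pos += 1
        if depth:
            raise ValueError("unbalanced parentheses in ACE list")
        aces.append(s[start + 1:pos])
        pos += 1
    return aces, pos

def parse_sddl(sddl):
    """sddl = [owner-string] [group-string] [dacl-string] [sacl-string]"""
    out, pos = {"owner": None, "group": None, "dacl": None, "sacl": None}, 0
    while pos < len(sddl):
        tag = sddl[pos:pos + 2]
        if tag in ("O:", "G:"):
            m = SID_STRING.match(sddl, pos + 2)
            if not m:
                raise ValueError(f"bad sid-string after {tag} at offset {pos}")
            out["owner" if tag == "O:" else "group"] = FIXED_ALIASES.get(m[0], m[0])
            pos = m.end()
        elif tag in ("D:", "S:"):
            m = ACL_FLAGS.match(sddl, pos + 2)
            bodies, pos = _split_aces(sddl, m.end())
            out["dacl" if tag == "D:" else "sacl"] = {"flags": re.findall(r"P|AR|AI", m[0]),
                                                      "aces": [parse_ace(b) for b in bodies]}
        else:
            raise ValueError(f"unexpected text at offset {pos}: {sddl[pos:pos + 12]!r}")
    return out

# Constructed sample: a protected, auto-inherited DACL whose conditional ACE nests parentheses and quotes a ')'.
SAMPLE = ("O:BAG:SYD:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICIIO;FR;;;WD)"
          '(XA;;FA;;;AU;(@User.Title == "Admin (Tier 0)"))(D;;0x00120116;;;AN)S:(AU;SAFA;FA;;;WD)')
BROAD = {"S-1-1-0", "S-1-5-7", "S-1-5-11", "S-1-5-32-545"}   # Everyone, Anonymous, Auth. Users, Users
WRITE_BITS = RIGHTS["GA"] | RIGHTS["GW"] | RIGHTS["WD"] | RIGHTS["WO"] | RIGHTS["SD"]

def broad_write_grants(parsed):
    """Allow ACEs (conditional ones too) giving a broad principal generic write, WRITE_DAC, WRITE_OWNER or DELETE."""
    aces = (parsed["dacl"] or {"aces": []})["aces"]
    return [a for a in aces if a["type"] in ("A", "OA", "XA", "ZA")
            and a["sid"] in BROAD and a["rights"] & WRITE_BITS]
```

Two design choices matter for correctness. ACE bodies are split on at most six ";" because the seventh field of a conditional ACE is free text that may itself contain ";". And the "broad write" check deliberately ignores object-specific write bits (such as the 0x116 inside "FW"), because their meaning depends on the object type the security descriptor is attached to, which the SDDL string does not state; a conditional allow ACE is still reported, since it is a grant whose effect depends on runtime claims.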
term: A string specifying a stand-alone logical expression, which is the simplest form of conditional expression, or a part of a more complex conditional expression.
cond-expr: A conditional expression in textual form. Conditional expressions are specified in section 2.4.4.17.
memberof-op: A string identifying a Member_of type of operator as described in section 2.4.4.17.6. <87>
exists-op: A string identifying an exists type operator as described in section 2.4.4.17.7.
rel-op: A string specifying a binary relational operation: an attribute name or reference, one of the ordering operators "<", "<=", ">", ">=" (without quotes) as described in section 2.4.4.17.6, and an attribute name or a literal value. Equality and inequality ("==" and "!=") are covered by rel-op2, which also accepts a value-array on the right-hand side.
rel-op2: A string specifying a binary comparison that also supports set comparison: an attribute name, the operator "==" or "!=", and either an attribute name (attr-name2) or an array of values (value-array).<88>
contains-op: A string specifying a relational operator term using a Contains or Not_Contains operator.<89>
anyof-op: A string specifying a relational operator term using an Any_of or Not_Any_of operator.<90>
sid-array: A string representation of an array of string SIDs.
literal-SID: A string specifying a literal SID. A literal-SID MUST be prefixed by the string "SID" followed by a sid-string (a SID or one of the sid-token aliases) enclosed in parentheses, for example SID(BA).
attr-name1: A string representing a valid attribute name in simple form.<91> An attribute name in simple form MUST NOT begin with the "@" character and MUST consist only of characters defined by attr-char1 (with "@" permitted after the first character, as the grammar shows). An example of an attribute in simple form is "Title" (without quotes). See section 2.5.1.2.1.
attr-name2: A string representing a valid attribute name in @Prefixed form. An attribute name is in @Prefixed form when it is prefixed with the string "@User.", "@Device.", or "@Resource." and otherwise consists only of characters defined by attr-char2. An example of an attribute in @Prefixed form is "@User.Title" (without quotes). See section 2.5.1.2.2.<92>
attr-char1: A character valid for use in an attribute name in simple form. Valid characters include any ALPHA or DIGIT (as specified in [RFC5234]) or any of the following: ":", ".", "/", "_".
attr-char2: A character valid for use in an attribute name in @Prefixed form. Valid characters include all ASCII and UNICODE characters of the range 0x0-0xFFFF. Characters MAY be encoded either as literals or be encoded with a five-character sequence %XXXX, where XXXX are hexadecimal digits that represent the corresponding 16-bit Unicode value of the character with the following exceptions:
The following characters: "!", "&", "(", ")", ">", "<", "=", "|", "%", SP (space) and DQUOTE (as specified in [RFC5234]) MUST be encoded in the preceding five-character sequence.
The following characters MUST be encoded as literals: "#", "$", "'", "*", "+", "-", ".", "/", ":", ";", "?", "@", "[", "\", "]", "^", "_", "`", "{", "}", "~" and any characters in the ASCII ranges 0x41-0x5A (A-Z), 0x61-0x7A (a-z) and 0x30-0x39 (0-9.)
value-array: A string specifying an array of values. A value-array is either a single value or a set of one or more comma-delimited values enclosed between "{" and "}".
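As an added example (not code from MS-DTYP or from any Microsoft implementation), the following Python function is a one-pass recursive-descent evaluator for cond-expr. Its expr / super-term / factor functions mirror the grammar rules of the same names, which is what gives "&&" precedence over "||", and it uses the three-valued result that section 2.4.4.17 defines: a comparison over an attribute the token does not carry yields UNKNOWN, whereas Exists on such an attribute is FALSE, and UNKNOWN propagates through "!" and through "&&" / "||" unless the other operand decides the result. The token context CTX is constructed. Simplifications that belong to the example and not to the specification: attribute names are lower-cased and looked up as written (so "Title" and "@User.Title" are different keys), octet-string literals, an attr-name2 on the right-hand side of a comparison and a lone attr-name term are not accepted, string comparison is exact, and "==" between lists is treated as set equality.

```python
import operator
import re

TOKEN = re.compile(r'''\s+|(?P<op>\|\||&&|==|!=|<=|>=|[<>!(){},])|(?P<str>"[^"]*")
    |(?P<sid>SID\(\s*(?:S-1-\d+(?:-\d+)+|[A-Z]{2})\s*\))|(?P<num>[+-]?(?:0x[0-9A-Fa-f]+|\d+))
    |(?P<name>@(?:user|device|resource)\.(?:%[0-9A-Fa-f]{4}|[^\s!"%&(),<=>|{}])+
              |[A-Za-z0-9:./_][A-Za-z0-9:./_@]*)|(?P<bad>.)''', re.X | re.I)
REL_OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge}
UNKNOWN = None              # third truth value: a term over an attribute the token does not carry

def literal(kind, text):
    """char-string, literal-SID or int-64 (0x hex, leading-0 octal, decimal) to a Python value."""
    if kind in ("str", "sid"):
        return text[1:-1] if kind == "str" else text[4:-1].strip()
    body = text.lstrip("+-")
    base = 16 if body.lower().startswith("0x") else 8 if len(body) > 1 and body[0] == "0" else 10
    return -int(body, base) if text.startswith("-") else int(body, base)

def kleene(is_or, a, b):
    """Three-valued && / ||: TRUE decides ||, FALSE decides &&, otherwise UNKNOWN propagates."""
    if a is is_or or b is is_or:
        return is_or
    return UNKNOWN if UNKNOWN in (a, b) else not is_or

def evaluate(text, ctx):
    """Parse and evaluate a cond-expr in one pass, one nested function per ABNF rule.
    ctx = {"attrs": {lower-case attr-name: [values]}, "user_sids": set, "device_sids": set}."""
    toks = [(m.lastgroup, m[0]) for m in TOKEN.finditer(text) if m.lastgroup] + [("eof", "")]
    def take(kind=None, val=None):              # consume one token, optionally checking it
        tok = toks.pop(0) if len(toks) > 1 else toks[0]
        if tok[0] == "bad" or (kind and tok[0] != kind) or (val and tok[1] != val):
            raise SyntaxError(f"unexpected {tok[1]!r}, wanted {val or kind or 'a token'}")
        return tok
    def expr():                                 # expr = super-term *("||" super-term)
        v = super_term()
        while toks[0] == ("op", "||"):
            take()
            v = kleene(True, v, super_term())
        return v
    def super_term():                           # super-term = factor *("&&" factor)
        v = factor()
        while toks[0] == ("op", "&&"):
            take()
            v = kleene(False, v, factor())
        return v
    def factor():                               # factor = term / "(" expr ")" / "!" factor
        if toks[0] == ("op", "!"):
            take()
            v = factor()
            return UNKNOWN if v is UNKNOWN else not v
        if toks[0] != ("op", "("):
            return term()
        take()
        v = expr()
        take("op", ")")
        return v
    def array():                                # "{" literal *("," literal) "}"
        take("op", "{")
        items = [literal(*take())]
        while toks[0] == ("op", ","):
            take()
            items.append(literal(*take()))
        take("op", "}")
        return items
    def term():
        word = take("name")[1].lower()
        member = re.fullmatch(r"(not_)?(device_)?member_of(_any)?", word)
        if member:                              # memberof-op against user or device group SIDs
            sids = ctx["device_sids"] if member[2] else ctx["user_sids"]
            hit = (any if member[3] else all)(s in sids for s in array())
            return not hit if member[1] else hit
        if word in ("exists", "not_exists"):    # exists-op: an absent attribute is FALSE, not UNKNOWN
            hit = bool(ctx["attrs"].get(take("name")[1].lower()))
            return hit if word == "exists" else not hit
        op = take()[1].lower()                  # rel-op / rel-op2 / contains-op / anyof-op
        if op not in REL_OPS and op not in ("==", "!=", "contains", "not_contains", "any_of", "not_any_of"):
            raise SyntaxError(f"expected a relational operator after {word!r}, got {op!r}")
        left = ctx["attrs"].get(word)
        right = array() if toks[0] == ("op", "{") else [literal(*take())]
        if left is None:                        # a missing attribute makes the whole term UNKNOWN
            return UNKNOWN
        if op in REL_OPS:                       # rel-op: one scalar against one of the same type
            scalar = len(left) == len(right) == 1 and type(left[0]) is type(right[0])
            return REL_OPS[op](left[0], right[0]) if scalar else UNKNOWN
        if op in ("==", "!="):                  # rel-op2: value lists compared as sets (assumption)
            hit = set(left) == set(right)
        elif op in ("contains", "not_contains"):
            hit = set(right) <= set(left)
        else:                                   # any_of / not_any_of
            hit = bool(set(left) & set(right))
        return not hit if op.startswith(("!", "not_")) else hit

    value = expr()
    take("eof")                                 # anything left over is a syntax error
    return value

# Constructed context (not from a real token): user claims plus user and device group SIDs.
CTX = {"attrs": {"@user.title": ["Admin"], "@user.clearance": [3], "@user.project": ["Windows", "SQL"]},
       "user_sids": {"S-1-5-32-544", "S-1-5-21-1-2-3-1104"}, "device_sids": {"S-1-5-21-1-2-3-2201"}}
```

The practical consequence of the three-valued result is that a conditional allow ACE whose condition evaluates to UNKNOWN does not grant access, so a policy written as `@User.Clearance >= 3` silently excludes every principal whose token carries no Clearance claim at all; if that is not intended, the condition has to say so explicitly with `!(Exists @User.Clearance) || @User.Clearance >= 3`.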