ConvertFrom-SddlString
Converts a SDDL string to a custom object.
Syntax
ConvertFrom-SddlString
[-Sddl] <String>
[-Type <AccessRightTypeNames>]
[<CommonParameters>] Description
This cmdlet is only available on the Windows platform.
The ConvertFrom-SddlString cmdlet converts a Security Descriptor Definition Language string to a
custom PSCustomObject object with the following properties: Owner, Group, DiscretionaryAcl,
SystemAcl and RawDescriptor.
Owner, Group, DiscretionaryAcl and SystemAcl properties contain a readable text representation of the access rights specified in a SDDL string.
This cmdlet was introduced in PowerShell 5.0.
Examples
Example 1: Convert file system access rights SDDL to a PSCustomObject
$acl = Get-Acl -Path C:\Windows
ConvertFrom-SddlString -Sddl $acl.SddlThe first command uses the Get-Acl cmdlet to get the security descriptor for the C:\Windows folder
and saves it in the variable.
The second command uses the ConvertFrom-SddlString cmdlet to get the text representation of the
SDDL string, contained in the Sddl property of the object representing the security descriptor.
Example 2: Convert registry access rights SDDL to a PSCustomObject
$acl = Get-Acl HKLM:\SOFTWARE\Microsoft\
ConvertFrom-SddlString -Sddl $acl.Sddl -Type RegistryRightsThe first command uses the Get-Acl cmdlet to get the security descriptor for the
HKLM:\SOFTWARE\Microsoft\ key and saves it in the variable.
The second command uses the ConvertFrom-SddlString cmdlet to get the text representation of the
SDDL string, contained in the Sddl property of the object representing the security descriptor.
It uses the -Type parameter to specify that SDDL string represents a registry security descriptor.
Example 3: Convert registry access rights SDDL to a PSCustomObject by using ConvertFrom-SddlString with and without the `-Type` parameter
$acl = Get-Acl -Path HKLM:\SOFTWARE\Microsoft\
ConvertFrom-SddlString -Sddl $acl.Sddl | Foreach-Object {$_.DiscretionaryAcl[0]}
BUILTIN\Administrators: AccessAllowed (ChangePermissions, CreateDirectories, Delete, ExecuteKey, FullControl, GenericExecute, GenericWrite, ListDirectory, ReadExtendedAttributes, ReadPermissions, TakeOwnership, Traverse, WriteData, WriteExtendedAttributes, WriteKey)
ConvertFrom-SddlString -Sddl $acl.Sddl -Type RegistryRights | Foreach-Object {$_.DiscretionaryAcl[0]}
BUILTIN\Administrators: AccessAllowed (ChangePermissions, CreateLink, CreateSubKey, Delete, EnumerateSubKeys, ExecuteKey, FullControl, GenericExecute, GenericWrite, Notify, QueryValues, ReadPermissions, SetValue, TakeOwnership, WriteKey)The first command uses the Get-Acl cmdlet to get the security descriptor for the
HKLM:\SOFTWARE\Microsoft\ key and saves it in the variable.
The second command uses the ConvertFrom-SddlString cmdlet to get the text representation of the
SDDL string, contained in the Sddl property of the object representing the security descriptor.
It doesn't use the -Type parameter, so the access rights shown are for file system.
The third command uses the ConvertFrom-SddlString cmdlet with the -Type parameter, so the access
rights returned are for registry.
Parameters
-Sddl
Specifies the string representing the security descriptor in SDDL syntax.
| Type: | String |
| Position: | 0 |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-Type
Specifies the type of rights that SDDL string represents.
The acceptable values for this parameter are:
- FileSystemRights
- RegistryRights
- ActiveDirectoryRights
- MutexRights
- SemaphoreRights
- CryptoKeyRights
- EventWaitHandleRights
By default cmdlet uses file system rights.
CryptoKeyRights and ActiveDirectoryRights are not supported in PowerShell v6 and higher.
| Type: | Microsoft.PowerShell.Commands.ConvertFromSddlStringCommand+AccessRightTypeNames |
| Accepted values: | FileSystemRights, RegistryRights, ActiveDirectoryRights, MutexRights, SemaphoreRights, CryptoKeyRights, EventWaitHandleRights |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
Inputs
You can pipe a SDDL string to this cmdlet.
Notes
This cmdlet is only available on Windows platforms.
