The Sddl tool works with Windows security descriptors represented in Security Descriptor Definition Language (SDDL) or raw binary form. Use it to understand access control entries, convert between SDDL and binary representations, resolve well-known SIDs, and look up Active Directory extended rights and property GUIDs.

Subcommands

Command      Description
describe     Parse and describe a security descriptor
lookupguid   Look up a GUID for an AD extended right, property, or property set
lookupwks    Look up a well-known SID
For help on any subcommand, run Sddl <subcommand> -h.

describe

Parses a security descriptor and prints a human-readable description of its owner, group, DACL, and SACL. Accepts input in either SDDL string form or as a hex-encoded binary security descriptor.
Sddl describe [options] <SddlOrHex>
SddlOrHex
SecurityDescriptor[]
required
One or more security descriptors. Each may be:
  • An SDDL string: O:BAG:SYD:(A;;0x1F;;;BA)
  • A hex-encoded binary security descriptor: 010004805800...
-ObjectType
string
The type of object the security descriptor belongs to. Controls how access mask bits are translated to named permissions. Defaults to File if not specified. Possible values:
  • File
  • Directory
  • RegistryKey
  • SamServer
  • SamDomain
  • SamGroup
  • SamAlias
  • SamUserAccount
  • DirectoryObject
  • Scm
  • Service
-PrintHex
boolean
Print the binary form of the security descriptor as a hex string. Use this to convert an SDDL input to its binary representation.
-PrintSddl
boolean
Print the SDDL form of the security descriptor. Use this to convert a binary hex input to SDDL.
-ConsoleOutputStyle (-OutputStyle)
string
Output format: Freeform, Raw, Table, List, Csv, Tsv, Json.
-Verbose (-V)
boolean
Print verbose messages.
-Diagnostic (-vv)
boolean
Print diagnostic messages.

Conversion

-PrintHex and -PrintSddl let you convert between representations:
  • Pass an SDDL string and use -PrintHex to get the binary form.
  • Pass a hex-encoded binary and use -PrintSddl to get the SDDL string.

Examples

Sddl describe O:BAG:SYD:PAI(A;CI;KA;;;BA)(A;CI;KR;;;AU)(A;CI;KA;;;LS)(A;CI;KA;;;NS)(A;CI;KR;;;IU)(A;CI;KA;;;SY) -ObjectType RegistryKey
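As an added worked example (not the Sddl tool's own code) of what describe does with -ObjectType RegistryKey on the descriptor above: a small SDDL DACL parser that decodes each ACE's rights field against the registry access-mask table, resolves a few well-known SID abbreviations, and lists allow ACEs that grant write-capable rights to principals outside an assumed trusted set (BA, SY, DA).

```python
import re
# Added example, not the Sddl tool's own code. Mask bits are the Windows registry and
# standard access rights; the WKS table is a subset of the SDDL abbreviations.
WKS = {"BA": "Builtin Administrators", "SY": "Local System", "DA": "Domain Admins",
       "AU": "Authenticated Users", "IU": "Interactive Users", "BU": "Builtin Users",
       "LS": "Local Service", "NS": "Network Service", "WD": "Everyone"}
RIGHTS = {"KA": 0xF003F, "KR": 0x20019, "KW": 0x20006, "KX": 0x20019,
          "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000}
REG_BITS = {0x1: "KEY_QUERY_VALUE", 0x2: "KEY_SET_VALUE", 0x4: "KEY_CREATE_SUB_KEY",
            0x8: "KEY_ENUMERATE_SUB_KEYS", 0x10: "KEY_NOTIFY", 0x20: "KEY_CREATE_LINK",
            0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
            0x10000000: "GENERIC_ALL", 0x20000000: "GENERIC_EXECUTE",
            0x40000000: "GENERIC_WRITE", 0x80000000: "GENERIC_READ"}
# Bits that let a principal modify the key, its subkeys or its ACL ("write-capable").
WRITE_MASK = 0x2 | 0x4 | 0x20 | 0x10000 | 0x40000 | 0x80000 | 0x10000000 | 0x40000000
TRUSTED = {"BA", "SY", "DA"}   # assumed set of principals expected to hold write rights
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")
EXAMPLE_SD = ("O:BAG:SYD:PAI(A;CI;KA;;;BA)(A;CI;KR;;;AU)(A;CI;KA;;;LS)"   # the describe
              "(A;CI;KA;;;NS)(A;CI;KR;;;IU)(A;CI;KA;;;SY)")               # example above

def parse_rights(field: str) -> int:
    """Rights field is either a hex literal (0x1F) or concatenated 2-letter rights (KA, GRGW)."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        mask |= RIGHTS[field[i:i + 2]]   # KeyError for an abbreviation this table lacks
    return mask

def registry_names(mask: int) -> list:
    """Translate a mask to RegistryKey permission names, as -ObjectType RegistryKey does."""
    return [name for bit, name in REG_BITS.items() if mask & bit]

def parse_dacl(sddl: str) -> list:
    """Return the DACL's ACEs as dicts (object and inherit GUID fields are not decoded)."""
    m = re.search(r"D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not m:
        return []
    return [{"type": t, "flags": f, "mask": parse_rights(r), "sid": sid,
             "principal": WKS.get(sid, sid)}
            for t, f, r, _obj, _inh, sid in ACE_RE.findall(m.group(2))]

def write_grants_outside(sddl: str, trusted=TRUSTED) -> list:
    """SIDs of allow ACEs granting write-capable rights to principals outside `trusted`."""
    return [a["sid"] for a in parse_dacl(sddl)
            if a["type"] == "A" and a["mask"] & WRITE_MASK and a["sid"] not in trusted]

if __name__ == "__main__":
    for ace in parse_dacl(EXAMPLE_SD):
        print(ace["type"], ace["flags"], ace["principal"], ",".join(registry_names(ace["mask"])))
    print("write-capable grants outside trusted set:", write_grants_outside(EXAMPLE_SD))
```

On the example descriptor this reports LS and NS, since both service accounts receive KA (full control) on the key while AU and IU receive only KR.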

lookupguid

Looks up one or more GUIDs and identifies them as Active Directory extended rights, properties, or property sets.
Sddl lookupguid [options] <Guid>
Guid
Guid[]
required
One or more GUIDs to look up, in standard {...} or plain hyphenated format. Separate multiple GUIDs with commas.
-OutputFields
string[]
Fields to display. Possible values: EqualityContract, Guid, Kind, Name.
-ConsoleOutputStyle (-OutputStyle)
string
Output format: Freeform, Raw, Table, List, Csv, Tsv, Json.

Example

Sddl lookupguid 5f202010-79a5-11d0-9020-00c04fc2d4cf, 4c164200-20c0-11d0-a768-00aa006e0529
This command identifies the two GUIDs — one is the “Logon Information” property set and the other is the “Account Restrictions” property set.

lookupwks

Looks up well-known SIDs by their string SID or well-known SID (WKS) abbreviation.
Sddl lookupwks [options] <SidOrWks>
SidOrWks
SecurityIdentifier[]
required
One or more SID strings or WKS abbreviations to look up. Separate multiple values with commas. Accepts:
  • Well-known SID abbreviations: DA, BA, SY, BU
  • String SIDs: S-1-18-1
  • Domain placeholder SIDs: S-1-5-21-<domain>-512
-OutputFields
string[]
Fields to display. Possible values: EqualityContract, Wks, Sid.
-ConsoleOutputStyle (-OutputStyle)
string
Output format: Freeform, Raw, Table, List, Csv, Tsv, Json.

Examples

Sddl lookupwks DA, S-1-18-1

Common usage patterns

Pipe or pass the SDDL output from Reg getsd directly into Sddl describe to get a readable breakdown:
# Get the DACL as SDDL from the remote registry
Reg getsd -UserName admin@CORP -Password P@ss LUMON-FS1 HKCU\Software

# Then describe the SDDL output
Sddl describe "O:BAG:SYD:PAI(A;CI;KA;;;BA)..." -ObjectType RegistryKey
Active Directory DACL entries on directory objects often use GUIDs to reference extended rights or attribute property sets. Use lookupguid to identify them:
Sddl lookupguid 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2
This identifies the GUID as the “DS-Replication-Get-Changes” extended right (required for DCSync).
Security descriptor values in the registry (Reg getsd) or LDAP (nTSecurityDescriptor attribute) may be returned as hex bytes. Use Sddl describe with -PrintSddl to convert them:
Sddl describe 010004805800000068000000... -PrintSddl

Related
  • Reg getsd: Retrieve security descriptors from remote registry keys.
  • Reg setsd: Apply SDDL security descriptors to registry keys.
  • Ldap: Query the nTSecurityDescriptor attribute on AD objects.
