
  • File ConvertFrom-SDDL.ps1 — part of check-in [127699139a] at 2018-06-10 14:15:20 on branch trunk — channelAccess: O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573) (user: Matthew Graeber size: 5200)

# encoding: ascii
# api: powershell
# title: ConvertFrom-SDDL
# description: channelAccess: O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)
# version: 0.1
# type: script
# author: Matthew Graeber 
# license: CC0
# x-poshcode-id: 6412
# x-archived: 2016-09-08T23:03:40
# x-published: 2016-06-28T01:40:00
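filter ConvertFrom-SDDL
{
<#
.SYNOPSIS

    Convert a raw security descriptor from SDDL form to a parsed security descriptor.

    Author: Matthew Graeber (@mattifestation)

.DESCRIPTION

    ConvertFrom-SDDL generates a parsed security descriptor based upon any string in raw security descriptor definition language (SDDL) form. ConvertFrom-SDDL will parse the SDDL regardless of the type of object the security descriptor represents.

    The owner, the group and the identity of every DACL entry are translated to account names. An identity that cannot be mapped on this host (orphaned SID, untrusted or unreachable domain) is reported as its raw SID string instead of aborting the conversion, so no ACE is silently lost. Only the DACL is expanded; the SACL and object-specific GUIDs of object ACEs are not reported.

.PARAMETER RawSDDL

    Specifies the security descriptor in raw SDDL form.

.EXAMPLE

    ConvertFrom-SDDL -RawSDDL 'D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089;;;NS)'

.EXAMPLE

    'O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0005;;;SY)(A;;0x5;;;BA)', 'O:BAG:SYD:PAI(D;OICI;FA;;;BG)(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)' | ConvertFrom-SDDL

.INPUTS

    System.String

    ConvertFrom-SDDL accepts SDDL strings from the pipeline

.OUTPUTS

    System.Management.Automation.PSObject

    One object per input string with Owner, Group and Access properties. Access is $null when the
    SDDL carries no DACL, otherwise an array of objects with Rights, IdentityReference, IsInherited,
    InheritanceFlags, PropagationFlags and AccessControlType.
#>

    Param (
        [Parameter( Position = 0, Mandatory = $True, ValueFromPipeline = $True )]
        [ValidateNotNullOrEmpty()]
        [String]
        $RawSDDL
    )

    Set-StrictMode -Version 2

    # Translate a SID to a DOMAIN\Name string. A SID with no mapping on this host would
    # otherwise throw and discard the whole descriptor - precisely the ACE (orphaned
    # account, foreign domain) an analyst most wants to see - so the raw SID string is
    # returned in that case. Any other translation failure still propagates.
    function Resolve-SidName
    {
        Param ([Security.Principal.SecurityIdentifier] $Sid)

        try
        {
            $Sid.Translate([Security.Principal.NTAccount]).Value
        }
        catch [Security.Principal.IdentityNotMappedException]
        {
            $Sid.Value
        }
    }

    # Parse the SDDL. RawSecurityDescriptor is a public mscorlib type, so it can be
    # named directly instead of being located by scanning every type in the assembly.
    try
    {
        $Sddl = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $RawSDDL
    }
    catch [Management.Automation.MethodInvocationException]
    {
        # Rethrow the record that was actually caught; $Error[0] is merely the session's
        # most recent error and is not guaranteed to be this one.
        throw $_
    }

    $Owner = $null
    if ($null -ne $Sddl.Owner)
    {
        $Owner = Resolve-SidName $Sddl.Owner
    }

    $Group = $null
    if ($null -ne $Sddl.Group)
    {
        $Group = Resolve-SidName $Sddl.Group
    }

    # Vocabulary used to decode access masks: the CryptoKeyRights names followed by the
    # FileSystemRights names, de-duplicated by numeric value (the crypto name wins for a
    # shared value). For other object types the same bits may mean something else, so
    # Rights is indicative, not authoritative, for e.g. registry or AD descriptors.
    $SeenValue = @{}
    $RightsVocabulary = @()
    foreach ($RightsType in @([Security.AccessControl.CryptoKeyRights], [Security.AccessControl.FileSystemRights]))
    {
        foreach ($Name in [Enum]::GetNames($RightsType))
        {
            $Right = [Enum]::Parse($RightsType, $Name)
            if (-not $SeenValue.ContainsKey($Right.value__))
            {
                $SeenValue[$Right.value__] = $True
                $RightsVocabulary += $Right
            }
        }
    }

    $Dacl = $null
    if ($null -ne $Sddl.DiscretionaryAcl)
    {
        $DaclArray = @()

        # NOTE: entries are assumed to be KnownAce-derived (CommonAce/ObjectAce), which expose
        # SecurityIdentifier and AccessMask; a CustomAce would fail here under strict mode.
        foreach ($DaclEntry in $Sddl.DiscretionaryAcl)
        {
            $Account = Resolve-SidName $DaclEntry.SecurityIdentifier

            # Every vocabulary right whose bits are all set in the ACE's access mask
            $Rights = @()
            foreach ($Right in $RightsVocabulary)
            {
                if (($DaclEntry.AccessMask -band $Right) -eq $Right)
                {
                    $Rights += $Right.ToString()
                }
            }

            $Ace = @{
                Rights = ($Rights -join ',')
                IdentityReference = $Account
                IsInherited = $DaclEntry.IsInherited
                InheritanceFlags = $DaclEntry.InheritanceFlags
                PropagationFlags = $DaclEntry.PropagationFlags
            }

            # AccessAllowed / AccessAllowedObject / ... map to Allow; everything else in a
            # DACL is treated as Deny.
            if ($DaclEntry.AceType.ToString().Contains('Allowed'))
            {
                $Ace['AccessControlType'] = [Security.AccessControl.AccessControlType]::Allow
            }
            else
            {
                $Ace['AccessControlType'] = [Security.AccessControl.AccessControlType]::Deny
            }

            $DaclArray += New-Object PSObject -Property $Ace
        }

        $Dacl = $DaclArray
    }

    New-Object PSObject -Property @{
        Owner = $Owner
        Group = $Group
        Access = $Dacl
    }
}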