Exploring ConvertFrom-SddlString Cmdlet in PowerShell
Welcome back to Wahmans PowerShell Blog!
Today, we’re diving into ConvertFrom-SddlString, a neat cmdlet introduced in PowerShell 7.2. This cmdlet lets you convert an SDDL (Security Descriptor Definition Language) string into a structured object that you can easily inspect or manipulate with PowerShell.
From managing file system permissions to inspecting Active Directory security descriptors, SDDL strings are everywhere when it comes to security metadata. Up until now, decoding them in PowerShell was painful. Thankfully, ConvertFrom-SddlString makes things MUCH easier!
Cmdlet Syntax
ConvertFrom-SddlString [-Sddl] <string> [<CommonParameters>]
Let’s go through some practical examples, ranging from beginner to more advanced use cases.
🔰 Example 1 – Basic Conversion
Let’s take a simple SDDL string and convert it to an object.
$sddl = 'D:PAI(A;;FA;;;SY)(A;;FA;;;BA)'
$sdObject = ConvertFrom-SddlString -Sddl $sddl
$sdObject
This outputs a custom object with Owner, Group, DiscretionaryAcl, SystemAcl and RawDescriptor properties. DiscretionaryAcl lists the entries of the DACL (Discretionary Access Control List) as readable strings, showing who has what permissions; RawDescriptor holds the typed security descriptor behind them.
🔍 Example 2 – Extracting Permission Entries (ACEs)
Once you’ve converted the SDDL, you can dig into the Access Control Entries (ACEs):
$sddl = 'D:PAI(A;;FA;;;SY)(A;;FA;;;BA)'
$sdObject = ConvertFrom-SddlString -Sddl $sddl
# DiscretionaryAcl on the converted object holds display strings; the typed ACEs
# (with SecurityIdentifier and AccessMask properties) live under RawDescriptor
$sdObject.RawDescriptor.DiscretionaryAcl | ForEach-Object {
    "Identity: $($_.SecurityIdentifier.Value), Rights: $($_.AccessMask)"
}
This is useful when you want to audit or log ACLs programmatically.
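As an added example (not code from the original post), the function below turns every ACE of an SDDL string into an audit-friendly object: the SID is resolved to an account name, the access mask is decoded into FileSystemRights names and hex, and the inheritance and DACL-protection flags are exposed instead of a bare number. The function name and the output shape are this example's own choices, and it assumes the descriptor comes from a file or folder, so the mask is interpreted as FileSystemRights; the sample SDDL is the post's own.

```powershell
# Added example: decode each ACE of an SDDL string into an object for logging/auditing.
# Assumes a file-system descriptor (mask read as FileSystemRights).
function ConvertTo-AceReport {
    param(
        [Parameter(Mandatory)][string]$Sddl
    )

    $sd = ConvertFrom-SddlString -Sddl $Sddl

    # The 'P' in 'D:PAI...' sets this flag: inheritance from the parent is blocked.
    $isProtected = ($sd.RawDescriptor.ControlFlags -band [System.Security.AccessControl.ControlFlags]::DiscretionaryAclProtected) -ne 0

    # RawDescriptor.DiscretionaryAcl yields typed CommonAce objects; the DiscretionaryAcl
    # property on the converted object only holds display strings.
    foreach ($ace in $sd.RawDescriptor.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier

        # Resolve the SID to an account; orphaned SIDs (deleted accounts) keep the raw value.
        try {
            $identity = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $identity = $sid.Value
        }

        [pscustomobject]@{
            Identity      = $identity
            Sid           = $sid.Value
            Type          = $ace.AceType                                              # AccessAllowed / AccessDenied
            Rights        = [System.Security.AccessControl.FileSystemRights]$ace.AccessMask
            MaskHex       = ('0x{0:X8}' -f $ace.AccessMask)
            Inherited     = ($ace.AceFlags -band [System.Security.AccessControl.AceFlags]::Inherited) -ne 0
            AppliesTo     = $ace.InheritanceFlags                                     # ContainerInherit / ObjectInherit
            Propagation   = $ace.PropagationFlags
            DaclProtected = $isProtected
        }
    }
}

# The post's sample descriptor: SYSTEM and Administrators, both FA, inheritance blocked.
ConvertTo-AceReport -Sddl 'D:PAI(A;;FA;;;SY)(A;;FA;;;BA)' | Format-Table -AutoSize
```

For the sample string this yields two rows, both of type AccessAllowed with Rights of FullControl (mask 0x001F01FF) and DaclProtected set to True. Emitting objects rather than strings lets the same function feed Export-Csv, a SIEM forwarder or a Where-Object filter without re-parsing text.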
🛠 Example 3 – Reading SDDL from a File System Object and Parsing
Let’s say you have a folder and want to get its SDDL string and decode it:
$path = 'C:\MyFolder'
$sddl = (Get-Acl -Path $path).Sddl
$sdObject = ConvertFrom-SddlString -Sddl $sddl
# Display owner and group
"Owner: $($sdObject.Owner)"
"Group: $($sdObject.Group)"
This is useful when inspecting permissions on the file system.
🔒 Example 4 – Script Automation: Checking for Admin Full Control
In a security audit script, you might need to check if the Administrators group has Full Control on specific folders:
$path = 'C:\SecureFolder'
$sddl = (Get-Acl -Path $path).Sddl
$sdObject = ConvertFrom-SddlString -Sddl $sddl
$adminSID = (New-Object System.Security.Principal.NTAccount('BUILTIN','Administrators')).Translate([System.Security.Principal.SecurityIdentifier])
# Typed ACEs live under RawDescriptor; match only Allow entries, otherwise a Deny
# entry carrying the same mask would be mistaken for a grant
$hasFullControl = $sdObject.RawDescriptor.DiscretionaryAcl | Where-Object {
    $_.SecurityIdentifier -eq $adminSID -and
    $_.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed -and
    $_.AccessMask -eq 2032127 # FA (Full Access), 0x1F01FF
}
if ($hasFullControl) {
    Write-Output "Administrators have Full Control."
} else {
    Write-Warning "Administrators do NOT have Full Control!"
}
You can now integrate permission checks into your daily CI/CD pipelines easily!
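Taking the audit idea one step further, here is an added example (not code from the original post) that checks several folders at once and reports each DACL entry granting Full Control to an identity outside an allow-list, plus every Deny entry for review, so that a non-empty result can fail a pipeline step. The default allow-list (SYSTEM and BUILTIN\Administrators), the function name and the sample paths are this example's assumptions; it also tests the mask bitwise rather than for exact equality, so a grant that is FullControl plus extra bits is still counted.

```powershell
# Added example: audit folders for unexpected Full Control grants and Deny entries.
# Default allow-list and sample paths are assumptions for illustration.
function Test-FolderFullControl {
    param(
        [Parameter(Mandatory)][string[]]$Path,
        [System.Security.Principal.SecurityIdentifier[]]$AllowedFullControl = @(
            [System.Security.Principal.SecurityIdentifier]::new([System.Security.Principal.WellKnownSidType]::LocalSystemSid, $null),
            [System.Security.Principal.SecurityIdentifier]::new([System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)
        )
    )

    # FA in SDDL = FILE_ALL_ACCESS = 0x1F01FF; test the bits so FullControl plus extra bits still counts.
    $fullControl = [int][System.Security.AccessControl.FileSystemRights]::FullControl

    foreach ($p in $Path) {
        try {
            $sddl = (Get-Acl -Path $p -ErrorAction Stop).Sddl
        } catch {
            # Report unreadable paths instead of silently passing them
            [pscustomobject]@{ Path = $p; Identity = $null; Inherited = $null; Finding = "Unreadable: $($_.Exception.Message)" }
            continue
        }

        $sd = ConvertFrom-SddlString -Sddl $sddl

        foreach ($ace in $sd.RawDescriptor.DiscretionaryAcl) {
            $sid = $ace.SecurityIdentifier
            try   { $identity = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $identity = $sid.Value }   # orphaned SID: keep the raw value
            $inherited = ($ace.AceFlags -band [System.Security.AccessControl.AceFlags]::Inherited) -ne 0

            $finding = $null
            if ($ace.AceType -eq [System.Security.AccessControl.AceType]::AccessDenied) {
                $finding = 'Deny entry present (review: often a leftover from troubleshooting)'
            } elseif ($ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed -and
                      ($ace.AccessMask -band $fullControl) -eq $fullControl -and
                      $AllowedFullControl -notcontains $sid) {
                $finding = 'Full Control granted outside the allow-list'
            }

            if ($finding) {
                # Inherited tells the reviewer whether to fix this folder or its parent
                [pscustomobject]@{ Path = $p; Identity = $identity; Inherited = $inherited; Finding = $finding }
            }
        }
    }
}

# Sample usage (paths are placeholders): any finding fails the pipeline step.
$findings = Test-FolderFullControl -Path 'C:\SecureFolder', 'C:\MyFolder'
$findings | Format-Table -AutoSize
if ($findings) { exit 1 }
```

The allow-list is expressed as SIDs rather than names so that the comparison does not depend on name resolution or localisation, and unreadable paths are reported as findings rather than skipped, which keeps a broken mount or a permission error from turning into a silent pass.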
Conclusion
ConvertFrom-SddlString is one of those hidden gems that can make permission analysis and auditing much more manageable in PowerShell. Whether you’re debugging access issues or building automation, this tool gives you the power to interpret SDDL like a pro.
Happy scripting, and I will see you in the next post!