ConvertFrom-SddlString

Understanding ConvertFrom-SddlString in PowerShell

Welcome back to Wahman’s PowerShell Blog! Today, we’re diving into the ConvertFrom-SddlString cmdlet — a lesser-known but potent tool in the PowerShell arsenal. If you’ve ever worked with security descriptors in Windows, you may have encountered SDDL (Security Descriptor Definition Language). This cmdlet helps convert those complex SDDL strings into understandable and structured PowerShell objects.

Cmdlet Description

The Microsoft definition of ConvertFrom-SddlString is:

“Converts a SDDL string to a custom object.”

Essentially, this cmdlet parses a raw SDDL string and provides a readable output that simplifies security descriptor analysis, revealing Owner, Group, DACL (Discretionary Access Control List), and SACL (System Access Control List).

Example 1 – Basic Conversion

A simple example to convert an SDDL string to a readable object:

$sddl = 'O:BAG:BAD:(A;;FA;;;SY)(A;;FA;;;BA)'
$sdObject = ConvertFrom-SddlString -Sddl $sddl
$sdObject

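This command parses the SDDL and outputs an object whose Owner, Group, DiscretionaryAcl (DACL), and SystemAcl (SACL) properties hold the readable parts, plus a RawDescriptor property with the underlying security descriptor object. Great for understanding what permissions are set at a glance!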

Example 2 – Inspecting File ACLs

You can extract the SDDL from a file and convert it for better readability:

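$file = 'C:\Windows\System32\notepad.exe'
$sddl = (Get-Acl -Path $file).Sddl
# -Type tells the cmdlet to decode access masks as file system rights
$sdObject = ConvertFrom-SddlString -Sddl $sddl -Type FileSystemRights
# DiscretionaryAcl holds one readable string per ACE
$sdObject.DiscretionaryAcl

This shows the file's DACL as one readable line per ACE (account, allow or deny, and the decoded rights), which is a great help during file security audits.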

Example 3 – Filtering ACE Entries

Suppose you want to find all ACEs (Access Control Entries) related to the SYSTEM account:

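$file = 'C:\Windows\System32\notepad.exe'
$sddl = (Get-Acl -Path $file).Sddl
$sdObject = ConvertFrom-SddlString -Sddl $sddl
# RawDescriptor.DiscretionaryAcl exposes ACE objects with a SecurityIdentifier property
$sdObject.RawDescriptor.DiscretionaryAcl |
    Where-Object { $_.SecurityIdentifier.Value -eq 'S-1-5-18' }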

This filters the DACL entries to only those that involve the SYSTEM SID (S-1-5-18).

Example 4 – Advanced Reporting on Folder Permissions

Let’s say you’re building a report of permissions across multiple folders:

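$folders = Get-ChildItem -Path 'C:\Data' -Directory

# Collect the loop output first: a foreach statement cannot be piped directly
$report = foreach ($folder in $folders) {
    $sddl = (Get-Acl -Path $folder.FullName).Sddl
    $sdObject = ConvertFrom-SddlString -Sddl $sddl

    # RawDescriptor.DiscretionaryAcl yields ACE objects rather than display strings
    foreach ($ace in $sdObject.RawDescriptor.DiscretionaryAcl) {
        [PSCustomObject]@{
            Folder = $folder.FullName
            SID = $ace.SecurityIdentifier.Value
            AccessType = $ace.AceQualifier
            Rights = [System.Security.AccessControl.FileSystemRights]$ace.AccessMask
        }
    }
}

$report | Export-Csv -Path 'C:\PermissionReport.csv' -NoTypeInformation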

This script loops through multiple directories, evaluates their access control lists, dissects each ACE, and exports the results to a CSV file for auditing or documentation.
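
Going one step beyond the report above, an audit usually wants only the risky rows. The following is an added example, not code from the original post: the function name Find-BroadWriteAce, the choice of "broad" SIDs and "risky" rights, and the two sample SDDL strings are all constructed for illustration.

```powershell
# Added example: flag allow-ACEs that let broad groups change an object.
function Find-BroadWriteAce {
    param(
        [Parameter(Mandatory)] [string] $Name,   # label for the report row
        [Parameter(Mandatory)] [string] $Sddl    # SDDL string to inspect
    )
    # Well-known SIDs that cover most or all users on a system (assumed scope)
    $broad = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-5-32-545' = 'BUILTIN\Users'
    }
    # Rights that allow changing content, permissions or ownership
    $risky = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

    $sd = ConvertFrom-SddlString -Sddl $Sddl -Type FileSystemRights
    foreach ($ace in $sd.RawDescriptor.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier.Value
        # Deny ACEs and ACEs for other principals are not findings here
        if ($ace.AceQualifier -ne 'AccessAllowed' -or -not $broad.ContainsKey($sid)) { continue }
        $hit = $ace.AccessMask -band $risky
        if ($hit -eq 0) { continue }
        [PSCustomObject]@{
            Object      = $Name
            Principal   = $broad[$sid]
            RiskyRights = [System.Security.AccessControl.FileSystemRights]$hit
            Inherited   = $ace.IsInherited
        }
    }
}

# Constructed sample descriptors (not read from a real system)
$samples = [ordered]@{
    # Users get read and execute only: no finding expected
    'C:\Data\Finance' = 'O:BAG:SYD:(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;BU)'
    # Authenticated Users get Modify, Everyone gets full control: two findings
    'C:\Data\Scratch' = 'O:BAG:SYD:(A;OICI;FA;;;BA)(A;OICI;0x1301bf;;;AU)(A;;FA;;;WD)'
}
foreach ($entry in $samples.GetEnumerator()) {
    Find-BroadWriteAce -Name $entry.Key -Sddl $entry.Value
}
```

To run it against real folders, pass `(Get-Acl -Path $folder.FullName).Sddl` as the `-Sddl` argument. Generic rights bits such as GA or GW in an SDDL string are not file system rights flags, so this check does not flag them.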

Conclusion

The ConvertFrom-SddlString cmdlet is a fantastic way to bridge the gap between the arcane world of SDDL strings and the structured clarity of PowerShell objects. Whether you’re inspecting file permissions, auditing folder access rights, or just trying to understand security configurations—this cmdlet is your friend.

Happy scripting, and I will see you in the next post!
