Replacing NTFS Permissions with SDDL Information

by Dec 18, 2014

All PowerShell versions

With Get-Acl, you can output the security information from files and folders as plain text in SDDL format (Security Descriptor Definition Language):

$FolderToRead = 'C:\folder1'

$securityDescriptor = Get-Acl -Path $FolderToRead
$securityDescriptor.GetSecurityDescriptorSddlForm('All') 

You could pipe the SDDL to the clipboard, and then paste it into another script:

$FolderToRead = 'C:\folder1'

$securityDescriptor = Get-Acl -Path $FolderToRead
$securityDescriptor.GetSecurityDescriptorSddlForm('All') | clip.exe 

Add the SDDL to a script like this, for example (note that an SDDL string is always a single line, so do not insert line breaks when pasting it):

$sddl = 'O:S-1-5-21-2649034417-1209187175-3910605729-1000G:S-1-5-21-2649034417-1209187175-3910605729-513D:(A;ID;FA;;;BA)(A;OICIIOID;GA;;;BA)(A;ID;FA;;;SY)(A;OICIIOID;GA;;;SY)(A;OICIID;0x1200a9;;;BU)(A;ID;0x1301bf;;;AU)(A;OICIIOID;SDGXGWGR;;;AU)'


$FolderToConfigure = 'C:\folder2'

$securityDescriptor = Get-Acl -Path $FolderToConfigure
$securityDescriptor.SetSecurityDescriptorSddlForm($sddl)
Set-Acl -Path $FolderToConfigure -AclObject $securityDescriptor 

By inserting SDDL into a script, you no longer need the template folder that you used to generate the SDDL. You can now apply the security information to other file system objects, set basic NTFS permissions, or change the SDDL before you apply it.

As one example, in a domain migration scenario you could build a translation table that maps old SIDs to new SIDs, replace the old SIDs in the recorded SDDL with the new ones, and then clone the security information to objects in a new (or test) domain.
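The following is an added example, not code from the original tip: it takes the SDDL recorded above, rewrites the domain SIDs through a translation table, parses the result to make sure it is still valid SDDL and to list which accounts the ACEs now refer to, and only then hands it to Set-Acl. The function names (Convert-SddlSid, Get-SddlAceReport), the $sidMap table and the new-domain SIDs in it are assumptions constructed for this example; the well-known abbreviations (BA, SY, BU, AU) are not domain-specific and are left untouched.

```powershell
# Added example (not part of the original tip): translate SIDs in a recorded SDDL
# string, validate and inspect the result, then apply it to a target folder.

# SDDL recorded from the template folder (the string used in the tip above).
$sddl = 'O:S-1-5-21-2649034417-1209187175-3910605729-1000G:S-1-5-21-2649034417-1209187175-3910605729-513D:(A;ID;FA;;;BA)(A;OICIIOID;GA;;;BA)(A;ID;FA;;;SY)(A;OICIIOID;GA;;;SY)(A;OICIID;0x1200a9;;;BU)(A;ID;0x1301bf;;;AU)(A;OICIIOID;SDGXGWGR;;;AU)'

# Translation table: old domain SID -> new domain SID.
# The new-domain SIDs below are constructed placeholders, not real values.
$sidMap = @{
    'S-1-5-21-2649034417-1209187175-3910605729-1000' = 'S-1-5-21-1111111111-2222222222-3333333333-1000'
    'S-1-5-21-2649034417-1209187175-3910605729-513'  = 'S-1-5-21-1111111111-2222222222-3333333333-513'
}

function Convert-SddlSid {
    param(
        [Parameter(Mandatory)][string]$Sddl,
        [Parameter(Mandatory)][hashtable]$SidMap
    )
    $result = $Sddl
    # Longest keys first, and a lookahead that refuses a following digit or '-',
    # so '...-513' can never match the start of '...-5130' or '...-513-...'.
    foreach ($old in ($SidMap.Keys | Sort-Object -Property Length -Descending)) {
        $pattern = [regex]::Escape($old) + '(?![0-9-])'
        $result  = [regex]::Replace($result, $pattern, $SidMap[$old])
    }
    return $result
}

function Get-SddlAceReport {
    param([Parameter(Mandatory)][string]$Sddl)
    # RawSecurityDescriptor parses the string and throws on malformed SDDL,
    # so a broken translation is caught here rather than at Set-Acl time.
    $raw = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $raw.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $account = '<unresolved>' }   # SID unknown on this machine/domain
        [pscustomobject]@{
            Sid     = $sid.Value
            Account = $account
            AceType = $ace.AceType
            Flags   = $ace.AceFlags
            Mask    = ('0x{0:x}' -f $ace.AccessMask)
        }
    }
}

# 1. Rewrite the SIDs.
$newSddl = Convert-SddlSid -Sddl $sddl -SidMap $sidMap

# 2. Parse and review: an '<unresolved>' account or a leftover old-domain SID
#    means the translation table is incomplete or the target domain is wrong.
Get-SddlAceReport -Sddl $newSddl | Format-Table -AutoSize

# 3. Apply, first with -WhatIf to see the intended change; remove -WhatIf once
#    the report above looks right.
$FolderToConfigure = 'C:\folder2'
$securityDescriptor = Get-Acl -Path $FolderToConfigure
$securityDescriptor.SetSecurityDescriptorSddlForm($newSddl)
Set-Acl -Path $FolderToConfigure -AclObject $securityDescriptor -WhatIf
```

Two things to keep in mind when applying a cloned SDDL: the O: part sets the owner, and writing an owner other than yourself requires the SeRestorePrivilege that only an elevated administrator session normally holds; and the ID flags in the recorded ACEs mark entries as inherited, so the target folder's actual effective permissions also depend on the inheritance settings of its parent.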
