{"id":106640,"date":"2022-05-10T07:00:00","date_gmt":"2022-05-10T14:00:00","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/oldnewthing\/?p=106640"},"modified":"2022-05-10T07:29:34","modified_gmt":"2022-05-10T14:29:34","slug":"20220510-00","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20220510-00\/?p=106640","title":{"rendered":"A brief summary of the various versions of the Security Descriptor Definition Language (SDDL)"},"content":{"rendered":"<p>The Security Descriptor Definition Language (SDDL) was introduced in Windows 2000 to provide a textual representation for security descriptors. Prior to its introduction, security descriptors were typically represented as hex bytes, which was not particularly readable or editable.<\/p>\n<p>Although the only defined revision number is 1, there have actually been quite a few revisions to the Security Descriptor Definition Language, which makes you wonder what that version number was for. The fact that the version number hasn&#8217;t changed when the language changed means that if you call <code>Convert\u00adSecurity\u00adDescriptor\u00adTo\u00adString\u00adSecurity\u00adDescriptor<\/code>, you will get a string security descriptor that works on the version of Windows that generated it, but it may not work on older versions of Windows, because the older versions may not support some of the newer features.<\/p>\n<p>Oops.<\/p>\n<p>Okay, so here&#8217;s a history of the Security Descriptor Definition Language, in table form.<\/p>\n<p><b>SDDL Component Tags<\/b><\/p>\n<table class=\"cp3\" style=\"border-collapse: collapse;\" border=\"1\" cellspacing=\"0\" cellpadding=\"3\">\n<tbody>\n<tr>\n<th>Code<\/th>\n<th>Meaning<br \/>\nSymbol<\/th>\n<th>Introduced<\/th>\n<\/tr>\n<tr>\n<td valign=\"baseline\">O<\/td>\n<td valign=\"baseline\">Owner<br \/>\n<code style=\"font-size: 90%;\">SDDL_OWNER<\/code><br \/>\n<code style=\"font-size: 90%;\">OWNER_SECURITY_INFORMATION<\/code><\/td>\n<td 
rowspan=\"4\" valign=\"baseline\">Windows 2000<\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">G<\/td>\n<td valign=\"baseline\">Group<br \/>\n<code style=\"font-size: 90%;\">SDDL_GROUP<\/code><br \/>\n<code style=\"font-size: 90%;\">GROUP_SECURITY_INFORMATION<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">D<\/td>\n<td valign=\"baseline\">DACL<br \/>\n<code style=\"font-size: 90%;\">SDDL_DACL<\/code><br \/>\n<code style=\"font-size: 90%;\">DACL_SECURITY_INFORMATION<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">S<\/td>\n<td valign=\"baseline\">SACL<br \/>\n<code style=\"font-size: 90%;\">SDDL_SACL<\/code><br \/>\n<code style=\"font-size: 90%;\">SACL_SECURITY_INFORMATION<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><b>SDDL Security Descriptor Controls<\/b><\/p>\n<table class=\"cp3\" style=\"border-collapse: collapse;\" border=\"1\" cellspacing=\"0\" cellpadding=\"3\">\n<tbody>\n<tr>\n<th>Code<\/th>\n<th>Meaning<\/th>\n<th>Introduced<\/th>\n<\/tr>\n<tr>\n<td valign=\"baseline\">P<\/td>\n<td valign=\"baseline\">Protected<br \/>\n<code style=\"font-size: 90%;\">SDDL_PROTECTED<\/code><br \/>\n<code style=\"font-size: 90%;\">SE_DACL_PROTECTED<\/code><br \/>\n<code style=\"font-size: 90%;\">SE_SACL_PROTECTED<\/code><\/td>\n<td rowspan=\"3\" valign=\"baseline\">Windows 2000<\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">AR<\/td>\n<td valign=\"baseline\">Auto inherit request<br \/>\n<code style=\"font-size: 90%;\">SDDL_AUTO_INHERIT_REQ<\/code><br \/>\n<code style=\"font-size: 90%;\">SE_DACL_AUTO_INHERIT_REQ<\/code><br \/>\n<code style=\"font-size: 90%;\">SE_SACL_AUTO_INHERIT_REQ<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">AI<\/td>\n<td valign=\"baseline\">Auto inherited<br \/>\n<code style=\"font-size: 90%;\">SDDL_AUTO_INHERITED<\/code><br \/>\n<code style=\"font-size: 90%;\">SE_DACL_AUTO_INHERITED<\/code><br \/>\n<code style=\"font-size: 90%;\">SE_SACL_AUTO_INHERITED<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"font-size: 80%;\" 
valign=\"baseline\">NO_ACCESS_CONTROL<\/td>\n<td valign=\"baseline\">Null ACL<br \/>\n<code style=\"font-size: 90%;\">SDDL_NULL_ACL<\/code><\/td>\n<td valign=\"baseline\">Windows 7<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><b>SDDL ACE Types<\/b><\/p>\n<table class=\"cp3\" style=\"border-collapse: collapse;\" border=\"1\" cellspacing=\"0\" cellpadding=\"3\">\n<tbody>\n<tr>\n<th>Code<\/th>\n<th>Meaning<\/th>\n<th>Introduced<\/th>\n<\/tr>\n<tr>\n<td valign=\"baseline\">A<\/td>\n<td valign=\"baseline\">Access allowed<br \/>\n<code style=\"font-size: 90%;\">SDDL_ACCESS_ALLOWED<\/code><br \/>\n<code style=\"font-size: 90%;\">ACCESS_ALLOWED_ACE_TYPE<\/code><\/td>\n<td rowspan=\"8\" valign=\"baseline\">Windows 2000<\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">D<\/td>\n<td valign=\"baseline\">Access denied<br \/>\n<code style=\"font-size: 90%;\">SDDL_ACCESS_DENIED<\/code><br \/>\n<code style=\"font-size: 90%;\">ACCESS_DENIED_ACE_TYPE<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">OA<\/td>\n<td valign=\"baseline\">Object access allowed<br \/>\n<code style=\"font-size: 90%;\">SDDL_OBJECT_ACCESS_ALLOWED<\/code><br \/>\n<code style=\"font-size: 90%;\">ACCESS_ALLOWED_OBJECT_ACE_TYPE<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">OD<\/td>\n<td valign=\"baseline\">Object access denied<br \/>\n<code style=\"font-size: 90%;\">SDDL_OBJECT_ACCESS_DENIED<\/code><br \/>\n<code style=\"font-size: 90%;\">ACCESS_DENIED_OBJECT_ACE_TYPE<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">AU<\/td>\n<td valign=\"baseline\">Audit<br \/>\n<code style=\"font-size: 90%;\">SDDL_AUDIT<\/code><br \/>\n<code style=\"font-size: 90%;\">SYSTEM_AUDIT_ACE_TYPE<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">AL<\/td>\n<td valign=\"baseline\">Alarm<br \/>\n<code style=\"font-size: 90%;\">SDDL_ALARM<\/code><br \/>\n<code style=\"font-size: 90%;\">SYSTEM_ALARM_ACE_TYPE<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">OU<\/td>\n<td valign=\"baseline\">Object audit<br \/>\n<code 
style=\"font-size: 90%;\">SDDL_OBJECT_AUDIT<\/code><br \/>\n<code style=\"font-size: 90%;\">SYSTEM_AUDIT_OBJECT_ACE_TYPE<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">OL<\/td>\n<td valign=\"baseline\">Object alarm<br \/>\n<code style=\"font-size: 90%;\">SDDL_OBJECT_ALARM<\/code><br \/>\n<code style=\"font-size: 90%;\">SYSTEM_ALARM_OBJECT_ACE_TYPE<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">ML<\/td>\n<td valign=\"baseline\">Integrity label<br \/>\n<code style=\"font-size: 90%;\">SDDL_MANDATORY_LABEL<\/code><br \/>\n<code style=\"font-size: 90%;\">SYSTEM_MANDATORY_LABEL_ACE_TYPE<\/code><\/td>\n<td valign=\"baseline\">Windows Vista<\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">XA<\/td>\n<td valign=\"baseline\">Callback access allowed<br \/>\n<code style=\"font-size: 90%;\">SDDL_CALLBACK_ACCESS_ALLOWED<\/code><br \/>\n<code style=\"font-size: 90%;\">ACCESS_ALLOWED_CALLBACK_ACE_TYPE<\/code><\/td>\n<td rowspan=\"2\" valign=\"baseline\">Windows 7<\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">XD<\/td>\n<td valign=\"baseline\">Callback access denied<br \/>\n<code style=\"font-size: 90%;\">SDDL_CALLBACK_ACCESS_DENIED<\/code><br \/>\n<code style=\"font-size: 90%;\">ACCESS_DENIED_CALLBACK_ACE_TYPE<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">RA<\/td>\n<td valign=\"baseline\">Resource attribute<br \/>\n<code style=\"font-size: 90%;\">SDDL_RESOURCE_ATTRIBUTE<\/code><br \/>\n<code style=\"font-size: 90%;\">SYSTEM_RESOURCE_ATTRIBUTE_ACE_TYPE<\/code><\/td>\n<td rowspan=\"4\" valign=\"baseline\">Windows 8<\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">SP<\/td>\n<td valign=\"baseline\">Scoped policy<br \/>\n<code style=\"font-size: 90%;\">SDDL_SCOPED_POLICY_ID<\/code><br \/>\n<code style=\"font-size: 90%;\">SYSTEM_SCOPED_POLICY_ID_ACE_TYPE<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">XU<\/td>\n<td valign=\"baseline\">Callback audit<br \/>\n<code style=\"font-size: 90%;\">SDDL_CALLBACK_AUDIT<\/code><br \/>\n<code style=\"font-size: 
90%;\">SYSTEM_AUDIT_CALLBACK_ACE_TYPE<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">ZA<\/td>\n<td valign=\"baseline\">Callback object access allowed<br \/>\n<code style=\"font-size: 90%;\">SDDL_CALLBACK_OBJECT_ACCESS_ALLOWED<\/code><br \/>\n<code style=\"font-size: 90%;\">ACCESS_ALLOWED_CALLBACK_OBJECT_ACE_TYPE<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">TL<\/td>\n<td valign=\"baseline\">Process trust label<br \/>\n<code style=\"font-size: 90%;\">SDDL_PROCESS_TRUST_LABEL<\/code><br \/>\n<code style=\"font-size: 90%;\">SYSTEM_PROCESS_TRUST_LABEL_ACE_TYPE<\/code><\/td>\n<td valign=\"baseline\">Windows 8.1<\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">FL<\/td>\n<td valign=\"baseline\">Access filter<br \/>\n<code style=\"font-size: 90%;\">SDDL_ACCESS_FILTER<\/code><br \/>\n<code style=\"font-size: 90%;\">SYSTEM_ACCESS_FILTER_ACE_TYPE<\/code><\/td>\n<td valign=\"baseline\">Windows 10<br \/>\nVersion 1703<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><b>SDDL Resource attribute ACE data types<\/b><\/p>\n<table class=\"cp3\" style=\"border-collapse: collapse;\" border=\"1\" cellspacing=\"0\" cellpadding=\"3\">\n<tbody>\n<tr>\n<th>Code<\/th>\n<th>Meaning<\/th>\n<th>Introduced<\/th>\n<\/tr>\n<tr>\n<td valign=\"baseline\">TI<\/td>\n<td valign=\"baseline\">Signed integer<br \/>\n<code style=\"font-size: 90%;\">SDDL_INT<\/code><br \/>\n<code style=\"font-size: 90%;\">CLAIM_SECURITY_ATTRIBUTE_TYPE_INT64<\/code><\/td>\n<td rowspan=\"6\" valign=\"baseline\">Windows 8<\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">TU<\/td>\n<td valign=\"baseline\">Unsigned integer<br \/>\n<code style=\"font-size: 90%;\">SDDL_UINT<\/code><br \/>\n<code style=\"font-size: 90%;\">CLAIM_SECURITY_ATTRIBUTE_TYPE_UINT64<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">TS<\/td>\n<td valign=\"baseline\">Wide string<br \/>\n<code style=\"font-size: 90%;\">SDDL_WSTRING<\/code><br \/>\n<code style=\"font-size: 90%;\">CLAIM_SECURITY_ATTRIBUTE_TYPE_STRING<\/code><\/td>\n<\/tr>\n<tr>\n<td 
valign=\"baseline\">TD<\/td>\n<td valign=\"baseline\">SID<br \/>\n<code style=\"font-size: 90%;\">SDDL_SID<\/code><br \/>\n<code style=\"font-size: 90%;\">CLAIM_SECURITY_ATTRIBUTE_TYPE_SID<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">TX<\/td>\n<td valign=\"baseline\">Octet string<br \/>\n<code style=\"font-size: 90%;\">SDDL_BLOB<\/code><br \/>\n<code style=\"font-size: 90%;\">CLAIM_SECURITY_ATTRIBUTE_TYPE_OCTET_STRING<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">TB<\/td>\n<td valign=\"baseline\">Boolean<br \/>\n<code style=\"font-size: 90%;\">SDDL_BOOLEAN<\/code><br \/>\n<code style=\"font-size: 90%;\">CLAIM_SECURITY_ATTRIBUTE_TYPE_BOOLEAN<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><b>SDDL ACE flags<\/b><\/p>\n<table class=\"cp3\" style=\"border-collapse: collapse;\" border=\"1\" cellspacing=\"0\" cellpadding=\"3\">\n<tbody>\n<tr>\n<th>Code<\/th>\n<th>Meaning<\/th>\n<th>Introduced<\/th>\n<\/tr>\n<tr>\n<td valign=\"baseline\">CI<\/td>\n<td valign=\"baseline\">Container inherit<br \/>\n<code style=\"font-size: 90%;\">SDDL_CONTAINER_INHERIT<\/code><br \/>\n<code style=\"font-size: 90%;\">CONTAINER_INHERIT_ACE<\/code><\/td>\n<td rowspan=\"7\" valign=\"baseline\">Windows 2000<\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">OI<\/td>\n<td valign=\"baseline\">Object inherit<br \/>\n<code style=\"font-size: 90%;\">SDDL_OBJECT_INHERIT<\/code><br \/>\n<code style=\"font-size: 90%;\">OBJECT_INHERIT_ACE<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">NP<\/td>\n<td valign=\"baseline\">Inherit no propagate<br \/>\n<code style=\"font-size: 90%;\">SDDL_NO_PROPAGATE<\/code><br \/>\n<code style=\"font-size: 90%;\">NO_PROPAGATE_INHERIT_ACE<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">IO<\/td>\n<td valign=\"baseline\">Inherit only<br \/>\n<code style=\"font-size: 90%;\">SDDL_INHERIT_ONLY<\/code><br \/>\n<code style=\"font-size: 90%;\">INHERIT_ONLY_ACE<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">ID<\/td>\n<td valign=\"baseline\">Inherited<br 
\/>\n<code style=\"font-size: 90%;\">SDDL_INHERITED<\/code><br \/>\n<code style=\"font-size: 90%;\">INHERITED_ACE<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">SA<\/td>\n<td valign=\"baseline\">Audit success<br \/>\n<code style=\"font-size: 90%;\">SDDL_AUDIT_SUCCESS<\/code><br \/>\n<code style=\"font-size: 90%;\">SUCCESSFUL_ACCESS_ACE_FLAG<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">FA<\/td>\n<td valign=\"baseline\">Audit failure<br \/>\n<code style=\"font-size: 90%;\">SDDL_AUDIT_FAILURE<\/code><br \/>\n<code style=\"font-size: 90%;\">FAILED_ACCESS_ACE_FLAG<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">TP<\/td>\n<td valign=\"baseline\">Trust protected filter<br \/>\n<code style=\"font-size: 90%;\">SDDL_TRUST_PROTECTED_FILTER<\/code><br \/>\n<code style=\"font-size: 90%;\">TRUST_PROTECTED_FILTER_ACE_FLAG<\/code><\/td>\n<td valign=\"baseline\">Windows 10<br \/>\nVersion 1703<\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">CR<\/td>\n<td valign=\"baseline\">Critical<br \/>\n<code style=\"font-size: 90%;\">SDDL_CRITICAL<\/code><br \/>\n<code style=\"font-size: 90%;\">CRITICAL_ACE_FLAG<\/code><\/td>\n<td valign=\"baseline\">Windows 10<br \/>\nVersion 1809<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><b>SDDL access rights<\/b><\/p>\n<table class=\"cp3\" style=\"border-collapse: collapse;\" border=\"1\" cellspacing=\"0\" cellpadding=\"3\">\n<tbody>\n<tr>\n<th>Code<\/th>\n<th>Meaning<\/th>\n<th>Applies to<\/th>\n<th>Introduced<\/th>\n<\/tr>\n<tr>\n<td valign=\"baseline\">RP<\/td>\n<td valign=\"baseline\"><code style=\"font-size: 90%;\">ACTRL_DS_READ_PROP<\/code><br \/>\n<code style=\"font-size: 90%;\">SDDL_READ_PROPERTY<\/code><\/td>\n<td rowspan=\"9\" valign=\"baseline\">Directory<br \/>\nservices<\/td>\n<td rowspan=\"25\" valign=\"baseline\">Windows 2000<\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">WP<\/td>\n<td valign=\"baseline\"><code style=\"font-size: 90%;\">ACTRL_DS_WRITE_PROP<\/code><br \/>\n<code style=\"font-size: 
90%;\">SDDL_WRITE_PROPERTY<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">CC<\/td>\n<td valign=\"baseline\"><code style=\"font-size: 90%;\">ACTRL_DS_CREATE_CHILD<\/code><br \/>\n<code style=\"font-size: 90%;\">SDDL_CREATE_CHILD<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">DC<\/td>\n<td valign=\"baseline\"><code style=\"font-size: 90%;\">ACTRL_DS_DELETE_CHILD<\/code><br \/>\n<code style=\"font-size: 90%;\">SDDL_DELETE_CHILD<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">LC<\/td>\n<td valign=\"baseline\"><code style=\"font-size: 90%;\">ACTRL_DS_LIST<\/code><br \/>\n<code style=\"font-size: 90%;\">SDDL_LIST_CHILDREN<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">SW<\/td>\n<td valign=\"baseline\"><code style=\"font-size: 90%;\">ACTRL_DS_SELF<\/code><br \/>\n<code style=\"font-size: 90%;\">SDDL_SELF_WRITE<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">LO<\/td>\n<td valign=\"baseline\"><code style=\"font-size: 90%;\">ACTRL_DS_LIST_OBJECT<\/code><br \/>\n<code style=\"font-size: 90%;\">SDDL_LIST_OBJECT<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">DT<\/td>\n<td valign=\"baseline\"><code style=\"font-size: 90%;\">ACTRL_DS_DELETE_TREE<\/code><br \/>\n<code style=\"font-size: 90%;\">SDDL_DELETE_TREE<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">CR<\/td>\n<td valign=\"baseline\"><code style=\"font-size: 90%;\">ACTRL_DS_CONTROL_ACCESS<\/code><br \/>\n<code style=\"font-size: 90%;\">SDDL_CONTROL_ACCESS<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">RC<\/td>\n<td valign=\"baseline\"><code style=\"font-size: 90%;\">READ_CONTROL<\/code><br \/>\n<code style=\"font-size: 90%;\">SDDL_READ_CONTROL<\/code><\/td>\n<td rowspan=\"8\" valign=\"baseline\">Anything<\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">WD<\/td>\n<td valign=\"baseline\"><code style=\"font-size: 90%;\">WRITE_DAC<\/code><br \/>\n<code style=\"font-size: 90%;\">SDDL_WRITE_DAC<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">WO<\/td>\n<td valign=\"baseline\"><code 
style=\"font-size: 90%;\">WRITE_OWNER<\/code><br \/>\n<code style=\"font-size: 90%;\">SDDL_WRITE_OWNER<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">SD<\/td>\n<td valign=\"baseline\"><code style=\"font-size: 90%;\">DELETE<\/code><br \/>\n<code style=\"font-size: 90%;\">SDDL_STANDARD_DELETE<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">GA<\/td>\n<td valign=\"baseline\"><code style=\"font-size: 90%;\">GENERIC_ALL<\/code><br \/>\n<code style=\"font-size: 90%;\">SDDL_GENERIC_ALL<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">GR<\/td>\n<td valign=\"baseline\"><code style=\"font-size: 90%;\">GENERIC_READ<\/code><br \/>\n<code style=\"font-size: 90%;\">SDDL_GENERIC_READ<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">GW<\/td>\n<td valign=\"baseline\"><code style=\"font-size: 90%;\">GENERIC_WRITE<\/code><br \/>\n<code style=\"font-size: 90%;\">SDDL_GENERIC_WRITE<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">GX<\/td>\n<td valign=\"baseline\"><code style=\"font-size: 90%;\">GENERIC_EXECUTE<\/code><br \/>\n<code style=\"font-size: 90%;\">SDDL_GENERIC_EXECUTE<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">FA<\/td>\n<td valign=\"baseline\"><code style=\"font-size: 90%;\">FILE_ALL_ACCESS<\/code><br \/>\n<code style=\"font-size: 90%;\">SDDL_FILE_ALL<\/code><\/td>\n<td rowspan=\"4\" valign=\"baseline\">Files and<br \/>\nfolders<\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">FR<\/td>\n<td valign=\"baseline\"><code style=\"font-size: 90%;\">FILE_GENERIC_READ<\/code><br \/>\n<code style=\"font-size: 90%;\">SDDL_FILE_READ<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">FW<\/td>\n<td valign=\"baseline\"><code style=\"font-size: 90%;\">FILE_GENERIC_WRITE<\/code><br \/>\n<code style=\"font-size: 90%;\">SDDL_FILE_WRITE<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">FX<\/td>\n<td valign=\"baseline\"><code style=\"font-size: 90%;\">FILE_GENERIC_EXECUTE<\/code><br \/>\n<code style=\"font-size: 
90%;\">SDDL_FILE_EXECUTE<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">KA<\/td>\n<td valign=\"baseline\"><code style=\"font-size: 90%;\">KEY_ALL_ACCESS<\/code><br \/>\n<code style=\"font-size: 90%;\">SDDL_KEY_ALL<\/code><\/td>\n<td rowspan=\"4\" valign=\"baseline\">Registry<br \/>\nkeys<\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">KR<\/td>\n<td valign=\"baseline\"><code style=\"font-size: 90%;\">KEY_READ<\/code><br \/>\n<code style=\"font-size: 90%;\">SDDL_KEY_READ<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">KW<\/td>\n<td valign=\"baseline\"><code style=\"font-size: 90%;\">KEY_WRITE<\/code><br \/>\n<code style=\"font-size: 90%;\">SDDL_KEY_WRITE<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">KX<\/td>\n<td valign=\"baseline\"><code style=\"font-size: 90%;\">KEY_EXECUTE<\/code><br \/>\n<code style=\"font-size: 90%;\">SDDL_KEY_EXECUTE<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">NW<\/td>\n<td valign=\"baseline\"><code style=\"font-size: 90%;\">SYSTEM_MANDATORY_LABEL_NO_WRITE_UP<\/code><br \/>\n<code style=\"font-size: 90%;\">SDDL_NO_WRITE_UP<\/code><\/td>\n<td rowspan=\"3\" valign=\"baseline\">Mandatory<br \/>\nlabel ACE<\/td>\n<td rowspan=\"3\" valign=\"baseline\">Windows 7<\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">NR<\/td>\n<td valign=\"baseline\"><code style=\"font-size: 90%;\">SYSTEM_MANDATORY_LABEL_NO_READ_UP<\/code><br \/>\n<code style=\"font-size: 90%;\">SDDL_NO_READ_UP<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">NX<\/td>\n<td valign=\"baseline\"><code style=\"font-size: 90%;\">SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP<\/code><br \/>\n<code style=\"font-size: 90%;\">SDDL_NO_EXECUTE_UP<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><b>SDDL users and groups<\/b><\/p>\n<table class=\"cp3\" style=\"border-collapse: collapse;\" border=\"1\" cellspacing=\"0\" cellpadding=\"3\">\n<tbody>\n<tr>\n<th>Tag<\/th>\n<th>Meaning<\/th>\n<th>Introduced<\/th>\n<\/tr>\n<tr>\n<td valign=\"baseline\">DA<\/td>\n<td valign=\"baseline\">Domain 
admins<br \/>\n<code style=\"font-size: 90%;\">SDDL_DOMAIN_ADMINISTRATORS<\/code><br \/>\n<code style=\"font-size: 90%;\">DOMAIN_GROUP_RID_ADMINS<\/code><\/td>\n<td rowspan=\"33\" valign=\"baseline\">Windows 2000<\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">DG<\/td>\n<td valign=\"baseline\">Domain guests<br \/>\n<code style=\"font-size: 90%;\">SDDL_DOMAIN_GUESTS<\/code><br \/>\n<code style=\"font-size: 90%;\">DOMAIN_GROUP_RID_GUESTS<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">DU<\/td>\n<td valign=\"baseline\">Domain users<br \/>\n<code style=\"font-size: 90%;\">SDDL_DOMAIN_USERS<\/code><br \/>\n<code style=\"font-size: 90%;\">DOMAIN_GROUP_RID_USERS<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">ED<\/td>\n<td valign=\"baseline\">Enterprise domain controllers<br \/>\n<code style=\"font-size: 90%;\">SDDL_ENTERPRISE_DOMAIN_CONTROLLERS<\/code><br \/>\n<code style=\"font-size: 90%;\">SECURITY_SERVER_LOGON_RID<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">DD<\/td>\n<td valign=\"baseline\">Domain domain controllers<br \/>\n<code style=\"font-size: 90%;\">SDDL_DOMAIN_DOMAIN_CONTROLLERS<\/code><br \/>\n<code style=\"font-size: 90%;\">DOMAIN_GROUP_RID_CONTROLLERS<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">DC<\/td>\n<td valign=\"baseline\">Domain computers<br \/>\n<code style=\"font-size: 90%;\">SDDL_DOMAIN_COMPUTERS<\/code><br \/>\n<code style=\"font-size: 90%;\">DOMAIN_GROUP_RID_COMPUTERS<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">BA<\/td>\n<td valign=\"baseline\">Local administrators<br \/>\n<code style=\"font-size: 90%;\">SDDL_BUILTIN_ADMINISTRATORS<\/code><br \/>\n<code style=\"font-size: 90%;\">DOMAIN_ALIAS_RID_ADMINS<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">BG<\/td>\n<td valign=\"baseline\">Local guests<br \/>\n<code style=\"font-size: 90%;\">SDDL_BUILTIN_GUESTS<\/code><br \/>\n<code style=\"font-size: 90%;\">DOMAIN_ALIAS_RID_GUESTS<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">BU<\/td>\n<td 
valign=\"baseline\">Local users<br \/>\n<code style=\"font-size: 90%;\">SDDL_BUILTIN_USERS<\/code><br \/>\n<code style=\"font-size: 90%;\">DOMAIN_ALIAS_RID_USERS<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">LA<\/td>\n<td valign=\"baseline\">Local administrator account<br \/>\n<code style=\"font-size: 90%;\">SDDL_LOCAL_ADMIN<\/code><br \/>\n<code style=\"font-size: 90%;\">DOMAIN_USER_RID_ADMIN<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">LG<\/td>\n<td valign=\"baseline\">Local guest account<br \/>\n<code style=\"font-size: 90%;\">SDDL_LOCAL_GUEST<\/code><br \/>\n<code style=\"font-size: 90%;\">DOMAIN_USER_RID_GUEST<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">AO<\/td>\n<td valign=\"baseline\">Account operators<br \/>\n<code style=\"font-size: 90%;\">SDDL_ACCOUNT_OPERATORS<\/code><br \/>\n<code style=\"font-size: 90%;\">DOMAIN_ALIAS_RID_ACCOUNT_OPS<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">BO<\/td>\n<td valign=\"baseline\">Backup operators<br \/>\n<code style=\"font-size: 90%;\">SDDL_BACKUP_OPERATORS<\/code><br \/>\n<code style=\"font-size: 90%;\">DOMAIN_ALIAS_RID_BACKUP_OPS<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">PO<\/td>\n<td valign=\"baseline\">Printer operators<br \/>\n<code style=\"font-size: 90%;\">SDDL_PRINTER_OPERATORS<\/code><br \/>\n<code style=\"font-size: 90%;\">DOMAIN_ALIAS_RID_PRINT_OPS<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">SO<\/td>\n<td valign=\"baseline\">Server operators<br \/>\n<code style=\"font-size: 90%;\">SDDL_SERVER_OPERATORS<\/code><br \/>\n<code style=\"font-size: 90%;\">DOMAIN_ALIAS_RID_SYSTEM_OPS<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">AU<\/td>\n<td valign=\"baseline\">Authenticated users<br \/>\n<code style=\"font-size: 90%;\">SDDL_AUTHENTICATED_USERS<\/code><br \/>\n<code style=\"font-size: 90%;\">SECURITY_AUTHENTICATED_USER_RID<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">PS<\/td>\n<td valign=\"baseline\">Personal self<br \/>\n<code style=\"font-size: 
SDDL_PERSONAL_SELF">
90%;\">SDDL_PERSONAL_SELF<\/code><br \/>\n<code style=\"font-size: 90%;\">SECURITY_PRINCIPAL_SELF_RID<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">CO<\/td>\n<td valign=\"baseline\">Creator owner<br \/>\n<code style=\"font-size: 90%;\">SDDL_CREATOR_OWNER<\/code><br \/>\n<code style=\"font-size: 90%;\">SECURITY_CREATOR_OWNER_RID<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">CG<\/td>\n<td valign=\"baseline\">Creator group<br \/>\n<code style=\"font-size: 90%;\">SDDL_CREATOR_GROUP<\/code><br \/>\n<code style=\"font-size: 90%;\">SECURITY_CREATOR_GROUP_RID<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">SY<\/td>\n<td valign=\"baseline\">Local system<br \/>\n<code style=\"font-size: 90%;\">SDDL_LOCAL_SYSTEM<\/code><br \/>\n<code style=\"font-size: 90%;\">SECURITY_LOCAL_SYSTEM_RID<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">PU<\/td>\n<td valign=\"baseline\">Power users<br \/>\n<code style=\"font-size: 90%;\">SDDL_POWER_USERS<\/code><br \/>\n<code style=\"font-size: 90%;\">DOMAIN_ALIAS_RID_POWER_USERS<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">WD<\/td>\n<td valign=\"baseline\">Everyone (World)<br \/>\n<code style=\"font-size: 90%;\">SDDL_EVERYONE<\/code><br \/>\n<code style=\"font-size: 90%;\">SECURITY_WORLD_RID<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">RE<\/td>\n<td valign=\"baseline\">Replicator<br \/>\n<code style=\"font-size: 90%;\">SDDL_REPLICATOR<\/code><br \/>\n<code style=\"font-size: 90%;\">DOMAIN_ALIAS_RID_REPLICATOR<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">IU<\/td>\n<td valign=\"baseline\">Interactive logon user<br \/>\n<code style=\"font-size: 90%;\">SDDL_INTERACTIVE<\/code><br \/>\n<code style=\"font-size: 90%;\">SECURITY_INTERACTIVE_RID<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">NU<\/td>\n<td valign=\"baseline\">Network logon user<br \/>\n<code style=\"font-size: 90%;\">SDDL_NETWORK<\/code><br \/>\n<code style=\"font-size: 90%;\">SECURITY_NETWORK_RID<\/code><\/td>\n<\/tr>\n<tr>\n<td 
valign=\"baseline\">SU<\/td>\n<td valign=\"baseline\">Service logon user<br \/>\n<code style=\"font-size: 90%;\">SDDL_SERVICE<\/code><br \/>\n<code style=\"font-size: 90%;\">SECURITY_SERVICE_RID<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">RC<\/td>\n<td valign=\"baseline\">Restricted code<br \/>\n<code style=\"font-size: 90%;\">SDDL_RESTRICTED_CODE<\/code><br \/>\n<code style=\"font-size: 90%;\">SECURITY_RESTRICTED_CODE_RID<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">SA<\/td>\n<td valign=\"baseline\">Schema administrators<br \/>\n<code style=\"font-size: 90%;\">SDDL_SCHEMA_ADMINISTRATORS<\/code><br \/>\n<code style=\"font-size: 90%;\">DOMAIN_GROUP_RID_SCHEMA_ADMINS<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">CA<\/td>\n<td valign=\"baseline\">Certificate server administrators<br \/>\n<code style=\"font-size: 90%;\">SDDL_CERT_SERV_ADMINISTRATORS<\/code><br \/>\n<code style=\"font-size: 90%;\">DOMAIN_GROUP_RID_CERT_ADMINS<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">RS<\/td>\n<td valign=\"baseline\">RAS servers group<br \/>\n<code style=\"font-size: 90%;\">SDDL_RAS_SERVERS<\/code><br \/>\n<code style=\"font-size: 90%;\">DOMAIN_ALIAS_RID_RAS_SERVERS<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">EA<\/td>\n<td valign=\"baseline\">Enterprise administrators<br \/>\n<code style=\"font-size: 90%;\">SDDL_ENTERPRISE_ADMINS<\/code><br \/>\n<code style=\"font-size: 90%;\">DOMAIN_GROUP_RID_ENTERPRISE_ADMINS<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">PA<\/td>\n<td valign=\"baseline\">Group Policy administrators<br \/>\n<code style=\"font-size: 90%;\">SDDL_GROUP_POLICY_ADMINS<\/code><br \/>\n<code style=\"font-size: 90%;\">DOMAIN_GROUP_RID_POLICY_ADMINS<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">RU<\/td>\n<td valign=\"baseline\">Compatibility for pre-Windows 2000 accounts<br \/>\n<code style=\"font-size: 90%;\">SDDL_ALIAS_PREW2KCOMPACC<\/code><br \/>\n<code style=\"font-size: 
90%;\">DOMAIN_ALIAS_RID_PREW2KCOMPACCESS<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">AN<\/td>\n<td valign=\"baseline\">Anonymous logon<br \/>\n<code style=\"font-size: 90%;\">SDDL_ANONYMOUS<\/code><br \/>\n<code style=\"font-size: 90%;\">SECURITY_ANONYMOUS_LOGON_RID<\/code><\/td>\n<td rowspan=\"7\" valign=\"baseline\">Windows XP<\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">LS<\/td>\n<td valign=\"baseline\">Local service account<br \/>\n<code style=\"font-size: 90%;\">SDDL_LOCAL_SERVICE<\/code><br \/>\n<code style=\"font-size: 90%;\">SECURITY_LOCAL_SERVICE_RID<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">NS<\/td>\n<td valign=\"baseline\">Network service account<br \/>\n<code style=\"font-size: 90%;\">SDDL_NETWORK_SERVICE<\/code><br \/>\n<code style=\"font-size: 90%;\">SECURITY_NETWORK_SERVICE_RID<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">RD<\/td>\n<td valign=\"baseline\">Remote desktop users<br \/>\n<code style=\"font-size: 90%;\">SDDL_REMOTE_DESKTOP<\/code><br \/>\n<code style=\"font-size: 90%;\">DOMAIN_ALIAS_RID_REMOTE_DESKTOP_USERS<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">NO<\/td>\n<td valign=\"baseline\">Network configuration operators<br \/>\n<code style=\"font-size: 90%;\">SDDL_NETWORK_CONFIGURATION_OPS<\/code><br \/>\n<code style=\"font-size: 90%;\">DOMAIN_ALIAS_RID_NETWORK_CONFIGURATION_OPS<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">MU<\/td>\n<td valign=\"baseline\">Performance Monitor users<br \/>\n<code style=\"font-size: 90%;\">SDDL_PERFMON_USERS<\/code><br \/>\n<code style=\"font-size: 90%;\">DOMAIN_ALIAS_RID_MONITORING_USERS<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">LU<\/td>\n<td valign=\"baseline\">Performance Log users<br \/>\n<code style=\"font-size: 90%;\">SDDL_PERFLOG_USERS<\/code><br \/>\n<code style=\"font-size: 90%;\">DOMAIN_ALIAS_RID_LOGGING_USERS<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">WR<\/td>\n<td valign=\"baseline\">Write Restricted code<br \/>\n<code 
style=\"font-size: 90%;\">SDDL_WRITE_RESTRICTED_CODE<\/code><br \/>\n<code style=\"font-size: 90%;\">SECURITY_WRITE_RESTRICTED_CODE_RID<\/code><\/td>\n<td rowspan=\"4\" valign=\"baseline\">Windows Vista<\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">IS<\/td>\n<td valign=\"baseline\">Anonymous Internet users<br \/>\n<code style=\"font-size: 90%;\">SDDL_IIS_USERS<\/code><br \/>\n<code style=\"font-size: 90%;\">DOMAIN_ALIAS_RID_IUSERS<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">CY<\/td>\n<td valign=\"baseline\">Crypto operators<br \/>\n<code style=\"font-size: 90%;\">SDDL_CRYPTO_OPERATORS<\/code><br \/>\n<code style=\"font-size: 90%;\">DOMAIN_ALIAS_RID_CRYPTO_OPERATORS<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">OW<\/td>\n<td valign=\"baseline\">Owner Rights SID<br \/>\n<code style=\"font-size: 90%;\">SDDL_OWNER_RIGHTS<\/code><br \/>\n<code style=\"font-size: 90%;\">SECURITY_CREATOR_OWNER_RIGHTS_RID<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">RM<\/td>\n<td valign=\"baseline\">RMS service operators<br \/>\n<code style=\"font-size: 90%;\">SDDL_RMS_SERVICE_OPERATORS<\/code><br \/>\n<code style=\"font-size: 90%;\">DOMAIN_ALIAS_RID_RMS_SERVICE_OPERATORS<\/code><\/td>\n<td valign=\"baseline\">Windows Vista<br \/>\nRemoved in Win7<\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">ER<\/td>\n<td valign=\"baseline\">Event log readers<br \/>\n<code style=\"font-size: 90%;\">SDDL_EVENT_LOG_READERS<\/code><br \/>\n<code style=\"font-size: 90%;\">DOMAIN_ALIAS_RID_EVENT_LOG_READERS_GROUP<\/code><\/td>\n<td rowspan=\"3\" valign=\"baseline\">Windows 7<\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">RO<\/td>\n<td valign=\"baseline\">Enterprise read-only domain controllers<br \/>\n<code style=\"font-size: 90%;\">SDDL_ENTERPRISE_RO_DCs<\/code><br \/>\n<code style=\"font-size: 90%;\">DOMAIN_GROUP_RID_ENTERPRISE_READONLY_DOMAIN_CONTROLLERS<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">CD<\/td>\n<td valign=\"baseline\">Can connect to certification authorities using 
DCOM<br \/>\n<code style=\"font-size: 90%;\">SDDL_CERTSVC_DCOM_ACCESS<\/code><br \/>\n<code style=\"font-size: 90%;\">DOMAIN_ALIAS_RID_CERTSVC_DCOM_ACCESS_GROUP<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">AC<\/td>\n<td valign=\"baseline\">All applications running in an app package context<br \/>\n<code style=\"font-size: 90%;\">SDDL_ALL_APP_PACKAGES<\/code><br \/>\n<code style=\"font-size: 90%;\">SECURITY_BUILTIN_PACKAGE_ANY_PACKAGE<\/code><\/td>\n<td rowspan=\"11\" valign=\"baseline\">Windows 8<\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">RA<\/td>\n<td valign=\"baseline\">RDS remote access servers<br \/>\n<code style=\"font-size: 90%;\">SDDL_RDS_REMOTE_ACCESS_SERVERS<\/code><br \/>\n<code style=\"font-size: 90%;\">DOMAIN_ALIAS_RID_RDS_REMOTE_ACCESS_SERVERS<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">ES<\/td>\n<td valign=\"baseline\">Endpoint servers<br \/>\n<code style=\"font-size: 90%;\">SDDL_RDS_ENDPOINT_SERVERS<\/code><br \/>\n<code style=\"font-size: 90%;\">DOMAIN_ALIAS_RID_RDS_ENDPOINT_SERVERS<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">MS<\/td>\n<td valign=\"baseline\">Management servers<br \/>\n<code style=\"font-size: 90%;\">SDDL_RDS_MANAGEMENT_SERVERS<\/code><br \/>\n<code style=\"font-size: 90%;\">DOMAIN_ALIAS_RID_RDS_MANAGEMENT_SERVERS<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">UD<\/td>\n<td valign=\"baseline\">User-mode driver<br \/>\n<code style=\"font-size: 90%;\">SDDL_USER_MODE_DRIVERS<\/code><br \/>\n<code style=\"font-size: 90%;\">SECURITY_USERMODEDRIVERHOST_ID_BASE_RID<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">HA<\/td>\n<td valign=\"baseline\">Hyper-V administrators<br \/>\n<code style=\"font-size: 90%;\">SDDL_HYPER_V_ADMINS<\/code><br \/>\n<code style=\"font-size: 90%;\">DOMAIN_ALIAS_RID_HYPER_V_ADMINS<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">CN<\/td>\n<td valign=\"baseline\">Domain controllers which may be cloned<br \/>\n<code style=\"font-size: 
90%;\">SDDL_CLONEABLE_CONTROLLERS<\/code><br \/>\n<code style=\"font-size: 90%;\">DOMAIN_GROUP_RID_CLONEABLE_CONTROLLERS<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">AA<\/td>\n<td valign=\"baseline\">Access control assistant operators<br \/>\n<code style=\"font-size: 90%;\">SDDL_ACCESS_CONTROL_ASSISTANCE_OPS<\/code><br \/>\n<code style=\"font-size: 90%;\">DOMAIN_ALIAS_RID_ACCESS_CONTROL_ASSISTANCE_OPS<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">RM<\/td>\n<td valign=\"baseline\">Remote management users<br \/>\n<code style=\"font-size: 90%;\">SDDL_REMOTE_MANAGEMENT_USERS<\/code><br \/>\n<code style=\"font-size: 90%;\">DOMAIN_ALIAS_RID_REMOTE_MANAGEMENT_USERS<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">AS<\/td>\n<td valign=\"baseline\">Authentication Authority Asserted<br \/>\n<code style=\"font-size: 90%;\">SDDL_AUTHORITY_ASSERTED<\/code><br \/>\n<code style=\"font-size: 90%;\">SECURITY_AUTHENTICATION_AUTHORITY_ASSERTED_RID<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">SS<\/td>\n<td valign=\"baseline\">Authentication Service Asserted<br \/>\n<code style=\"font-size: 90%;\">SDDL_SERVICE_ASSERTED<\/code><br \/>\n<code style=\"font-size: 90%;\">SECURITY_AUTHENTICATION_SERVICE_ASSERTED_RID<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">AP<\/td>\n<td valign=\"baseline\"><a href=\"https:\/\/docs.microsoft.com\/windows-server\/security\/credentials-protection-and-management\/protected-users-security-group\">Protected users<\/a><br \/>\n<code style=\"font-size: 90%;\">SDDL_PROTECTED_USERS<\/code><br \/>\n<code style=\"font-size: 90%;\">DOMAIN_GROUP_RID_PROTECTED_USERS<\/code><\/td>\n<td valign=\"baseline\">Windows 8.1<\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">KA<\/td>\n<td valign=\"baseline\">Domain key credential administrators<br \/>\n<code style=\"font-size: 90%;\">SDDL_KEY_ADMINS<\/code><br \/>\n<code style=\"font-size: 90%;\">DOMAIN_GROUP_RID_KEY_ADMINS<\/code><\/td>\n<td rowspan=\"2\" valign=\"baseline\">Windows 
10<\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">EK<\/td>\n<td valign=\"baseline\">Enterprise key credential administrators<br \/>\n<code style=\"font-size: 90%;\">SDDL_ENTERPRISE_KEY_ADMINS<\/code><br \/>\n<code style=\"font-size: 90%;\">DOMAIN_GROUP_RID_ENTERPRISE_KEY_ADMINS<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>&#8220;RM&#8221; is the only case I can find of something being <i>removed<\/i> from SDDL.<\/p>\n<p><b>SDDL integrity labels<\/b><\/p>\n<table class=\"cp3\" style=\"border-collapse: collapse;\" border=\"1\" cellspacing=\"0\" cellpadding=\"3\">\n<tbody>\n<tr>\n<th>Code<\/th>\n<th>Meaning<\/th>\n<th>Introduced<\/th>\n<\/tr>\n<tr>\n<td valign=\"baseline\">LW<\/td>\n<td valign=\"baseline\">Low mandatory level<br \/>\n<code style=\"font-size: 90%;\">SECURITY_MANDATORY_LOW_RID<\/code><\/td>\n<td rowspan=\"2\" valign=\"baseline\">Windows Vista<\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">ME<\/td>\n<td valign=\"baseline\">Medium mandatory level<br \/>\n<code style=\"font-size: 90%;\">SECURITY_MANDATORY_MEDIUM_RID<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">MP<\/td>\n<td valign=\"baseline\">Medium Plus mandatory level<br \/>\n<code style=\"font-size: 90%;\">SECURITY_MANDATORY_MEDIUM_PLUS_RID<\/code><\/td>\n<td valign=\"baseline\">Windows 7<\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">HI<\/td>\n<td valign=\"baseline\">High mandatory level<br \/>\n<code style=\"font-size: 90%;\">SECURITY_MANDATORY_HIGH_RID<\/code><\/td>\n<td rowspan=\"2\" valign=\"baseline\">Windows Vista<\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">SI<\/td>\n<td valign=\"baseline\">System mandatory level<br \/>\n<code style=\"font-size: 90%;\">SECURITY_MANDATORY_SYSTEM_RID<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><b>SDDL syntax elements<\/b><\/p>\n<table class=\"cp3\" style=\"border-collapse: collapse;\" border=\"1\" cellspacing=\"0\" cellpadding=\"3\">\n<tbody>\n<tr>\n<th>Syntax<\/th>\n<th>Meaning<\/th>\n<th>Introduced<\/th>\n<\/tr>\n<tr>\n<td 
valign=\"baseline\">semicolon<\/td>\n<td valign=\"baseline\">Separates elements inside an ACE<br \/>\n<code style=\"font-size: 90%;\">SDDL_SEPERATOR<\/code><\/td>\n<td rowspan=\"3\" valign=\"baseline\">Windows 2000<\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">colon<\/td>\n<td valign=\"baseline\">Delimits SD components<br \/>\n<code style=\"font-size: 90%;\">SDDL_DELIMINATOR<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">parentheses<\/td>\n<td valign=\"baseline\">Enclose an ACE<br \/>\n<code style=\"font-size: 90%;\">SDDL_ACE_BEGIN<\/code><br \/>\n<code style=\"font-size: 90%;\">SDDL_ACE_END<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">parentheses<\/td>\n<td valign=\"baseline\">Enclose a conditional ACE expression<br \/>\n<code style=\"font-size: 90%;\">SDDL_ACE_COND_BEGIN<\/code><br \/>\n<code style=\"font-size: 90%;\">SDDL_ACE_COND_END<\/code><\/td>\n<td rowspan=\"4\" valign=\"baseline\">Windows 7<\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">curly braces<\/td>\n<td valign=\"baseline\">Enclose a comma-separated list of SIDs<br \/>\n<code style=\"font-size: 90%;\">SDDL_ACE_COND_COMPOSITEVALUE_BEGIN<\/code><br \/>\n<code style=\"font-size: 90%;\">SDDL_ACE_COND_COMPOSITEVALUE_SEPERATOR<\/code><br \/>\n<code style=\"font-size: 90%;\">SDDL_ACE_COND_COMPOSITEVALUE_END<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">number sign<\/td>\n<td valign=\"baseline\">Hexadecimal byte data<br \/>\n<code style=\"font-size: 90%;\">SDDL_ACE_COND_BLOB_PREFIX<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"baseline\">parentheses<\/td>\n<td valign=\"baseline\">Enclose a string SID in a SID list<br \/>\n<code style=\"font-size: 90%;\">SDDL_ACE_COND_SID_BEGIN<\/code><br \/>\n<code style=\"font-size: 90%;\">SDDL_ACE_COND_SID_END<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>I like how &#8220;separator&#8221; and &#8220;delimiter&#8221; are misspelled.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Things come, and rarely 
go.<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[104],"class_list":["post-106640","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-tipssupport"],"acf":[],"blog_post_summary":"<p>Things come, and rarely go.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/106640","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=106640"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/106640\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=106640"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=106640"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=106640"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}