19 March 2025
💧 SDDL — Save your tears for another day
How many times have you strained your eyes trying to understand an ACL in Windows? For example,
O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x3;;;BO)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x3;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)
means
1️⃣ O:BA - Owner "Built-in administrators"
2️⃣ G:SY - Group "Local System"
3️⃣ Last part - DACL. Let's decode one part of the DACL:
(A;;0x7;;;BA) -- ACCESS ALLOWED for "Built-in administrators" to CreateDirectories, ListDirectory, WriteData
(see this post for a deep dive into the SDDL format). If you are not a professional SDDL reader, just use the ConvertFrom-SddlString cmdlet, which was introduced in PowerShell 5.0. We can also expand the hardest part, the DACL, like this:
ConvertFrom-SddlString "O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)" | Select -Expand DiscretionaryAcl
If you are a PowerShell hater, use this or this tool. #windows #sddl
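As an added illustration, not code from the post or from PowerShell, here is a small Python parser that does what the post walks through by hand: split an SDDL string on its O:, G:, D: and S: markers, decode each ACE's six fields, and name the access-mask bits the way ConvertFrom-SddlString shows them (its .NET FileSystemRights view). The alias and rights-code tables are a subset of the documented well-known SIDs and SDDL codes; the broad_write_grants helper and the BROAD_PRINCIPALS/WRITE_LIKE sets are my own addition, a first check a reviewer would run on a descriptor. The SAMPLE string is the descriptor quoted in the post.

```python
import re

# Two-letter SID aliases (subset) -> (documented well-known SID, display name).
SID_ALIASES = {
    "BA": ("S-1-5-32-544", "Built-in administrators"), "BU": ("S-1-5-32-545", "Built-in users"),
    "BO": ("S-1-5-32-551", "Backup operators"), "SO": ("S-1-5-32-549", "Server operators"),
    "SY": ("S-1-5-18", "Local System"), "IU": ("S-1-5-4", "Interactive users"),
    "SU": ("S-1-5-6", "Service logon users"), "AU": ("S-1-5-11", "Authenticated users"),
    "WD": ("S-1-1-0", "Everyone"),
}
ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "AU": "SYSTEM_AUDIT"}
# Rights codes that may appear in an ACE instead of a hex mask.
RIGHT_CODES = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "RC": 0x20000, "SD": 0x10000, "WD": 0x40000, "WO": 0x80000,
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20, "DT": 0x40, "LO": 0x80, "CR": 0x100,
    "FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
    "KA": 0xF003F, "KR": 0x20019, "KW": 0x20006, "KX": 0x20019,
}
# Mask bits in .NET FileSystemRights terms, the default view of ConvertFrom-SddlString.
# The low 16 bits are object-specific: on a registry key or a service the same bits
# mean something else, so these names are a file-system reading of the mask.
MASK_BITS = [
    (0x1, "ListDirectory"), (0x2, "WriteData"), (0x4, "CreateDirectories"),
    (0x8, "ReadExtendedAttributes"), (0x10, "WriteExtendedAttributes"),
    (0x20, "ExecuteFile"), (0x40, "DeleteSubdirectoriesAndFiles"),
    (0x80, "ReadAttributes"), (0x100, "WriteAttributes"), (0x10000, "Delete"),
    (0x20000, "ReadPermissions"), (0x40000, "ChangePermissions"),
    (0x80000, "TakeOwnership"), (0x100000, "Synchronize"), (0x10000000, "GenericAll"),
    (0x20000000, "GenericExecute"), (0x40000000, "GenericWrite"), (0x80000000, "GenericRead"),
]
# My own review heuristic (not part of SDDL): write-like rights handed to broad principals.
WRITE_LIKE = {"WriteData", "CreateDirectories", "Delete", "ChangePermissions",
              "TakeOwnership", "GenericAll", "GenericWrite"}
BROAD_PRINCIPALS = {"S-1-1-0", "S-1-5-11", "S-1-5-32-545", "S-1-5-4"}  # Everyone, AU, Users, Interactive


def decode_mask(mask):
    """Names of the rights whose bits are set in mask, in bit order."""
    return [name for bit, name in MASK_BITS if mask & bit]

def parse_rights(text):
    """Accept a hex mask ('0xf0007'), a decimal, or concatenated codes ('GRGW', 'FA')."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    if text.isdigit():
        return int(text)
    mask = 0
    for i in range(0, len(text), 2):
        mask |= RIGHT_CODES[text[i:i + 2]]  # KeyError on an unknown code
    return mask

def resolve_sid(token):
    """Expand an alias to sid + name; pass a literal SID through with no name."""
    if token in SID_ALIASES:
        sid, name = SID_ALIASES[token]
        return {"sid": sid, "name": name}
    if re.fullmatch(r"S-1-\d+(?:-\d+)+", token):
        return {"sid": token, "name": None}
    raise ValueError(f"unrecognised SID token {token!r}")

def parse_ace(body):
    """Decode 'type;flags;rights;object_guid;inherit_object_guid;sid' (exactly six fields)."""
    ace_type, flags, rights, obj_guid, inh_guid, sid = body.split(";")
    mask = parse_rights(rights)
    return {"type": ACE_TYPES.get(ace_type, ace_type),
            "flags": [flags[i:i + 2] for i in range(0, len(flags), 2)],  # e.g. ['OI', 'CI']
            "mask": mask, "rights": decode_mask(mask),
            "object_guid": obj_guid or None, "inherit_object_guid": inh_guid or None,
            "trustee": resolve_sid(sid)}

def parse_acl(text):
    """An ACL section is optional flags (P, AR, AI) followed by (ACE)(ACE)..."""
    first = text.find("(")
    flags = text if first < 0 else text[:first]
    return {"flags": flags, "aces": [parse_ace(a) for a in re.findall(r"\(([^)]*)\)", text)]}

def parse_sddl(sddl):
    """Split on the O:, G:, D:, S: markers; each section runs up to the next marker."""
    markers = list(re.finditer(r"([OGDS]):", sddl))
    sections = {}
    for i, m in enumerate(markers):
        end = markers[i + 1].start() if i + 1 < len(markers) else len(sddl)
        sections[m.group(1)] = sddl[m.end():end]
    return {"owner": resolve_sid(sections["O"]) if "O" in sections else None,
            "group": resolve_sid(sections["G"]) if "G" in sections else None,
            "dacl": parse_acl(sections["D"]) if "D" in sections else None,
            "sacl": parse_acl(sections["S"]) if "S" in sections else None}

def broad_write_grants(parsed):
    """Allow ACEs giving write-like rights to Everyone / Authenticated Users / Users / Interactive."""
    out = []
    for ace in (parsed["dacl"] or {"aces": []})["aces"]:
        hits = sorted(WRITE_LIKE & set(ace["rights"]))
        if ace["type"] == "ACCESS_ALLOWED" and hits and ace["trustee"]["sid"] in BROAD_PRINCIPALS:
            out.append((ace["trustee"]["name"] or ace["trustee"]["sid"], hits))
    return out

# The descriptor quoted in the post.
SAMPLE = ("O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x3;;;BO)(A;;0x5;;;SO)(A;;0x1;;;IU)"
          "(A;;0x3;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)")
```

Running parse_sddl(SAMPLE) gives the owner as S-1-5-32-544 (Built-in administrators), the group as S-1-5-18 (Local System) and nine allow ACEs; the second ACE decodes to ListDirectory, WriteData, CreateDirectories for Built-in administrators, the same three rights the post lists (ConvertFrom-SddlString prints them alphabetically, this code in bit order). Literal SIDs such as S-1-5-32-573 come back with name None, which is a reminder that a full tool has to resolve them against the local or domain SAM. broad_write_grants(parse_sddl(SAMPLE)) is empty, since the only broad principal here (Interactive users) gets a read-only bit; a descriptor like D:PAI(A;OICI;0x1301bf;;;AU) would report Authenticated users with CreateDirectories, Delete and WriteData.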