ACL & SDDL Lab
Paste SDDL or pick samples, then see owner, DACL, SACL, and ACE meaning in plain language.
SDDL input
Security Descriptor Definition Language — what icacls /q prints for advanced ACL views.
Parsed components
- Owner (O:): SY
- Group (G:): SY
- DACL (D:): D:
- SACL (S:): Not present
Access control entries (ACEs)
Order matters: Windows walks the DACL in order, so a deny ACE that matches your SID blocks access even if a later allow ACE exists (when the deny applies first).
| Effect | Trustee | Rights | Raw |
|---|---|---|---|
| Allow | BA (Built-in Administrators) | FA | (A;ID;FA;;;BA) |
| Allow | SY (Local System) | FA | (A;ID;FA;;;SY) |
| Allow | AU (Authenticated Users) | 0x1301bf | (A;ID;0x1301bf;;;AU) |
| Allow | BA (Built-in Administrators) | FA | (A;ID;FA;;;BA) |
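The breakdown above can be reproduced offline. The following Python parser is an added example, not the lab's own code: it splits an SDDL string into owner, group, DACL and SACL, expands each ACE in listed order, and decodes a hex access mask into individual file rights. The SAMPLE string is assembled from the values shown above, and the lookup tables cover only a subset of SDDL aliases.

```python
import re

# Subset of well-known SDDL SID aliases, ACE types and file access-mask bits.
SIDS = {"BA": "Built-in Administrators", "SY": "Local System", "AU": "Authenticated Users"}
ACE_TYPES = {"A": "Allow", "D": "Deny", "AU": "Audit"}
RIGHT_ALIASES = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0}
FILE_BITS = {
    0x000001: "FILE_READ_DATA", 0x000002: "FILE_WRITE_DATA", 0x000004: "FILE_APPEND_DATA",
    0x000008: "FILE_READ_EA", 0x000010: "FILE_WRITE_EA", 0x000020: "FILE_EXECUTE",
    0x000040: "FILE_DELETE_CHILD", 0x000080: "FILE_READ_ATTRIBUTES",
    0x000100: "FILE_WRITE_ATTRIBUTES", 0x010000: "DELETE", 0x020000: "READ_CONTROL",
    0x040000: "WRITE_DAC", 0x080000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}

def rights_to_mask(rights):
    """Turn an ACE rights field (hex mask or two-letter aliases) into an integer mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for code in re.findall("..", rights):
        mask |= RIGHT_ALIASES[code]  # KeyError on an alias outside this subset
    return mask

def mask_names(mask):
    """Names of the individual file rights set in a mask."""
    return [name for bit, name in FILE_BITS.items() if mask & bit]

def parse_sddl(sddl):
    """Split SDDL into owner, group, DACL and SACL; expand each ACE in listed order."""
    parts = re.split(r"([OGDS]):", sddl)
    sd = dict(zip(parts[1::2], parts[2::2]))
    out = {"owner": sd.get("O"), "group": sd.get("G"), "dacl": None, "sacl": None}
    for key, name in (("D", "dacl"), ("S", "sacl")):
        if key not in sd:
            continue  # component not present
        aces = []
        for raw in re.findall(r"\(([^)]*)\)", sd[key]):
            ace_type, flags, rights, _obj, _inh_obj, trustee = raw.split(";")[:6]
            aces.append({"effect": ACE_TYPES.get(ace_type, ace_type), "flags": flags,
                         "trustee": SIDS.get(trustee, trustee),
                         "mask": rights_to_mask(rights), "raw": f"({raw})"})
        out[name] = {"flags": sd[key].split("(", 1)[0], "aces": aces}
    return out

# Constructed input: assembled from the owner, group and ACEs shown in the lab output above.
SAMPLE = "O:SYG:SYD:(A;ID;FA;;;BA)(A;ID;FA;;;SY)(A;ID;0x1301bf;;;AU)(A;ID;FA;;;BA)"

if __name__ == "__main__":
    for ace in parse_sddl(SAMPLE)["dacl"]["aces"]:
        missing = mask_names(RIGHT_ALIASES["FA"] & ~ace["mask"])
        print(ace["effect"], ace["trustee"], hex(ace["mask"]), "lacks:", missing or "nothing")
```

For the Authenticated Users ACE, the output shows that 0x1301bf lacks FILE_DELETE_CHILD, WRITE_DAC and WRITE_OWNER relative to FA: modify access without the ability to rewrite the DACL or take ownership.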
On a Windows machine (PowerShell)
These steps run locally — the browser lab above is for learning; Windows tools show the real system behavior.
1. icacls C:\Windows\System32 | more
2. icacls "$env:USERPROFILE\Desktop\sample.txt"
3. icacls sample.txt /save acl.txt
4. icacls . /restore acl.txt