An Sddl is a Security Descriptor Definition Language string – https://docs.microsoft.com/en-us/windows/win32/secauthz/security-descriptor-definition-language – that provides a succinct way to provides the security descriptor of an object as a string. An example Sddl would be
O:BAG:S-1-5-21-437587817-63618879-1935034000-1001D:AI(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)
Now I’m sure that’s totally clear to everyone but just in case you can’t decode it PowerShell has a cmdlet – ConvertFrom-SddlString – that can help.
(Get-Acl -Path C:\test\erorfile.txt).Sddl | ConvertFrom-SddlString -Type FileSystemRights
If you want the output to be more readable try
((Get-Acl -Path C:\test\erorfile.txt).Sddl |
ConvertFrom-SddlString -Type FileSystemRights |
Select-Object -ExpandProperty DiscretionaryAcl) -split ‘:’
ConvertFrom-Sddl can work with permissions from file system, registry and Active Directory among others