Win32_SecurityDescriptor

The Win32_SecurityDescriptor abstract WMI class represents a SECURITY_DESCRIPTOR structure. A security descriptor contains the security information for a securable object. The Owner and Group prope...

The Win32_SecurityDescriptor abstract WMI class represents a SECURITY_DESCRIPTOR structure. A security descriptor contains the security information for a securable object. The Owner and Group properties identify the owner and primary group for the object. It can also contain a <em>discretionary access control list (DACL)</em> that controls access to the object and a <em>system access control list (SACL)</em> that controls the logging of attempts to access the object.

Methods

Win32_SecurityDescriptor has no methods.

Properties

Win32_SecurityDescriptor returns 6 properties:

'ControlFlags','DACL','Group','Owner','SACL','TIME_CREATED'

Unless explicitly marked as writeable, all properties are read-only. Read all properties for all instances:

Get-CimInstance -ClassName Win32_SecurityDescriptor -Property *

Most WMI classes return one or more instances.

When Get-CimInstance returns no result, then apparently no instances of class Win32_SecurityDescriptor exist. This is normal behavior.

Either the class is not implemented on your system (may be deprecated or due to missing drivers, i.e. CIM_VideoControllerResolution), or there are simply no physical representations of this class currently available (i.e. Win32_TapeDrive).

ControlFlags

UINT32

Control bits that qualify the meaning of a security descriptor (SD) or its individual members. See the Remarks section of this topic for information about setting the ControlFlags value. The following list lists the flags in ControlFlags. For more information, see SECURITY_DESCRIPTOR_CONTROL.

Indicates an SD with a default owner security identifier (SID). Use this bit to find all of the objects that have default owner permissions set.

Indicates an SD with a default group SID. Use this bit to find all of the objects that have default group permissions set.

Indicates an SD that has a DACL. If this flag is not set, or if this flag is set and the DACL is NULL, the SD allows full access to everyone.

Indicates an SD with a default DACL. For example, if an object creator does not specify a DACL, the object receives the default DACL from the access token of the creator. This flag can affect how the system treats the DACL, with respect to access control entry (ACE) inheritance. The system ignores this flag if the SE_DACL_PRESENT flag is not set.

Indicates an SD that has a system access control list (SACL).

Indicates an SD with a default SACL. For example, if an object creator does not specify an SACL, the object receives the default SACL from the access token of the creator. This flag can affect how the system treats the SACL, with respect to ACE inheritance. The system ignores this flag if the SE_SACL_PRESENT flag is not set.

Requests that the provider for the object protected by the SD automatically propagate the DACL to existing child objects. If the provider supports automatic inheritance, the DACL is propagated to any existing child objects, and the SE_DACL_AUTO_INHERITED bit in the SD of the parent and child objects is set.

Requests that the provider for the object protected by the SD automatically propagate the SACL to existing child objects. If the provider supports automatic inheritance, the SACL is propagated to any existing child objects, and the SE_SACL_AUTO_INHERITED bit in the SDs of the parent object and child objects is set.

Indicates an SD in which the DACL is set up to support automatic propagation of inheritable ACEs to existing child objects. The system sets this bit when it performs the automatic inheritance algorithm for the object and its existing child objects.

Indicates an SD in which the SACL is set up to support automatic propagation of inheritable ACEs to existing child objects. The system sets this bit when it performs the automatic inheritance algorithm for the object and its existing child objects.

Prevents the DACL of an SD from being modified by inheritable ACEs.

Prevents the SACL of an SD from being modified by inheritable ACEs.

Indicates an SD in self-relative format with all the security information in a contiguous block of memory. If this flag is not set, the SD is in absolute format. For more information, see Absolute and Self-Relative Security Descriptors.

Get-CimInstance -ClassName Win32_SecurityDescriptor | Select-Object -Property ControlFlags

DACL

WRITEABLE WIN32_ACE ARRAY

Each array entry defines the type of object access that the system grants to a specific user or group. For more information about security for access control lists (ACL), see Access Control Lists and Creating a DACL.

Get-CimInstance -ClassName Win32_SecurityDescriptor | Select-Object -Property DACL

Group

WRITEABLE WIN32_TRUSTEE

Group that owns this object.

Get-CimInstance -ClassName Win32_SecurityDescriptor | Select-Object -Property Group

Owner

WRITEABLE WIN32_TRUSTEE

Owner of an object.

Get-CimInstance -ClassName Win32_SecurityDescriptor | Select-Object -Property Owner

SACL

WRITEABLE WIN32_ACE ARRAY

Each array entry defines the type of access attempts that generate audit records for a specific user or group.

Get-CimInstance -ClassName Win32_SecurityDescriptor | Select-Object -Property SACL

TIME_CREATED

UINT64

Time in the CIM_DATETIME format when the security descriptor was created.

Get-CimInstance -ClassName Win32_SecurityDescriptor | Select-Object -Property TIME_CREATED

Examples

List all instances of Win32_SecurityDescriptor
Get-CimInstance -ClassName Win32_SecurityDescriptor

Learn more about Get-CimInstance and the deprecated Get-WmiObject.

View all properties
Get-CimInstance -ClassName Win32_SecurityDescriptor -Property *
View key properties only
Get-CimInstance -ClassName Win32_SecurityDescriptor -KeyOnly

Selecting Properties

To select only some properties, pipe the results to Select-Object -Property a,b,c with a comma-separated list of the properties you require. Wildcards are permitted.

Get-CimInstance always returns all properties but only retrieves the ones that you specify. All other properties are empty but still present. That’s why you need to pipe the results into Select-Object if you want to limit the visible properties, i.e. for reporting.

Selecting Properties

The code below lists all available properties. Remove the ones you do not need:

$properties = 'ControlFlags',
              'DACL',
              'Group',
              'Owner',
              'SACL',
              'TIME_CREATED'
Get-CimInstance -ClassName Win32_SecurityDescriptor | Select-Object -Property $properties
Limiting Network Bandwidth

If you work remotely, it makes sense to limit network bandwidth by filtering the properties on the server side, too:

Get-CimInstance -Class Win32_SecurityDescriptor -Property $property | 
Select-Object -Property $property

Selecting Instances

To select some instances, use Get-CimInstance and a WMI Query. The wildcard character in WMI Queries is % (and not “*”).

The parameter -Filter runs a simple query.

Listing all instances where the property Caption starts with “A”
Get-CimInstance -Class Win32_SecurityDescriptor -Filter 'Caption LIKE "a%"' 
Using a WQL Query

The parameter -Query uses a query similar to SQL and combines the parameters -Filter and -Property. This returns all instances where the property Caption starts with “A”, and returns the properties specified:

Get-CimInstance -Query "SELECT SACL, TIME_CREATED, DACL, Owner FROM Win32_SecurityDescriptor WHERE Caption LIKE 'a%'"

Any property you did not specify is still present but empty. You might need to use Select-Object to remove all unwanted properties:

Get-CimInstance -Query "SELECT SACL, TIME_CREATED, DACL, Owner FROM Win32_SecurityDescriptor WHERE Caption LIKE 'a%'" | Select-Object -Property SACL, TIME_CREATED, DACL, Owner

Accessing Remote Computers

To access remote systems, you need to have proper permissions. User the parameter -ComputerName to access one or more remote systems.

Authenticating as Current User
# one or more computer names or IP addresses:
$list = 'server1', 'server2'

# authenticate with your current identity:
$result = Get-CimInstance -ClassName Win32_SecurityDescriptor -ComputerName $list 
$result
Authenticating as Different User

Use a CIMSession object to authenticate with a new identity:

# one or more computer names or IP addresses:
$list = 'server1', 'server2'

# authenticate with a different identity:
$cred = Get-Credential -Message 'Authenticate to retrieve WMI information:'
$session = New-CimSession -ComputerName $list -Credential $cred

$result = Get-CimInstance Win32_SecurityDescriptor -CimSession $session

# remove the session after use (if you do not plan to re-use it later)
Remove-CimSession -CimSession $session

$result

Learn more about accessing remote computers.

Requirements

To use Win32_SecurityDescriptor, the following requirements apply:

PowerShell

Get-CimInstance was introduced with PowerShell Version 3.0, which in turn was introduced on clients with Windows 8 and on servers with Windows Server 2012.

If necessary, update Windows PowerShell to Windows PowerShell 5.1, or install PowerShell 7 side-by-side.

Operating System

Win32_SecurityDescriptor was introduced on clients with Windows Vista and on servers with Windows Server 2008.

Namespace

Win32_SecurityDescriptor lives in the Namespace Root/CIMV2. This is the default namespace. There is no need to use the -Namespace parameter in Get-CimInstance.

Implementation

Win32_SecurityDescriptor is implemented in CIMWin32.dll and defined in Secrcw32.mof. Both files are located in the folder C:\Windows\system32\wbem:

explorer $env:windir\system32\wbem
notepad $env:windir\system32\wbem\Secrcw32.mof