How to build a SDDL string and set service permissions

Posted by

In my example I have a service that needs administrative permissions to start, restart and stop, I need to be able to do this as a normal user, without elevate myself, is there any way to do this?

Sure you say why don’t you use the “Computer Configuration\Policies\Windows Settings\Security Settings\System Services” Group policy settings for that? Well, in my case I just can’t, so how do I do?

First we will use the command SC.exe and the parameter SDSHOW and SDSET and we also need some knowledge to SDDL.

SC is a command line program used for communicating with the Service Control Manager and services. And the parameters SDSHOW will display the security descriptor of a service and SDSET will help to set a new one.

We will use the service BITS, Background Intelligent Transfer Service, as an example. As you understand you should not change these permissions in any production environment, this is only used for educational purpose.

First to demonstrate the error message the occurs

And now run the command SC.exe SDSHOW bits to get the current security descriptor.

This looks like a foreign language to most people, what is this? This is the SDDL, Security Descriptor Definition Language, simply explained by what permissions a certain user/group/system will have and is explained on MSDN:

Let’s try to break this down a bit. The format of the SDDL is described like this


So if we look at the first paragraph (A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)

The first is explained by ACE type


The second two letters is the ACE flags


CCDCLCSWRPWPDTLOCRSDRCWDWO indicates what specific rights that will be delegated and needs to break down a little bit more


Etcetera, look at the rights table at this page: and for explanations

The last SY is a SID String and means SDDL_LOCAL_SYSTEM and corresponding RID is SECURITY_LOCAL_SYSTEM_RID

This wasn’t that hard, right? So let’s find out how to build this string for us. We need permissions somewhere between what an interactive user (IU) and the built in administrators (BA)

Built in Administrators = (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)

Interactive Users = (A;;CCLCSWLOCRRC;;;IU)

That gives me something like (A;;CCDCLCSWRPWPDTLOCRSDRC;;;BU) where BU stands for Built in Users.

We will add this string to the original string before the S: in the end. This means


Equals this command to set the permission


Verify the settings

And finally try to start and stop the service with normal user permission and it works like a charm


  1. Great article. If you would like to accomplish the same result, but without having to learn SDDL syntax or make potentially breaking changes to systems and have even more control using a web interface, I would invite you take a look at System Frontier.


Leave a comment

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.