
How to Set Permissions Using SDDL Strings in Batch Script

Setting complex NTFS permissions usually involves running multiple icacls commands to grant or deny access to various users. This process is time-consuming and prone to human error. However, there is a much faster and more professional method: using SDDL (Security Descriptor Definition Language) strings.

An SDDL string is a compact, single-line representation of a DACL (Discretionary Access Control List) configuration. By using the icacls /restore command, you can apply these complex strings to a file or folder in a single operation.

In this guide, we will demonstrate how to pack your desired permissions into an SDDL file and apply them using a Batch script.

The Strategy: The Two-Step Restore

Because icacls expects a specific file format for restoration, we write our SDDL string into a temporary text file and then tell icacls to "restore" the security state from that file.

Implementation Script

In this example, we will set a folder to have a very specific security profile: Only Administrators have Full Control, and the SYSTEM account has Full Control. Everyone else is locked out.

The SDDL for this is: D:P(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)

@echo off
setlocal

set "targetDir=C:\ProtectedData"
set "sddlFile=%TEMP%\sddl_template.txt"

:: 1. Create the target directory if it doesn't exist
if not exist "%targetDir%" mkdir "%targetDir%"

echo Preparing SDDL permission template...

:: 2. Build the SDDL file
:: icacls /restore expects a two-line format:
:: Line 1: The name of the target (relative to the parent path passed to icacls)
:: Line 2: The DACL string in SDDL format
for %%F in ("%targetDir%") do set "folderName=%%~nxF"

> "%sddlFile%" echo %folderName%
>> "%sddlFile%" echo D:P(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)

echo Applying SDDL permissions to %targetDir%...

:: 3. Restore permissions from the template
:: The path must be the PARENT directory of the target folder
for %%F in ("%targetDir%") do icacls "%%~dpF" /restore "%sddlFile%"

if %ERRORLEVEL% EQU 0 (
echo.
echo [SUCCESS] Permissions applied via SDDL.
) else (
echo.
echo [ERROR] Failed to apply SDDL. Ensure you are running as Administrator.
)

:: 4. Cleanup
del "%sddlFile%" 2>nul

endlocal
pause

Anatomy of the SDDL Input File

To make /restore work, your text file MUST follow this exact structure:

FolderName
D:P(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)

  • Line 1: The name of the file or folder (relative to the path you specify in the command).
  • Line 2: The DACL string in SDDL format.

Common Useful SDDL Strings

If you want to quickly build your own scripts, here are some common SDDL snippets:

Security Goal                  SDDL DACL Segment
Full Control (Admins)          (A;OICI;FA;;;BA)
Full Control (SYSTEM)          (A;OICI;FA;;;SY)
Read-Only (Everyone)           (A;OICI;FR;;;WD)
Modify (Authenticated Users)   (A;OICI;0x1301bf;;;AU)

Note: The OICI flags (OI = object inherit, CI = container inherit) make each ACE propagate to the files and subfolders beneath the target.

For permission levels that do not have a standard two-letter SDDL abbreviation (like Modify), the rights portion is expressed as a hexadecimal access mask. The most reliable way to obtain the correct SDDL string for any permission level is to configure the desired permissions on a reference folder using icacls /grant, then capture the result with icacls /save.

Advantages of the SDDL Method

1. Speed

Applying one SDDL string is far faster than running ten separate icacls /grant and icacls /deny commands, because the DACL is written once instead of once per command. For a directory tree with thousands of files, this can save minutes of execution time.

2. Consistency

Once you have defined a "Gold Standard" SDDL string for your application's data folder, you know it will be identical on every machine where your Batch script runs.

3. Single Operation

Replacing the entire DACL in one step avoids the risk of a partially configured state. When you build an ACL through a sequence of individual /grant and /deny commands, an interruption or error partway through leaves the folder with incomplete permissions. A single /restore operation applies all permission entries at once.

Best Practices

Warning: Running as Administrator. Setting permissions via SDDL is a privileged system operation. Your Batch script MUST be run with administrative privileges, or the icacls /restore command will return "Access Denied."

  1. Backup First: Before applying a new SDDL string to an existing folder, use icacls "Folder" /save "Backup.txt" so you can undo the change if needed.
  2. Use Relative Paths: Keep your SDDL files generic by using relative paths so they can be applied to different drive letters or root directories.
  3. Validate Your SDDL: If you have a typo in your string, icacls will return a "Parameter is incorrect" error. Double-check your parentheses!
  4. Generate Templates from Reference Folders: Rather than manually writing SDDL strings, configure the desired permissions on a reference folder and capture the result with icacls /save. This ensures the SDDL syntax is correct and the file is in the encoding that /restore expects.
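To see what the abbreviations and hex masks in the "Common Useful SDDL Strings" table actually grant, and to catch the structural typos mentioned under "Validate Your SDDL" before icacls rejects the template, here is an added Python example. It is not part of the original Batch script or of icacls; it assumes the standard Windows file-system access-mask values for FA/FR/FW/FX and the four well-known SID abbreviations used on this page, and the helper names (`parse_dacl`, `is_valid_dacl`, `broad_write_grants`) and the sample strings are constructed for this example.

```python
import re

# Well-known SID abbreviations that appear on this page (assumed subset of SDDL)
WELL_KNOWN_SIDS = {
    "BA": "BUILTIN\\Administrators",
    "SY": "NT AUTHORITY\\SYSTEM",
    "WD": "Everyone",
    "AU": "NT AUTHORITY\\Authenticated Users",
}

# File-system rights abbreviations and the access masks they expand to
RIGHTS_ABBREV = {
    "FA": 0x1F01FF,  # FILE_ALL_ACCESS
    "FR": 0x120089,  # FILE_GENERIC_READ
    "FW": 0x120116,  # FILE_GENERIC_WRITE
    "FX": 0x1200A0,  # FILE_GENERIC_EXECUTE
}

# Individual access-mask bits for files and directories, lowest bit first
MASK_BITS = [
    (0x000001, "FILE_READ_DATA"), (0x000002, "FILE_WRITE_DATA"), (0x000004, "FILE_APPEND_DATA"),
    (0x000008, "FILE_READ_EA"), (0x000010, "FILE_WRITE_EA"), (0x000020, "FILE_EXECUTE"),
    (0x000040, "FILE_DELETE_CHILD"), (0x000080, "FILE_READ_ATTRIBUTES"),
    (0x000100, "FILE_WRITE_ATTRIBUTES"), (0x010000, "DELETE"), (0x020000, "READ_CONTROL"),
    (0x040000, "WRITE_DAC"), (0x080000, "WRITE_OWNER"), (0x100000, "SYNCHRONIZE"),
]
# Bits that let a principal change content, delete, or rewrite the ACL itself
WRITE_BITS = 0x2 | 0x4 | 0x10 | 0x40 | 0x100 | 0x10000 | 0x40000 | 0x80000

ACE_RE = re.compile(r"\(([^()]*)\)")


class SddlError(ValueError):
    """Raised for strings that icacls would reject with 'The parameter is incorrect'."""


def parse_rights(field):
    """Turn an ACE rights field ('FA', 'FRFX', '0x1301bf') into an integer mask."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    if len(field) % 2:
        raise SddlError(f"rights field '{field}' is not a list of two-letter codes")
    mask = 0
    for i in range(0, len(field), 2):
        code = field[i:i + 2]
        if code not in RIGHTS_ABBREV:
            raise SddlError(f"unknown rights abbreviation '{code}'")
        mask |= RIGHTS_ABBREV[code]
    return mask


def describe_mask(mask):
    """Names of the individual rights set in an access mask, lowest bit first."""
    return [name for bit, name in MASK_BITS if mask & bit]


def parse_dacl(sddl):
    """Return (control flags, list of ACE dicts) for a 'D:' SDDL string."""
    if not sddl.startswith("D:"):
        raise SddlError("DACL string must start with 'D:'")
    body = sddl[2:]
    if body.count("(") != body.count(")"):
        raise SddlError("unbalanced parentheses")
    first = body.find("(")
    flags, ace_text = (body, "") if first < 0 else (body[:first], body[first:])
    if ACE_RE.sub("", ace_text):  # anything left over is outside a (...) group
        raise SddlError("stray characters between ACEs")
    aces = []
    for match in ACE_RE.finditer(ace_text):
        fields = match.group(1).split(";")
        if len(fields) != 6:
            raise SddlError(f"ACE {match.group(0)} has {len(fields)} fields, expected 6")
        ace_type, ace_flags, rights, _obj_guid, _inherit_guid, sid = fields
        if ace_type not in ("A", "D"):
            raise SddlError(f"unsupported ACE type '{ace_type}'")
        aces.append({
            "type": "Allow" if ace_type == "A" else "Deny",
            "flags": [ace_flags[i:i + 2] for i in range(0, len(ace_flags), 2)],
            "mask": parse_rights(rights),
            "sid": sid,
            "principal": WELL_KNOWN_SIDS.get(sid, sid),
        })
    return flags, aces


def is_valid_dacl(sddl):
    """Pre-flight check for the 'Validate Your SDDL' step: True if the string parses."""
    try:
        parse_dacl(sddl)
    except SddlError:
        return False
    return True


def broad_write_grants(sddl):
    """Least-privilege check: Everyone / Authenticated Users ACEs that allow any write bit."""
    _, aces = parse_dacl(sddl)
    return [a["principal"] for a in aces
            if a["type"] == "Allow" and a["sid"] in ("WD", "AU") and a["mask"] & WRITE_BITS]


if __name__ == "__main__":
    page_sddl = "D:P(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)"  # the string used in the script above
    for ace in parse_dacl(page_sddl)[1]:
        print(ace["type"], ace["principal"], hex(ace["mask"]), ace["flags"])
    # Why 'Modify' needs a hex mask: it is Full Control minus three specific rights
    print("Full Control minus Modify:", describe_mask(0x1F01FF ^ 0x1301BF))
    print("broad write grants:", broad_write_grants("D:P(A;OICI;0x1301bf;;;AU)"))
```

Run it before writing the template file: `is_valid_dacl` catches the unbalanced parentheses and missing semicolons that icacls otherwise reports only at apply time, `describe_mask` shows that 0x1301bf is FILE_ALL_ACCESS without FILE_DELETE_CHILD, WRITE_DAC and WRITE_OWNER (so Modify users cannot rewrite the ACL or take ownership), and `broad_write_grants` flags templates that give Everyone or Authenticated Users more than read access.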

Conclusion

Using SDDL strings is the "Pro Mode" of Batch permission management. It allows you to package complex, multi-user security policies into a single line of text and apply them with a single command. By moving away from dozens of /grant commands and toward a unified SDDL restore, you make your deployment and maintenance scripts cleaner, faster, and more professional.