Does anybody know how to translate Windows SDDL strings into Human readable format?

Question

I have been recently trying to complete an audit on printers.

After completing a small slice of the work by manually putting in all the information into excel and almost losing my mind, I decided to take a different approach and learn how to use powershell to save time and effort, and also prepare a much more accurate and clean document in a considerably shorter time span. I only have one problem...90% of the information is incredibly accurate, apart from the SDDL strings, which were quite cryptic.

I learned that there exists a way to translate them, via the ConvertFrom-SddlString function, but the output is still lacking the essential information I need:

• Group or Username (Example: Everyone; John Doe; All Application Packages; CREATOR OWNER; Admins; etc..)
• Permissions (Print, Manage this printer, Manage Documents, or any combination of these)

Example of the output I was trying to achieve from the SDDL strings: "[Everybody: Print; All Application Packages: Manage Documents; CREATOR OWNER: Print, Manage Documents; AdminY: Print, Manage documents, Manage this printer; AdminX: Print, Manage this printer]"

The ConvertFrom-AddlString seems to be lacking some groups, and also doesn't tell you some permissions. I tried manually writing a parser for the sddl string in powershell, but being a newbie in powershell I am finding myself quite lost.

I have scoured the internet looking for a function or some code that might be able to do just that but to no avail, and we are severely limited in programming within the company, so I cannot use any other programming languages I know to help me out.

Does anyone know if there is a way to translate the SDDL strings in a more reliable/accurate manner?

    $allprintservers = (Get-ADObject -LDAPFilter "(.......)" -properties *|Sort-Object -Unique -Property servername).servername 
    $prntrs = @()
    foreach ($printserver in $allprintservers){
        $pos = $printserver.IndexOf(".")
        $PrintServerName = $printserver.Substring(0, $pos)
        $printers = (Get-Printer -ComputerName $PrintServerName | Where-Object  {$_.Name -notlike "......."}).Name
        foreach ($printer in $printers) {
            if ([string]::IsNullOrWhiteSpace($printer) -or $printer -like "........."){
                $printer = "null"
                break
            }else{
                $currentprinter = Get-Printer -ComputerName $PrintServerName | Where-Object  {$_.Name -like $printer}
                $name = $currentprinter.Name
                $location = $currentprinter.Location
                $comment = $currentprinter.Comment
                $driverName = $currentprinter.DriverName
                $sharedName = $currentprinter.ShareName
                $shared = $currentprinter.Shared
                $portName = $currentprinter.PortName
                $permissions = (Get-Printer -ComputerName $PrintServerName -name $name -Full).PermissionSDDL
                $translation = ConvertFrom-SddlString -sddl $permissions -type ActiveDirectoryRights | Select-Object -ExpandProperty DiscretionaryAcl
                $translation = [string]::join("; ",($translation.Split("`n")))
            }#else
            $prntr = [PSCustomObject]@{
                ServerName = $PrintServerName
                PrinterName = $name
                Location = $location
                Comment = $comment
                DriverName = $driverName
                SharedName = $sharedName
                Shared = $shared
                PortName = $portName
                UnTransACL = $permissions
                TransACL = $translation
            }#printer_CustomObject
            $prntrs += $prntr
        }#Foreach 2nd
    }#foreach 1st
    $prntrs | Export-Csv "..\..\PrinterAudit2022.csv" -Encoding UTF8

I have removed a very few select parts of the code to avoid sharing any sensitive information, but it shouldn't affect the logic of the code.