active-directory-acls [DSACLs]

DSACLS.exe (installed with the AD DS role; on a workstation it comes with RSAT / the AD DS tools, or on older systems with adminpack.msi)

View or edit the ACL (the list of access control entries, ACEs) on objects in Active Directory.

Syntax
      DSACLS "[\\Computer\]ObjectDN" [/A] [/D PermissionStatement [PermissionStatement]...]
         [/G PermissionStatement [PermissionStatement]...] [/I:{T | S | P}] [/N] [/P:{Y | N}]
            [/R {User | Group} [{User | Group}]...] [/S [/T]]

      PermissionStatements:
         {User | Group}:Permissions[;{ObjectType | Property}][;InheritedObjectType]

Key
   ObjectDN   Distinguished name of the object. If omitted it is read from standard input (stdin).
              Prefix the DN with \\Computer\ to bind to that server (domain controller) instead of the default one.
   /A         Add ownership and auditing information to the results.
   /D         Deny permissions to a user or group.
   /G         Grant permissions to a user or group.
   /I:        Inheritance:
                 T  The object and its child objects (default)
                 S  The child objects only
                 P  The object and child objects down one level only
   /N         Replace the current ACEs in the ACL. By default dsacls adds the new ACEs to the existing ACL.
   /P:        Inherit permissions from parent objects (Y/N).
   /R         Revoke (delete) all ACEs for the users or groups.
   /S         Restore the default security. Default security for each object class is defined in the Active Directory schema.
   /S /T      Restore the default security on the tree of objects.

Permissions
   GR   Generic Read
   GE   Generic Execute
   GW   Generic Write
   GA   Generic All
   SD   Delete an object
   DT   Delete an object and all of its child objects
   RC   Read security information
   WD   Change security information
   WO   Change owner information
   LC   List the child objects of the object
   CC   Create a child object•
   DC   Delete a child object•
   WS   Write to self. For a group object, {ObjectType | Property} is "member" (lets the trustee add or remove themselves).
   RP   Read a property•
   WP   Write to a property•
   CA   Control access (normally a specific extended right, e.g. "Reset Password"). If you do not specify
        {ObjectType | Property} this permission applies to all meaningful control accesses on the object.
   LO   List Object. AD DS does not enforce this permission unless List Object mode is turned on
        (the third character of the dSHeuristics attribute). Use it to grant list access to a specific
        object when List Children (LC) is not granted on the parent, or to deny list access to a
        specific object when the user or group does have LC permission on the parent.

ObjectType | Property
   Limit the permission to the specified object type or property. Enter the display name of the
   object type or the property. Default = all object types and properties. For example:
      Grant the user rights to create all types of child objects:      /G Domain\User:CC
      Grant the user rights to create only child computer objects:     /G Domain\User:CC;computer

InheritedObjectType
   Limit inheritance of the permission to the specified object type. For example:
      Grant the permission so that only User objects inherit it:       /G Domain\User:CC;;user

Object Types
   User, Contact, Group, Shared Folder, Printer, Computer, Domain Controllers, OU

• If you do not specify {ObjectType | Property} to define a specific child object type, this permission will apply to all types of child objects; otherwise, it will apply only to the child object type that you specify.

You can Grant, Deny or Revoke ACEs for multiple users and groups with a single parameter (/G, /D, /R): list the users/groups separated by spaces.


Example

Grant Generic Read (GR) and Generic Execute (GE) on computer objects in the Laptops OU to JDoe:

C:\> dsacls "OU=Laptops,OU=AcmeCo,DC=ss64,DC=Com" /G Domain\JDoe:GRGE;computer
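The syntax above is most often used for delegation, and the same command is the quickest way to review what a container's ACL actually contains. The PowerShell below is an added example, not code from the original page or from Microsoft: it delegates password resets on one OU with the three-field PermissionStatement form (extended right, properties, inheritance limited to user objects), revokes that delegation, and scans a dsacls listing for ACEs that hand takeover-class rights to principals outside an allow-list. The domain, OU and group names, the trusted-principal list, and the wording of dsacls' English output that the scanner parses are all assumptions for the example.

```powershell
# Added example (not from the original page): delegate, revoke and audit with dsacls.
# Domain/OU/group names and the parsed dsacls output wording are assumptions.

function Invoke-Dsacls {
    param([Parameter(Mandatory)][string[]]$Arguments)
    # dsacls returns a non-zero exit code on failure; surface it instead of carrying on.
    $out = & dsacls.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "dsacls failed ($LASTEXITCODE): $($out -join [Environment]::NewLine)"
    }
    $out | ForEach-Object { "$_" }
}

function Grant-PasswordResetDelegation {
    param([Parameter(Mandatory)][string]$TargetOU,
          [Parameter(Mandatory)][string]$Principal)
    # Three ACEs, each limited to child *user* objects (InheritedObjectType = user) and,
    # via /I:S, applied to children only, so the OU object itself gains nothing:
    #   CA;Reset Password  - the "Reset Password" extended right (not Change Password)
    #   RPWP;pwdLastSet    - needed for "user must change password at next logon"
    #   RPWP;lockoutTime   - lets the delegate unlock accounts
    # /N is deliberately absent: it would replace the whole existing ACL.
    Invoke-Dsacls @($TargetOU, '/I:S', '/G',
        "${Principal}:CA;Reset Password;user",
        "${Principal}:RPWP;pwdLastSet;user",
        "${Principal}:RPWP;lockoutTime;user")
}

function Revoke-DelegationPrincipal {
    param([Parameter(Mandatory)][string]$TargetOU,
          [Parameter(Mandatory)][string]$Principal)
    # /R removes *every* explicit ACE for the principal on this object, not only the
    # three added above; ACEs inherited from parent containers are left alone.
    Invoke-Dsacls @($TargetOU, '/R', $Principal)
}

function Find-RiskyAces {
    param([Parameter(Mandatory)][string]$ObjectDN,
          [string[]]$TrustedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                                           'CONTOSO\Domain Admins', 'CONTOSO\Enterprise Admins'))
    # Rights that let the holder take over the object or rewrite its security descriptor.
    # Legitimate delegations (e.g. the CA right granted above) will show up too; the
    # output is a review list, not a verdict.
    $risky = 'FULL CONTROL', 'WRITE PERMISSIONS', 'WRITE OWNER', 'CONTROL ACCESS', 'WRITE SELF'
    # Assumed output layout: one "Allow <principal>   <summary>" line per ACE, with the
    # individual rights of a SPECIAL ACCESS entry on following indented lines.
    $current = $null
    foreach ($line in (Invoke-Dsacls @($ObjectDN))) {
        if ($line -match '^(Allow|Deny)\s+(.+?)(\s{2,}(.*))?$') {
            $current = if ($Matches[1] -eq 'Allow') { $Matches[2].Trim() } else { $null }
            $rights  = $Matches[4]
        } elseif ($line -match '^\s+\S') {
            $rights = $line.Trim()          # continuation line of the current ACE
        } else { continue }
        if (-not $current -or ($TrustedPrincipals -contains $current)) { continue }
        foreach ($r in $risky) {
            if ($rights -and $rights.ToUpper().Contains($r)) {
                [pscustomobject]@{ Object = $ObjectDN; Principal = $current; Right = $r; Line = $line.Trim() }
            }
        }
    }
}

# Usage (all names are assumptions for the example):
# Grant-PasswordResetDelegation -TargetOU 'OU=Staff,DC=contoso,DC=com' -Principal 'CONTOSO\Helpdesk'
# Find-RiskyAces -ObjectDN 'OU=Staff,DC=contoso,DC=com' | Format-Table -AutoSize
# Revoke-DelegationPrincipal -TargetOU 'OU=Staff,DC=contoso,DC=com' -Principal 'CONTOSO\Helpdesk'
```

Run the delegation once against a test OU, then list it with a bare `dsacls "OU=..."` to confirm the three ACEs are marked as inherit-only and scoped to user objects before applying the same command in production. Because /R strips all explicit ACEs for the principal, check the listing first when the same group also holds other delegations on that container.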

“If future generations are to remember us with gratitude rather than contempt, we must leave them more than the miracles of technology. We must leave them a glimpse of the world as it was in the beginning, not just after we got through with it” ~ President Lyndon B. Johnson


Q281146 – How to Use Dsacls in Windows Server 2003
DSAdd – Add object
DSMod – Modify object
DSGet – Display object
DSMove – Move object
DSQuery – Search for objects
DSdbUtil – Maintenance of AD, Authoritative Restore, manage snapshots.
DSAMain – Expose Active Directory data that is stored in a snapshot or backup
DSMgmt – Configure Directory Services
