DSACLS Command Syntax Snippets
This topic provides information about the DSACLS command syntax text files. You can find the text files in the folder named DSACLS Snippets, which is in the download from Working with Active Directory Permissions in Exchange Server 2003. The following is a complete list of the text files.
Email Addresses Tab – Mail-Enabled Group Object.txt
Email Addresses Tab – Mail-Enabled Contact Object.txt
Email Addresses Tab – Mailbox or Mail-Enabled User Object.txt
Email Addresses Tab – Mailbox or Mail-Enabled InetOrgPerson Object (Exchange 2003).txt
Email Addresses Tab – Query-Based Distribution Group (Exchange 2003).txt
Exchange Advanced Tab - Query-Based Distribution Group (Exchange 2003).txt
Exchange Advanced Tab – Mail-Enabled User Object.txt
Exchange Advanced Tab – Mail-Enabled InetOrgPerson Object (Exchange 2003).txt
Exchange Advanced Tab – Mail-Enabled Group Object.txt
Exchange Advanced Tab – Mail-Enabled Contact Object.txt
Exchange Advanced Tab – Mailbox-Enabled User Object (Exchange 2003).txt
Exchange Advanced Tab – Mailbox-Enabled User Object (Exchange 2000).txt
Exchange Advanced Tab – Mailbox-Enabled InetOrgPerson Object (Exchange 2003).txt
Exchange Features Tab – Mailbox-Enabled User Object (Exchange 2003).txt
Exchange Features Tab – Mailbox-Enabled User Object (Exchange 2000).txt
Exchange Features Tab – Mailbox-Enabled InetOrgPerson Object (Exchange 2003).txt
Exchange General Tab – inetOrgPerson Object (Exchange 2003).txt
Exchange General Tab – inetOrgPerson Object (Exchange 2000).txt
Exchange General Tab – Mail-Enabled User Object (Exchange 2003).txt
Exchange General Tab – Mail-Enabled User Object (Exchange 2000).txt
Exchange General Tab – Mail-Enabled Group Object (Exchange 2003).txt
Exchange General Tab – Mail-Enabled Group Object (Exchange 2000).txt
Exchange General Tab – Mail-Enabled Contact Object (Exchange 2003).txt
Exchange General Tab – Mail-Enabled Contact Object (Exchange 2000).txt
Exchange General Tab – Mailbox-Enabled User Object (Exchange 2003).txt
Exchange General Tab – Mailbox-Enabled User Object (Exchange 2000).txt
Exchange General Tab – Mailbox-Enabled InetOrgPerson Object (Exchange 2003).txt
Exchange General Tab – Query-Based Distribution Group (Exchange 2003).txt
Exchange Remove Attributes – InetOrgPerson Object (Exchange 2003).txt
Exchange Remove Attributes – User Object (Exchange 2003).txt
Exchange Remove Attributes – User Object (Exchange 2000).txt
General Tab - Query-Based Distribution Group (Exchange 2003).txt
Hiding Group Membership.txt
Mail-Disable InetOrgPerson Object (Exchange 2003).txt
Mail-Disable User Object (Exchange 2003).txt
Mail-Disable User Object (Exchange 2000).txt
Mail-Disabling Contact Objects (Exchange 2003).txt
Mail-Disabling Contact Objects (Exchange 2000).txt
Mail-Disabling Group Objects (Exchange 2003).txt
Mail-Disabling Group Objects (Exchange 2000).txt
Mail-Enable InetOrgPerson Object (Exchange 2003).txt
Mail-Enable User Object.txt
Mail-Enabling Contact Objects.txt
Mail-Enabling Group Objects.txt
Mailbox-Disable User Object (Exchange 2003).txt
Mailbox-Disable User Object (Exchange 2000).txt
Mailbox-Enable InetOrgPerson Object (Exchange 2003).txt
Mailbox-Enable User Object.txt
Mailbox Move InetOrgPerson Object (Exchange 2003).txt
Mailbox Move User Object.txt
Removing Exchange Attributes on Contact Objects (Exchange 2003).txt
Removing Exchange Attributes on Contact Objects (Exchange 2000).txt
Removing Exchange Attributes on Group Objects (Exchange 2003).txt
Removing Exchange Attributes on Group Objects (Exchange 2000).txt
Note
Incorrectly modifying the attributes of Active Directory® directory service objects by using ADSI Edit (AdsiEdit.msc), DSACLS (Dsacls.exe), the LDP tool (Ldp.exe), or any other Lightweight Directory Access Protocol (LDAP) version 3 clients can cause serious problems. These problems may require reinstallation of Microsoft® Windows Server, Microsoft Exchange Server, or both. Problems that occur if ActiveDirectory object attributes are modified incorrectly may not be solved. Modify these attributes at your own risk.
The format for DSACLS is the following:
dsacls "<ContainerPath>" /I:S /G "<Domain>\<Alias>:RPWP;<Attribute>;<ClassObject>"
Where:
<ContainerPath> is the distinguished name of the object (for example, domain, organizational unit);
<Domain>\<Alias> is the account\group being granted access; where <Attribute> is the attribute to which access is being granted;
<ClassObject> is the class object (user, group, contact, and so on) to which the attribute is associated.
The /I:S switch signals DSACLS to apply the permissions to sub-objects contained within the container path. The /G switch signals DSACLS to grant the necessary permissions (as opposed to deny or remove the permissions).
The RP argument signals DSACLS to grant the Read access for the property in question. The WP argument signals DSACLS to grant Write access for the property in question.
Note
The syntax for DSACLS is one command line, which contains no line breaks.