Dsacls

Applies To: Windows Server 2003 R2

Displays and changes permissions (access control entries (ACEs)) in the access control list (ACL) of objects in Active Directory Application Mode (ADAM).

The ACEs that you add by using dsacls must be object-specific permissions that override the default partition permissions that are defined in the ADAM schema. Do not add ACEs unless you are well informed about security for ADAM objects.

If you specify an object without additional parameters, dsacls displays the ACEs in the ACL.

Syntax

dsacls "[\\Computer\]ObjectDN" [/A] [/D PermissionStatement [PermissionStatement]...] [/G PermissionStatement [PermissionStatement]...] [/I:{T | S | P}] [/N] [/P:{Y | N}] [/R {User | Group} [{User | Group}]...] [/S [/T]] [/resetDefaultDACL] [/resetDefaultSACL] [/takeOwnership] [/simple] [/domain:domain] [/user:username] [/passwd:{password | *}] [/?]

Parameters

  • "[\\Computer\]ObjectDN"
    Identifies the Active Directory object to investigate. Type the distinguished name of the object. To specify an object on a remote computer, type the computer name followed by the distinguished name. This parameter must be enclosed in quotation marks. Example: "CN=Kim Akers,CN=Users,DC=domain,DC=test,DC=microsoft,DC=com" or "\\Server01\CN=Kim Akers,CN=Users,DC=domain,DC=test,DC=microsoft,DC=com"
  • /A
    Adds ownership and auditing information to the display.
  • /D PermissionStatement [PermissionStatement]...
    Denies the specified permissions to the user or group. You can deny permissions to multiple users in each /D command. Example: /D Domain1\User1:CCDC Domain1\User2:DC;computer
  • /G PermissionStatement [PermissionStatement]...
    Grants the specified permissions to the user or group. You can grant permissions to multiple users in each /G command. Example: /G Domain1\User1:CCDC Domain1\User2:DC;computer
  • /I:{T | S | P}
    Specifies the objects to which the permissions are applied. This parameter determines whether the permissions are inheritable. T is the default.

    Value  Description
    T      This object and subobjects
    S      Subobjects only
    P      Propagate inheritable permissions one level only

  • /N
    Provides that the specified ACE replaces the ACEs in the ACL. By default, the ACE is added to the ACL.
  • /P:{Y | N}
    Determines whether the object is protected so that it cannot inherit permissions from its parent objects. If you omit this parameter, the inheritance properties of the object are not changed.

    Value  Description
    Y      The object is protected, and it cannot inherit permissions.
    N      The object is not protected, and it can inherit permissions.

Note

  • This parameter changes a property of the object, not of an ACE. To determine whether an ACE is inheritable, use the /I parameter.
  • /R {User | Group} [{User | Group}]...
    Deletes all ACEs for the specified users or groups. User can be specified as User@Domain or as Domain\User. Group can be specified as Group@Domain or as Domain\Group. You can delete ACEs for multiple users and groups in a single /R parameter. Example: /R Domain1\User1 Domain1\User2
  • /S
    Restores the security on the object to the default for that object class, as defined in the Active Directory schema.
  • /T
    Restores the security on the tree of objects to the default for each object class. This parameter is valid only with the /S parameter.
  • /resetDefaultDACL
    Restores the DACL on the object to the default setting for the object, based on the schema definition for the object class.
  • /resetDefaultSACL
    Restores the SACL on the object to the default setting, based on the schema definition for the object class.
  • /takeOwnership
    Assigns object ownership to the account under which Dsacls is running.
  • /simple
    Specifies to bind to the directory server using an LDAP simple bind.
  • /domain:domain
    Specifies to bind to the directory server using an account from the domain represented by domain.
  • /user:username
    Specifies to bind to the directory server using the account represented by username.
  • /passwd:password
    Specifies to bind to the directory server using the password represented by password. If no password is specified, the user is prompted for a password.
  • /?
    Displays help for dsacls.

Syntax for PermissionStatement

PermissionStatement values use the following format:

{User | Group}:Permissions[;{ObjectType | Property}][;InheritedObjectType]

Parameters

  • {User | Group}
    Specifies the user or group to whom the rights apply. User can be specified as a distinguished name, User@Domain, or Domain\User. Group can be specified as a distinguished name, Group@Domain, or Domain\Group.
  • Permissions
    Type one or more of the values in the following tables (without spaces).

Generic Permissions

  Value  Description
  GR     Generic Read
  GE     Generic Execute
  GW     Generic Write
  GA     Generic All

Specific Permissions

  Value  Description
  SD     Delete.
  DT     Delete an object and all of its children.
  RC     Read security information.
  WD     Change security information.
  WO     Change owner information.
  LC     List the children of an object.
  CC     Create a child object. If {ObjectType | Property} is not specified to define a specific child-object type, this applies to all types of child objects; otherwise, it applies to the specified child-object type.
  DC     Delete a child object. If {ObjectType | Property} is not specified to define a specific child-object type, this applies to all types of child objects; otherwise, it applies to the specified child-object type.
  WS     Write to self object. This is meaningful only on Group objects and when {ObjectType | Property} is "member".
  RP     Read property. If {ObjectType | Property} is not specified to define a specific property, this applies to all properties of the object; otherwise, it applies to the specified property of the object.
  WP     Write property. If {ObjectType | Property} is not specified to define a specific property, this applies to all properties of the object; otherwise, it applies to the specified property of the object.
  CA     Control access right. If {ObjectType | Property} is not specified to define the specific extended right for control access, this applies to all meaningful control accesses on the object; otherwise, it applies to the specific extended right for that object.
  LO     List the object access. Can be used to grant list access to a specific object if List Children (LC) is not granted to the parent as well. Can also be denied on specific objects to hide those objects if the user/group has LC permission on the parent.

Note

  • Active Directory does not enforce this permission by default. Active Directory must be configured to check for this permission.

  • {ObjectType | Property}
    Limits the permission to the specified object type or property. Type the display name of the object type or the property. If an object type or property is not specified, the permission applies to all object types and properties. For example, /G Domain\User:CC permits the user to create all types of child objects, whereas /G Domain\User:CC;computer permits the user to create only child computer objects.
  • InheritedObjectType
    Limits inheritance of the permission to the specified type of object. Type the display name of the object type. If an object type is not specified, the permission can be inherited by all object types. This parameter is used only when permissions are inheritable. For example, /G Domain\User:CC permits all types of objects to inherit the permission, whereas /G Domain\User:CC;;user permits only user objects to inherit it.

Examples

SDRCWDWO;;user

Delete, read security information, change security information, and change ownership permissions on objects of the type "user".

CCDC;group;

Create child and delete child permissions to create or delete objects of the type "group."

RPWP;telephonenumber;

Read property and write property permissions on the telephone number property.
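As an added illustration (not part of the original reference), the following Python parses the PermissionStatement format described above, including the bare forms used in the Examples section, expands the two-letter codes into the descriptions from the tables, and flags rights that change an object's security descriptor or grant broad access, so an administrator can review a planned dsacls change before running it. The HIGH_IMPACT set is my own review heuristic, not something the page defines.

```python
"""Parse and sanity-check dsacls PermissionStatement strings before running them."""

# Two-letter rights from the dsacls reference, keyed to the page's descriptions.
PERMISSIONS = {
    "GR": "Generic Read", "GE": "Generic Execute", "GW": "Generic Write",
    "GA": "Generic All", "SD": "Delete", "DT": "Delete an object and all of its children",
    "RC": "Read security information", "WD": "Change security information",
    "WO": "Change owner information", "LC": "List the children of an object",
    "CC": "Create a child object", "DC": "Delete a child object",
    "WS": "Write to self object", "RP": "Read property", "WP": "Write property",
    "CA": "Control access right", "LO": "List the object access",
}
# Rights that are broad or change the object's own security descriptor (reviewer's choice).
HIGH_IMPACT = {"GA", "GW", "WD", "WO", "DT", "CA"}


def parse_permission_statement(stmt):
    """Split '{User | Group}:Permissions[;ObjectType][;InheritedObjectType]' into a dict.
    Trustee is optional so the bare Examples forms ('SDRCWDWO;;user') parse; raises ValueError."""
    trustee, sep, rest = stmt.partition(":")
    if not sep:                      # no trustee: the whole string is the rights part
        trustee, rest = None, stmt
    elif not trustee:
        raise ValueError("empty trustee in: " + stmt)
    fields = rest.split(";")
    if len(fields) > 3:
        raise ValueError("more than two ';' separators in: " + stmt)
    codes = fields[0].upper()        # the page lists codes in uppercase; accept either case
    if not codes or len(codes) % 2:
        raise ValueError("rights must be two-letter codes with no spaces: " + fields[0])
    perms = [codes[i:i + 2] for i in range(0, len(codes), 2)]
    unknown = sorted(set(perms) - set(PERMISSIONS))
    if unknown:
        raise ValueError("unknown right(s) " + ",".join(unknown) + " in: " + stmt)
    fields += [""] * (3 - len(fields))   # pad so omitted optional parts read as empty
    return {"trustee": trustee, "permissions": perms,
            "object_type": fields[1] or None, "inherited_object_type": fields[2] or None}


def review(stmt):
    """Return (plain-English reading, sorted list of high-impact rights) for one statement."""
    p = parse_permission_statement(stmt)
    text = ", ".join(PERMISSIONS[c] for c in p["permissions"])
    if p["object_type"]:
        text += " on '" + p["object_type"] + "'"
    if p["inherited_object_type"]:
        text += " (inheritable by '" + p["inherited_object_type"] + "' objects)"
    return (p["trustee"] or "<trustee>") + ": " + text, sorted(set(p["permissions"]) & HIGH_IMPACT)
```

Run review() over each statement in a planned /G or /D command; a non-empty second element means the grant touches ownership, security information, or generic-all rights and deserves a second look.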

Formatting legend

  Format                  Meaning
  Italic                  Information that the user must supply
  Bold                    Elements that the user must type exactly as shown
  Ellipsis (...)          Parameter that can be repeated several times in a command line
  Between brackets ([])   Optional items
  Between braces ({}), choices separated by pipe (|), for example {even|odd}
                          Set of choices from which the user must choose only one
  Courier font            Code or program output