Dsacls
Applies To: Windows Server 2003 R2
Displays and changes the permissions (access control entries, or ACEs) in the access control list (ACL) of objects in Active Directory Application Mode (ADAM).
The ACEs that you add by using dsacls are object-specific permissions that override the default partition permissions defined in the ADAM schema. Do not add ACEs unless you are well informed about security for ADAM objects.
If you specify an object without additional parameters, dsacls displays the ACEs in the ACL.
Syntax
dsacls "[\\Computer\]ObjectDN" [/A] [/D PermissionStatement [PermissionStatement]...] [/G PermissionStatement [PermissionStatement]...] [/I:{T | S | P}] [/N] [/P:{Y | N}] [/R {User | Group} [{User | Group}]...] [/S [/T]] [/resetDefaultDACL] [/resetDefaultSACL] [/takeOwnership] [/simple] [/domain:Domain] [/user:UserName] [/passwd:{Password | *}] [/?]
Parameters
- "[\\Computer\]ObjectDN"
Identifies the Active Directory object to investigate. Type the distinguished name of the object. To specify an object on a remote computer, type the computer name followed by the distinguished name. This parameter must be enclosed in quotation marks. Example: "CN=Kim Akers,CN=Users,DC=domain,DC=test,DC=microsoft,DC=com" or "\\Server01\CN=Kim Akers,CN=Users,DC=domain,DC=test,DC=microsoft,DC=com"
- /A
Adds ownership and auditing information to the display.
- /D PermissionStatement [PermissionStatement]...
Denies the specified permissions to the user or group. You can deny permissions to multiple users or groups in each /D command. Example: /D Domain1\User1:CCDC Domain1\User2:DC;computer
- /G PermissionStatement [PermissionStatement]...
Grants the specified permissions to the user or group. You can grant permissions to multiple users or groups in each /G command. Example: /G Domain1\User1:CCDC Domain1\User2:DC;computer
- /I:{T | S | P}
Specifies the objects to which the permissions are applied. This parameter determines whether the permissions are inheritable. T is the default.
Value | Description |
---|---|
T | This object and subobjects |
S | Subobjects only |
P | Propagate inheritable permissions one level only |
- /N
Replaces the existing ACEs in the ACL with the specified ACEs. By default, the specified ACE is added to the ACL and the existing ACEs are kept.
- /P:{Y | N}
Determines whether the object is protected so that it cannot inherit permissions from its parent objects. If you omit this parameter, the inheritance properties of the object are not changed.
Value | Description |
---|---|
Y | The object is protected, and it cannot inherit permissions. |
N | The object is not protected, and it can inherit permissions. |
Note
- This parameter changes a property of the object, not of an ACE. To determine whether an ACE is inheritable, use the /I parameter.
- /R {User | Group} [{User | Group}]...
Deletes all ACEs for the specified users or groups. User can be specified as User@Domain or as Domain\User. Group can be specified as Group@Domain or as Domain\Group. You can delete ACEs for multiple users and groups in a single /R parameter. Example: /R Domain1\User1 Domain1\User2
- /S
Restores the security on the object to the default for that object class, as defined in the Active Directory schema.
- /T
Restores the security on the tree of objects to the default for each object class. This parameter is valid only with the /S parameter.
- /resetDefaultDACL
Restores the discretionary access control list (DACL) on the object to the default setting for the object, based on the schema definition for the object class.
- /resetDefaultSACL
Restores the system access control list (SACL) on the object to the default setting, based on the schema definition for the object class.
- /takeOwnership
Assigns ownership of the object to the account under which dsacls is running.
- /simple
Specifies to bind to the directory server using an LDAP simple bind.
- /domain:Domain
Specifies that dsacls binds to the directory server by using an account from the domain represented by Domain.
- /user:UserName
Specifies that dsacls binds to the directory server by using the account represented by UserName.
- /passwd:{Password | *}
Specifies the password that dsacls uses to bind to the directory server. If you type * instead of a password, you are prompted for the password.
- /?
Displays help for dsacls.
Syntax for PermissionStatement
PermissionStatement values use the following format:
{User | Group}:Permissions[;{ObjectType | Property}][;InheritedObjectType]
Parameters
- {User | Group}
Specifies the user or group to whom the rights apply. User can be specified as a distinguished name, User@Domain, or Domain\User. Group can be specified as a distinguished name, Group@Domain, or Domain\Group.
- Permissions
Type one or more of the values in the following tables (without spaces).
Generic Permissions
Value | Description |
---|---|
GR | Generic Read |
GE | Generic Execute |
GW | Generic Write |
GA | Generic All |
Specific Permissions
Value | Description |
---|---|
SD | Delete. |
DT | Delete an object and all of its children. |
RC | Read security information. |
WD | Change security information. |
WO | Change owner information. |
LC | List the children of an object. |
CC | Create a child object. If {ObjectType | Property} is not specified to define a specific child-object type, this applies to all types of child objects; otherwise, it applies to the specified child-object type. |
DC | Delete a child object. If {ObjectType | Property} is not specified to define a specific child-object type, this applies to all types of child objects; otherwise, it applies to the specified child-object type. |
WS | Write to self object. This is meaningful only on group objects and when {ObjectType | Property} is "member". |
RP | Read property. If {ObjectType | Property} is not specified to define a specific property, this applies to all properties of the object; otherwise, it applies to the specified property of the object. |
WP | Write property. If {ObjectType | Property} is not specified to define a specific property, this applies to all properties of the object; otherwise, it applies to the specified property of the object. |
CA | Control access right. If {ObjectType | Property} is not specified to define the specific extended right for control access, this applies to all meaningful control-access rights on the object; otherwise, it applies to the specified extended right for that object. |
LO | List object access. Can be used to grant list access to a specific object if List Children (LC) is not granted on the parent. Can also be denied on specific objects to hide those objects from a user or group that has LC permission on the parent. |
- {ObjectType | Property}
Limits the permission to the specified object type or property. Type the display name of the object type or the property. If an object type or property is not specified, the permission applies to all object types and properties. For example, the following command permits the user to create all types of child objects: /G Domain\User:CC However, the following command permits the user to create only child computer objects: /G Domain\User:CC;computer
- InheritedObjectType
Limits inheritance of the permission to the specified type of object. Type the display name of the object type. If an object type is not specified, the permission can be inherited by all object types. This parameter is used only when permissions are inheritable. For example, the following command permits all types of objects to inherit the permission: /G Domain\User:CC However, the following command permits only user objects to inherit the permission: /G Domain\User:CC;;user
Examples
The following examples show the part of a PermissionStatement that follows the trustee ({User | Group}:).
- SDRCWDWO;;user
Delete, read security information, change security information, and change ownership permissions on objects of the type "user".
- CCDC;group;
Create child and delete child permissions, limited to creating or deleting objects of the type "group".
- RPWP;telephonenumber;
Read property and write property permissions on the telephone number property only.
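As an added example (not code from this reference or from Microsoft), the following Python parses a PermissionStatement into its trustee, permission codes, object type and inherited object type, re-emits it in the form dsacls accepts, flags grants that are broader than they look, and assembles a complete dsacls command line from the parameters documented above. The ADS_RIGHTS_ENUM access-mask bits are an assumption taken from the Windows SDK rather than from this page; the CONTOSO\HelpDesk trustee, the OU and the Server01 name used in the usage note are constructed.

```python
"""Parse, check and re-emit dsacls PermissionStatement values.

Added example, not code from the dsacls reference or from Microsoft. The grammar
and two-letter codes come from the page; the numeric bits in PERMISSION_BITS are
the ADS_RIGHTS_ENUM values from the Windows SDK (an assumption outside the page).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Codes from the Generic/Specific Permissions tables -> access-mask bits
# (ADS_RIGHTS_ENUM, Windows SDK; the page itself gives no numeric values).
PERMISSION_BITS = {
    "GR": 0x80000000, "GE": 0x20000000, "GW": 0x40000000, "GA": 0x10000000,
    "SD": 0x00010000, "DT": 0x00000040, "RC": 0x00020000, "WD": 0x00040000,
    "WO": 0x00080000, "LC": 0x00000004, "CC": 0x00000001, "DC": 0x00000002,
    "WS": 0x00000008, "RP": 0x00000010, "WP": 0x00000020, "CA": 0x00000100,
    "LO": 0x00000080,
}
# Rights that hand the trustee control of the object or of its ACL.
CONTROL_RIGHTS = frozenset({"GA", "GW", "WD", "WO", "DT"})


@dataclass(frozen=True)
class PermissionStatement:
    trustee: str                                # DN, User@Domain or Domain\User
    permissions: Tuple[str, ...]                # e.g. ("RP", "WP")
    object_type: Optional[str] = None           # ObjectType | Property, if given
    inherited_object_type: Optional[str] = None

    @property
    def access_mask(self) -> int:
        mask = 0
        for code in self.permissions:
            mask |= PERMISSION_BITS[code]
        return mask

    def __str__(self) -> str:
        # Re-emit in the shape dsacls takes: Trustee:Codes[;Type][;Inherited]
        text = f"{self.trustee}:{''.join(self.permissions)}"
        if self.object_type or self.inherited_object_type:
            text += ";" + (self.object_type or "")
        if self.inherited_object_type:
            text += ";" + self.inherited_object_type
        return text


def parse_permission_statement(text: str) -> PermissionStatement:
    """Parse {User|Group}:Permissions[;{ObjectType|Property}][;InheritedObjectType]."""
    trustee, sep, rest = text.partition(":")    # no trustee form contains ':'
    if not sep or not trustee:
        raise ValueError(f"missing trustee or ':' in {text!r}")
    fields = rest.split(";")
    if len(fields) > 3:
        raise ValueError(f"too many ';'-separated fields in {text!r}")
    codes_text = fields[0]
    if not codes_text or len(codes_text) % 2:
        raise ValueError(f"permissions must be two-letter codes: {codes_text!r}")
    codes = tuple(codes_text[i:i + 2].upper() for i in range(0, len(codes_text), 2))
    unknown = [c for c in codes if c not in PERMISSION_BITS]
    if unknown:
        raise ValueError(f"unknown permission code(s) {unknown} in {text!r}")
    object_type = (fields[1] or None) if len(fields) > 1 else None
    inherited = (fields[2] or None) if len(fields) > 2 else None
    if "WS" in codes and (object_type or "").lower() != "member":
        raise ValueError("WS is only meaningful on group objects with ';member'")
    return PermissionStatement(trustee, codes, object_type, inherited)


def review(stmt: PermissionStatement) -> List[str]:
    """Flag grants that a least-privilege reviewer would question."""
    warnings, perms = [], set(stmt.permissions)
    control = "".join(c for c in stmt.permissions if c in CONTROL_RIGHTS)
    if control:
        warnings.append(f"{control} gives {stmt.trustee} control of the object or its ACL")
    if perms & {"CC", "DC"} and not stmt.object_type:
        warnings.append("CC/DC without an object type applies to every child-object class")
    if perms & {"RP", "WP"} and not stmt.object_type:
        warnings.append("RP/WP without a property applies to every property")
    if "CA" in perms and not stmt.object_type:
        warnings.append("CA without an extended right grants every control-access right")
    return warnings


def build_dsacls_command(object_dn: str, grants=(), denies=(), computer: Optional[str] = None,
                         inherit: Optional[str] = None, protect: Optional[bool] = None,
                         replace: bool = False) -> str:
    """Assemble one dsacls invocation from the parameters documented above."""
    if inherit not in (None, "T", "S", "P"):
        raise ValueError("inherit must be T, S or P")
    target = f"\\\\{computer}\\{object_dn}" if computer else object_dn
    argv = ["dsacls", f'"{target}"']            # the object DN is always quoted
    if inherit:
        argv.append(f"/I:{inherit}")            # T, S or P (see /I above)
    if protect is not None:
        argv.append("/P:Y" if protect else "/P:N")
    if replace:
        argv.append("/N")                       # replace the ACL instead of adding
    for flag, statements in (("/G", grants), ("/D", denies)):
        if statements:
            argv.append(flag)
            argv.extend(f'"{s}"' if " " in str(s) else str(s) for s in statements)
    return " ".join(argv)
```

For a typical delegation, `parse_permission_statement(r"CONTOSO\HelpDesk:RPWP;telephoneNumber;user")` passed to `build_dsacls_command("OU=Staff,DC=contoso,DC=com", grants=[...], inherit="S")` yields `dsacls "OU=Staff,DC=contoso,DC=com" /I:S /G CONTOSO\HelpDesk:RPWP;telephoneNumber;user`: the group can read and write one property, only on user objects, only below the OU, and `review()` returns no warnings. The same function called with `CONTOSO\HelpDesk:GA` or a bare `CC` returns the warning a reviewer should raise before the grant is made, since GA, GW, WD, WO and DT let the trustee rewrite the ACL or the object itself, and CC/DC, RP/WP or CA without an object type or property apply to every class, property or extended right. After running the command, run `dsacls "ObjectDN"` with no other parameters on a test instance and compare the displayed ACEs with the statements you intended.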
Formatting legend
Format | Meaning |
---|---|
Italic | Information that the user must supply |
Bold | Elements that the user must type exactly as shown |
Ellipsis (...) | Parameter that can be repeated several times in a command line |
Between brackets ([]) | Optional items |
Between braces ({}); choices separated by pipe (|). Example: {even|odd} | Set of choices from which the user must choose only one |
Courier font | Code or program output |