Export (0) Print
Expand All

Dsacls

Updated: August 22, 2005

Applies To: Windows Server 2003 R2

Dsacls

Displays and changes permissions (access control entries (ACEs)) in the access control list (ACL) of objects in Active Directory Application Mode (ADAM).

The ACEs that you add by using dsacls must be object-specific permissions that override the default partition permissions that are defined in the ADAM schema. Do not add ACEs unless you are well informed about security for ADAM objects.

If you specify an object without additional parameters, dsacls displays the ACEs in the ACL.

Syntax

dsacls "[\\Computer\]ObjectDN" [/A] [/D PermissionStatement [PermissionStatement]...] [/G PermissionStatement [PermissionStatement]...] [/I:{T | S | P}] [/N] [/P:{Y | N}] [/R {User | Group} [{User | Group}]...] [/S [/T]] [/resetDefaultACL] [/resetDefaultSACL] [/takeOwnership] [/simple] [/domain: domain] [/user: username] [/passwd: {password | * }] [/?]

Parameters

"[\\Computer\]ObjectDN"
Identifies the Active Directory object to investigate. Type the distinguished name of the object. To specify an object on a remote computer, type the computer name followed by the distinguished name. This parameter must be enclosed in quotation marks.

Example:

"CN=Kim Akers,CN=Users,DC=domain,DC=test,DC=microsoft,DC=com" 

or

"\\Server01\CN=Kim Akers,CN=Users,DC=domain,DC=test,DC=microsoft,DC=com"

/A
Adds ownership and auditing information to the display.

/D PermissionStatement [PermissionStatement]...
Denies the specified permissions to the user or group.

You can deny permissions to multiple users in each /D command.

Example:

/D Domain1\User1:CCDC Domain1\User2:DC;computer

/G PermissionStatement [PermissionStatement]...
Grants specified permissions to the user or group.

You can grant permissions to multiple users in each /G command

Example:

/G Domain1\User1:CCDC Domain1\User2:DC;computer

/I:{T | S | P}
Specifies the objects to which the permissions are applied. This parameter determines whether the permissions are inheritable. T is the default.

 

Value Description

T

This object and subobjects

S

Subobjects only

P

Propagate inheritable permissions one level only

/N
Provides that the specified ACE replaces the ACEs in the ACL. By default, the ACE is added to the ACL.

/P:{Y | N}
Determines whether the object is protected so that it cannot inherit permissions from its parent objects. If you omit this parameter, the inheritance properties of the object are not changed.

 

Value Description

Y

The object is protected, and it cannot inherit permissions.

N

The object is not protected, and it can inherit permissions.

Note

  • This parameter changes a property of the object, not of an ACE. To determine whether an ACE is inheritable, use the /I parameter.

/R {User | Group} [{User | Group}]...
Deletes all ACEs for the specified users or groups. User can be specified as User@Domain or as Domain\User. Group can be specified as Group@Domain or as Domain\Group.

You can delete ACEs for multiple users and groups in a single /R parameter

Example:

/R Domain1\User1 Domain1\User2

/S
Restores the security on the object to the default for that object class, as defined in the Active Directory schema.

/T
Restores the security on the tree of objects to the default for each object class. This parameter is valid only with the /S parameter.

/resetDefaultDACL
Restores the DACL on the object to the default setting for the object, based on the schema definition for the object class.

/resetDefaultSACL
Restores the SACL on the object to the default setting, based on the schema definition for the object class.

/takeOwnership
Assigns object owernship to the account under which Dsacls is running.

/simple
Specifies to bind to the directory server using an LDAP simple bind.

/domain: domain
Specifies to bind to the directory server using an account from the domain represented by domain.

/user: username
Specifies to bind to the directory server using the account represented by username.

/passwd: password
Specifies to bind to the directory server using the password represented by password. If no password is specified, the user is prompted for a password.

/?
Displays help for dsacls.

Syntax for PermissionStatement

PermissionStatement values use the following format:

{User | Group}:Permissions[;{ObjectType | Property}][;InheritedObjectType]

Parameters

{User | Group}
Specifies the user or group to whom the rights apply. User can be specified as a distinguished name, User@Domain, or Domain\User. Group can be specified as a distinguished name, Group@Domain, or Domain\Group.

Permissions
Type one or more of the values in the following tables (without spaces).

Generic Permissions

 

Value Description

GR

Generic Read

GE

Generic Execute

GW

Generic Write

GA

Generic All

Specific Permissions

 

Value Description

SD

Delete.

DT

Delete an object and all of its children.

RC

Read security information.

WD

Change security information.

WO

Change owner information.

LC

List the children of an object.

CC

Create a child object.

If {ObjectType | Property} is not specified to define a specific child-object type, this applies to all types of child objects; otherwise, it applies to the specified child-object type.

DC

Delete a child object.

If {ObjectType | Property} is not specified to define a specific child-object type, this applies to all types of child objects; otherwise, it applies to the specified child-object type.

WS

Write to self object.

This is meaningful only on Group objects and when {ObjectType | Property} is a "member."

RP

Read property.

If {ObjectType | Property} is not specified to define a specific property, this applies to all properties of the object; otherwise, it applies to the specified property of the object.

WP

Write property.

If {ObjectType | Property} is not specified to define a specific property, this applies to all properties of the object; otherwise, it applies to the specified property of the object.

CA

Control access right.

If {ObjectType | Property} is not specified to define the specific extended right for control access, this applies to all meaningful control accesses on the object; otherwise, it applies to the specific extended right for that object.

LO

List the object access.

Can be used to grant list access to a specific object if List Children (LC) is not granted to the parent as well. Can also be denied on specific objects to hide those objects if the user/group has LC permission on the parent.

Note

  • Active Directory does not enforce this permission by default. Active Directory must be configured to check for this permission.

{ObjectType | Property}
Limits the permission to the specified object type or property. Type the display name of the object type or the property. If an object type or property is not specified, the permission applies to all object types and properties.

For example, the following command permits the user to create all types of child objects:

/G Domain\User:CC

However, the following command permits the user to create only child computer objects:

/G Domain\User:CC;computer

InheritedObjectType
Limits inheritance of the permission to the specified type of object. Type the display name of the object type. If an object type is not specified, the permission can be inherited by all object types. This parameter is used only when permissions are inheritable.

For example, the following command permits all types of objects to inherit the permission:

/G Domain\User:CC

However, the following command permits only user objects to inherit the permission:

/G Domain\User:CC;;user

Examples

SDRCWDWO;;user

Delete, read security information. Change security information and change ownership permissions on objects of the type "user."

CCDC;group;

Create child and delete child permissions to create or delete objects of the type "group."

RPWP;telephonenumber;

Read property and write property permissions on the telephone number property.

Formatting legend

 

Format Meaning

Italic

Information that the user must supply

Bold

Elements that the user must type exactly as shown

Ellipsis (...)

Parameter that can be repeated several times in a command line

Between brackets ([])

Optional items

Between braces ({}); choices separated by pipe (|). Example: {even|odd}

Set of choices from which the user must choose only one

Courier font

Code or program output

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft