Dsacls Syntax

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

DsAcls Syntax

DsAcls uses the following general syntax:

dsacls "[\\Computer\]ObjectDN" [/A] [/D PermissionStatement [PermissionStatement]...] [/G PermissionStatement [PermissionStatement]...] [/I:{T | S | P}] [/N] [/P:{Y | N}] [/R {User | Group} [{User | Group}]...] [/S [/T]] [/?]

Parameters

Note

  • If you specify an object without additional parameters, DsAcls displays the access control entries (ACEs) in the ACL.

  • "[\\Computer\]ObjectDN"
    Identifies the Active Directory object to investigate. Type the distinguished name of the object. To specify an object on a remote computer, type the computer name followed by the distinguished name. This parameter must be enclosed in quotation marks. For example: "CN=Jeff Akers,CN=Users,DC=domain,DC=test,DC=microsoft,DC=com" or "\\Server01\CN=Jeff Akers,CN=Users,DC=domain,DC=test,DC=microsoft,DC=com"
  • /A
    Adds ownership and auditing information to the display.
  • /D PermissionStatement[PermissionStatement]
    Denies the specified permissions to the user or group. You can deny permissions to multiple users in each /D command, for example: /D Domain1\User1:CCDC Domain1\User2:DC;computer
  • /G PermissionStatement[PermissionStatement]
    Grants specified permissions to the user or group. You can grant permissions to multiple users in each /G command, for example: /G Domain1\User1:CCDC Domain1\User2:DC;computer
  • /I:{T | S | P}
    Specifies the objects to which the permissions are applied. This parameter determines whether the permissions are inheritable. T is the default.

    Value  Description
    T      This object and subobjects.
    S      Subobjects only.
    P      Propagate inheritable permissions one level only.

  • /N
    Provides that the specified ACE replaces the ACEs in the ACL. By default, the ACE is added to the ACL.
  • /P:{Y | N}
    Determines whether the object can inherit permissions from its parent objects. If you omit this parameter, the inheritance properties of the object are not changed.

    Value  Description
    Y      The object is protected and cannot inherit permissions.
    N      The object is not protected and can inherit permissions.

    Note

    • This parameter changes a property of the object, not of an ACE. To determine whether an ACE is inheritable, use the /I parameter.
  • /R {User | Group} [{User | Group}]...
    Deletes all ACEs for the specified users or groups. User can be specified as User@Domain or as Domain\User. Group can be specified as Group@Domain or as Domain\Group. You can delete ACEs for multiple users and groups in a single /R parameter, for example: /R Domain1\User1 Domain1\User2
  • /S
    Restores the security on the object to the default for that object class as defined in Active Directory schema.
  • /T
    Restores the security on the tree of objects to the default for each object class. This parameter is valid only with the /S parameter.
  • /?
    Displays help for DsAcls.

Syntax for PermissionStatement

PermissionStatement values use the following format:

{User | Group}:Permissions[;{ObjectType | Property}][;InheritedObjectType]

Parameters

  • {User | Group}
    Specifies the user or group to whom the rights apply. User can be specified as User@Domain or Domain\User. Group can be specified as Group@Domain or Domain\Group.
  • Permissions
    Type one or more of the following values (without spaces).

    Generic Permissions

    Value  Description
    GR     Generic Read
    GE     Generic Execute
    GW     Generic Write
    GA     Generic All

    Specific Permissions

    Value  Description
    SD     Delete.
    DT     Delete an object and all of its children.
    RC     Read security information.
    WD     Change security information.
    WO     Change owner information.
    LC     List the children of an object.
    CC     Create child object. If {ObjectType | Property} is not specified to define a specific child-object type, this applies to all types of child objects; otherwise, it applies to the specified child-object type.
    DC     Delete a child object. If {ObjectType | Property} is not specified to define a specific child-object type, this applies to all types of child objects; otherwise, it applies to the specified child-object type.
    WS     Write to self object. This is meaningful only on Group objects and when {ObjectType | Property} is "member".
    RP     Read property. If {ObjectType | Property} is not specified to define a specific property, this applies to all properties of the object; otherwise, it applies to the specified property of the object.
    WP     Write property. If {ObjectType | Property} is not specified to define a specific property, this applies to all properties of the object; otherwise, it applies to the specified property of the object.
    CA     Control access right. If {ObjectType | Property} is not specified to define the specific extended right for control access, this applies to all meaningful control access rights on the object; otherwise, it applies to the specified extended right for that object.
    LO     List the object access. Can be used to grant list access to a specific object if List Children (LC) is not granted on the parent as well. Can also be denied on specific objects to hide those objects from a user or group that has LC permission on the parent.

    Note

    • Active Directory does not enforce the LO permission by default. Active Directory must be configured to check for this permission.

  • {ObjectType | Property}
    Limits the permission to the specified object type or property. Enter the display name of the object type or of the property. If an object type or property is not specified, the permission applies to all object types and properties. For example, the following command permits the user to create all types of child objects:

    /G Domain\User:CC

    However, the following command permits the user to create only child computer objects:

    /G Domain\User:CC;computer

  • InheritedObjectType
    Limits inheritance of the permission to the specified type of object. Enter the display name of the object type. If an object type is not specified, the permission can be inherited by all object types. This parameter is used only when permissions are inheritable. For example, the following command permits all types of objects to inherit the permission:

    /G Domain\User:CC

    However, the following command permits only user objects to inherit the permission:

    /G Domain\User:CC;;user

See Also

Concepts

Dsacls Overview
Dsacls Examples
Alphabetical List of Tools
Search Overview
Replmon Overview
Repadmin Overview
Movetree.exe
Ldp Overview
Dsastat Overview
Clonepr Overview
ADSI Edit (adsiedit.msc)
Acldiag Overview