Acldiag Syntax

Updated: March 28, 2003

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2


acldiag ObjectDN [/schema] [/chkdeleg] [/geteffective:{User | Group | *}] [/fixdeleg] [/skip] [/tdo]



  • If you specify an object without additional parameters, AclDiag lists the access control entries (ACEs) in the ACL, and inheritance and audit settings.

ObjectDN
Identifies the Active Directory object to investigate. Enter the LDAP URL for an object in Active Directory. The LDAP URL format consists of the name of the LDAP server followed by the distinguished name of the object. The string must be enclosed in quotation marks. For example:

"LDAP:// Admin,CN=Users,DC=domain,DC=test,DC=microsoft,DC=com"

/geteffective:{User | Group | *}
Adds an effective rights diagnosis to the display. The effective rights diagnosis displays the effective permissions to the object held by specified users or groups. Effective permissions are the permissions that are enforced after precedence is applied and conflicts in rights are resolved.


Value           Description
User | Group    Displays the effective permissions held by the specified user or group.
*               Displays the effective permissions of all users and groups in the access control list (ACL) for the object.

/schema
Adds a schema diagnosis to the display. The schema diagnosis reports whether the object ACL includes the ACEs that are in the schema defaults.

/chkdeleg
Adds a delegation diagnosis to the display. The delegation diagnosis reports whether the object ACL includes the ACEs that are in the delegation template. A status of misconfigured indicates that at least one, but not all, ACEs in a delegation template (and in the schema default) are included in the ACL.

/fixdeleg
Directs AclDiag to reapply the delegation template to the object ACL, eliminating special permissions and restoring incomplete delegations. When the specified object inherits delegated permissions, this parameter reapplies the delegation template to the object for which the delegated permissions are explicitly defined. The /fixdeleg parameter is interactive; it gives the user an opportunity to fix each misconfigured delegation.


  • This parameter is effective only when used with the /chkdeleg parameter. Without /chkdeleg, /fixdeleg is ignored, but AclDiag does not report an error.

/skip
Omits the security description from the display. The security description is a list of the ACEs in the object ACL.

/tdo
Displays output in tab-delimited format. Fixed-width format is the default. Tab-delimited format is useful when the output is destined for a database or spreadsheet.
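A lint pass over script lines that call acldiag, checking the constraints stated above: a quoted ObjectDN, a value for /geteffective, and /fixdeleg only alongside /chkdeleg, since AclDiag otherwise ignores it without reporting an error. This is an added example, not Microsoft's code; the function name, the tokenizer, case-insensitive switch matching and the sample lines are assumptions.

```python
import re

# Switches taken from the syntax line on this page.
KNOWN = {"/schema", "/chkdeleg", "/geteffective", "/fixdeleg", "/skip", "/tdo"}
# A token is a run of non-space characters and/or double-quoted strings.
TOKEN = re.compile(r'(?:"[^"]*"|\S)+')


def lint_acldiag(cmdline):
    """Return a list of findings for one acldiag command line."""
    tokens = TOKEN.findall(cmdline)
    if not tokens or tokens[0].lower() not in ("acldiag", "acldiag.exe"):
        return []  # not an acldiag invocation
    findings, switches, positional = [], {}, []
    for tok in tokens[1:]:
        if tok.startswith("/"):
            name, _, value = tok.partition(":")
            switches[name.lower()] = value  # assumption: case-insensitive
        else:
            positional.append(tok)
    if not positional:
        findings.append("missing ObjectDN")
    else:
        dn = positional[0]
        if not (len(dn) >= 2 and dn[0] == '"' and dn[-1] == '"'):
            findings.append("ObjectDN is not enclosed in quotation marks")
        if len(positional) > 1:
            findings.append("unexpected extra argument: " + positional[1])
    for name in sorted(set(switches) - KNOWN):
        findings.append("unknown switch: " + name)
    if "/geteffective" in switches and not switches["/geteffective"]:
        findings.append("/geteffective needs a User, Group or * value")
    if "/fixdeleg" in switches and "/chkdeleg" not in switches:
        findings.append("/fixdeleg without /chkdeleg is silently ignored")
    return findings


# Constructed sample script lines (server, names and domain are made up).
SAMPLE = [
    'acldiag "LDAP://dc1/OU=Sales,DC=example,DC=com" /chkdeleg /fixdeleg',
    'acldiag "LDAP://dc1/OU=Sales,DC=example,DC=com" /fixdeleg /tdo',
    'acldiag LDAP://dc1/CN=Jane Admin,CN=Users,DC=example,DC=com /geteffective:*',
    'acldiag "LDAP://dc1/OU=Sales,DC=example,DC=com" /geteffective /skip',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(line, "->", lint_acldiag(line) or "ok")
```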
