The AclDiag command-line tool is included when you install Windows Server 2003 Support Tools from the product CD or from the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=100114). For more information about how to install Windows Support Tools from the product CD, see Install Windows Support Tools (http://go.microsoft.com/fwlink/?LinkId=62270).
Acldiag.exe: ACL Diagnostics
This command-line tool detects and reports discrepancies in the access control lists (ACLs) of objects in Active Directory. It can also reapply a security delegation template to an ACL, eliminating special permissions and restoring incomplete delegations.
With AclDiag, you can:
- Display the access control entries (ACEs) in the ACL, and inheritance and audit settings.
- Display the effective permissions of users and groups to an Active Directory object.
- Compare the ACL for an object in Active Directory to the default permissions defined in the schema.
- Compare the ACL of an Active Directory object to a delegation template.
- Reapply the delegation template to the ACL of an Active Directory object.
There is no corresponding user interface for this tool.
For more information about Active Directory, see the Active Directory Overview.
The following are the system requirements for Acldiag:
- Windows 2000, Windows XP Professional, or Windows Server 2003.
- The user must have read permissions on Active Directory objects. To reapply a delegation template, the user must have modify permissions to the Active Directory object.