AclDiag displays only the permissions of objects the user has the right to view. Because Group Policy objects are virtual objects that have no distinguished name, this tool cannot be used on them.

For general-purpose ACL reporting and setting from the command prompt, you can also use DsAcls, another Windows Support Tool.

