DSACLS.exe (installable option via RSAT /AD DS)

View or Edit ACLs (access control entries) for objects in Active Directory.

Syntax
      DSACLS "[\\Computer\]ObjectDN" [/A] [/D PermissionStatement [PermissionStatement]...]
         [/G PermissionStatement [PermissionStatement]...] [/I:{T | S | P}]
            [/N] [/P:{Y | N}] 
               [/R {User | Group} [{User | Group}]...] [/S [/T]]

      PermissionStatements:
         {User | Group}:Permissions[;{ObjectType | Property}][;InheritedObjectType]
   
Key
   ObjectDN  Distinguished name of the object.
             If omitted will be taken from standard input (stdin)

   /A   Add ownership and auditing information to the results.

   /D   Deny permissions to a user or group

   /G   Grant permissions to a user or group.

   /I:  Inheritance
           T  The object and its child objects (default)
           S  The child objects only
           P  The object and child objects down one level only

   /N   Replace the current ACEs in the ACL.
        By default, dsacls adds the ACE to the ACL.

   /P:  Inherit permissions from parent objects (Y/N).

   /R   Revoke/Delete all ACEs for the users or groups.

   /S   Restore the default security.
        Default security for each object class is defined in the Active Directory schema.

   /S /T Restore the default security on the tree of objects.

Permissions
      GR: Generic Read
      GE: Generic Execute
      GW: Generic Write
      GA: Generic All

      SD: Delete an object
      DT: Delete an object and all of its child objects
      RC: Read security information
      WD: Change security information
      WO: Change owner information
      LC: List the child objects of the object
      CC: Create a child object•
      DC: Delete a child object•
      WS: Write to a self object (group membership). For a group object, use {ObjectType | Property} = "member".
      RP: Read a property•
      WP: Write to a property•
      CA: Control access (normally a specific extended right for control access)
             If you do not specify {ObjectType | Property} this permission will apply to all
             meaningful control accesses on the object.
      LO: List the object access. AD DS does not enforce this permission by default.
             Grant list access to a specific object when List Children (LC) is not granted to the parent.
             Deny list access to a specific object when the user or group has LC permission on the parent.

   ObjectType | Property
          Limit the permission to the specified object type or property.
          Enter the display name of the object type or the property.
          Default=all object types and properties.

          For example, Grant the user rights to create all types of child objects:
          /G Domain\User:CC

          Grant the user rights to create only child computer objects:
          /G Domain\User:CC;computer

   InheritedObjectType
          Limit inheritance of the permission to the specified object type.
          For example, Grant only User objects to inherit the permission:
          /G Domain\User:CC;;user

   Object Types
          User,Contact,Group,Shared Folder,Printer,Computer,Domain Controllers,OU

• If you do not specify {ObjectType | Property} to define a specific child object type, this permission will apply to all types of child objects; otherwise, it will apply only to the child object type that you specify.

You can Grant, Deny or Delete ACEs for multiple users and groups with a single parameter (/G, /D or /R) by listing the users/groups separated with spaces.

Examples

Grant Generic Read (GR) and Generic Execute (GE) on computer objects in the Laptops OU to Jdoe:

C:\> dsacls "OU=Laptops,OU=AcmeCo,DC=ss64,DC=Com" /G Domain\JDoe:GRGE;computer
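The following PowerShell script is an added example and is not part of the SS64 page, nor Microsoft's own tooling. It wraps dsacls.exe to show two things the reference above describes: how a PermissionStatement ({User | Group}:Permissions[;ObjectType][;InheritedObjectType]) is assembled from the permission codes listed under Permissions, and how the listing produced by `dsacls ObjectDN /A` can be checked for high-impact rights (Full Control, Write DAC, Write Owner) held by principals that are not on an allow-list. The function names, the ACME\* principals, the sample output and the phrases in $RiskyKeywords are all assumptions; the sample listing is constructed, not captured from a real domain, and the output phrases should be verified against a real /A run before relying on the audit.

```powershell
# Added example (not from SS64 or Microsoft): a PowerShell wrapper around dsacls.exe
# (RSAT / AD DS tools). Function names, ACME\* principals and the output phrases in
# $RiskyKeywords are assumptions; check the phrases against a real "dsacls <DN> /A" run.

# Permission codes from the reference, used to validate input before shelling out.
$ValidCodes = 'GR','GE','GW','GA','SD','DT','RC','WD','WO','LC','CC','DC','WS','RP','WP','CA','LO'

function New-DsaclsPermissionStatement {
    # Builds "{User|Group}:Permissions[;ObjectType][;InheritedObjectType]"
    param(
        [Parameter(Mandatory)][string]$Principal,   # e.g. 'ACME\JDoe'
        [Parameter(Mandatory)][string[]]$Codes,     # e.g. 'GR','GE'
        [string]$ObjectType,                        # e.g. 'computer'; empty = all types
        [string]$InheritedObjectType                # e.g. 'user'
    )
    $Codes = $Codes | ForEach-Object { $_.ToUpper() }
    foreach ($c in $Codes) {
        if ($ValidCodes -notcontains $c) { throw "Unknown dsacls permission code: $c" }
    }
    # Codes are concatenated with no separator, as in the GRGE example above.
    $stmt = '{0}:{1}' -f $Principal, ($Codes -join '')
    if ($ObjectType -or $InheritedObjectType) { $stmt += ";$ObjectType" }
    if ($InheritedObjectType) { $stmt += ";$InheritedObjectType" }
    return $stmt
}

function Grant-DsaclsPermission {
    # Runs dsacls /G; -WhatIf shows the exact command line without touching the ACL.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ObjectDN,
        [Parameter(Mandatory)][string[]]$Statements,
        [ValidateSet('T','S','P')][string]$Inheritance
    )
    $dsArgs = @($ObjectDN, '/G') + $Statements
    if ($Inheritance) { $dsArgs += "/I:$Inheritance" }
    if ($PSCmdlet.ShouldProcess($ObjectDN, "dsacls $($dsArgs -join ' ')")) {
        & dsacls.exe @dsArgs
        if ($LASTEXITCODE -ne 0) { throw "dsacls exited with code $LASTEXITCODE" }
    }
}

function Get-DsaclsRiskyAces {
    # Parses a /A listing: "Allow <principal>  <right>" starts an ACE, indented lines continue it.
    param(
        [Parameter(Mandatory)][string]$ObjectDN,
        [string[]]$TrustedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'),
        [string[]]$DsaclsOutput                      # omit to run dsacls for real
    )
    if (-not $DsaclsOutput) { $DsaclsOutput = & dsacls.exe $ObjectDN /A }
    $RiskyKeywords = 'FULL CONTROL', 'WRITE PERMISSIONS', 'CHANGE OWNERSHIP'   # assumed phrasing (GA / WD / WO)
    $aces = New-Object System.Collections.Generic.List[object]
    foreach ($line in $DsaclsOutput) {
        if ($line -match '^(Allow|Deny)\s+(.*?)(?:\s{2,}(.+))?$') {
            $right = "$($Matches[3])".Trim()
            $aces.Add([pscustomobject]@{ Type = $Matches[1]; Principal = $Matches[2].Trim(); Rights = @(if ($right) { $right }) })
        } elseif ($aces.Count -gt 0 -and $line -match '^\s+(\S.*)$') {
            $aces[$aces.Count - 1].Rights += $Matches[1].Trim()
        }
    }
    foreach ($ace in $aces) {
        if ($ace.Type -ne 'Allow' -or $TrustedPrincipals -contains $ace.Principal) { continue }
        $hits = @($ace.Rights | Where-Object { $r = $_; @($RiskyKeywords | Where-Object { $r -like "*$_*" }).Count -gt 0 })
        if ($hits.Count -gt 0) { [pscustomobject]@{ Principal = $ace.Principal; RiskyRights = ($hits -join ', ') } }
    }
}

# Constructed sample of a "dsacls <DN> /A" listing (not captured from a real domain).
$SampleOutput = @'
Owner: ACME\Domain Admins
Group: ACME\Domain Admins

Access list:
Effective Permissions
Allow NT AUTHORITY\SYSTEM                FULL CONTROL
Allow ACME\Domain Admins                 FULL CONTROL
Allow ACME\Helpdesk                      SPECIAL ACCESS
                                         WRITE PERMISSIONS
                                         READ PROPERTY
Allow ACME\JDoe                          SPECIAL ACCESS   for Descendant Computer objects
                                         READ PROPERTY
                                         LIST CONTENTS
'@ -split "`r?`n"

$ou = 'OU=Laptops,OU=AcmeCo,DC=ss64,DC=Com'
# Same grant as the example above; -WhatIf displays "dsacls <DN> /G ACME\JDoe:GRGE;computer" and changes nothing.
$stmt = New-DsaclsPermissionStatement -Principal 'ACME\JDoe' -Codes 'GR','GE' -ObjectType 'computer'
Grant-DsaclsPermission -ObjectDN $ou -Statements $stmt -WhatIf
# Audit of the sample: only ACME\Helpdesk is reported (WRITE PERMISSIONS); Domain Admins is allow-listed here.
Get-DsaclsRiskyAces -ObjectDN $ou -DsaclsOutput $SampleOutput -TrustedPrincipals 'NT AUTHORITY\SYSTEM','ACME\Domain Admins'
```

The audit deliberately ignores Deny ACEs and anything inherited by an allow-listed principal, so the list it returns is the set of explicit Allow entries worth reviewing; pass a different -TrustedPrincipals list for forests that delegate through custom admin groups, and drop -DsaclsOutput to read the live ACL of the object instead of the constructed sample.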

“If future generations are to remember us with gratitude rather than contempt, we must leave them more than the miracles of technology. We must leave them a glimpse of the world as it was in the beginning, not just after we got through with it” ~ President Lyndon B. Johnson

Related commands

DSAdd - Add object.
DSMod - Modify object.
DSGet - Display object.
DSMove - Move object.
DSQuery - Search for objects.
DSdbUtil - Maintenance of AD, Authoritative Restore, manage snapshots.
DSAMain - Expose Active Directory data that is stored in a snapshot or backup.
DSMgmt - Configure Directory Services.


 
Copyright © 1999-2024 SS64.com
Some rights reserved