Displays and changes permissions (access control entries) in the access control list (ACL) of objects in Active Directory Domain Services (AD DS).
Dsacls is a command-line tool that is built into Windows Server 2008 and later. It is available if you have the AD DS server role installed. To use dsacls, you must run the dsacls command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
For examples of how to use this command, see Examples.
Dsacls is the command-line equivalent of the Security tab in the properties dialog box for an Active Directory object in tools such as Active Directory Users and Computers. You can use either tool to view and change permissions to an Active Directory object.
Note

The access control entries (ACEs) that you add by using dsacls are explicit, object-specific permissions that override the default permissions defined in the Active Directory schema for that object type. Do not add ACEs unless you are well-informed about security for Active Directory objects.
To view an ACL, the user must have Read permissions (the RC right, read security information) on the Active Directory object. To change an ACL, the user must have Write permissions (the WD right, change security information) on the object, or be its owner.
Syntax
dsacls "[\\<Computer>\]<ObjectDN>" [/A] [/D <PermissionStatement> [<PermissionStatement>]...] [/G <PermissionStatement> [<PermissionStatement>]...] [/I:{T | S | P}] [/N] [/P:{Y | N}] [/R {<User> | <Group>} [{<User> | <Group>}]...] [/S [/T]] [/?]
Parameters
If you specify an object without additional parameters, Dsacls displays the ACEs in the ACL.
Parameter | Description
---|---
"[\\<Computer>\]<ObjectDN>" | Identifies the Active Directory object to investigate. Type the distinguished name of the object. To specify an object on a remote computer, type that computer name, a backslash, and then the distinguished name (`\\<Computer>\<ObjectDN>`). This parameter must be enclosed in quotation marks.
/A | Adds ownership and auditing information to the results.
/D | Denies the permissions that you specify to the user or group. You can deny permissions to multiple users in one /D parameter by listing several permission statements. For the format of each statement, see Syntax for PermissionStatement.
/G | Grants the permissions that you specify to the user or group. You can grant permissions to multiple users in one /G parameter by listing several permission statements. For the format of each statement, see Syntax for PermissionStatement.
/I:{T \| S \| P} | Specifies the objects to which the permissions apply, and therefore whether the ACE is inheritable. T (the default) applies the ACE to this object and all subobjects. S applies the ACE to subobjects only (an inherit-only ACE that does not apply to the object itself). P propagates the inheritable permission one level only.
/N | Replaces the current ACEs in the ACL with the ACEs that you specify. By default, dsacls adds the ACE to the existing ACL.
/P:{Y \| N} | Determines whether the object inherits permissions from its parent objects. Y enables inheritance; N blocks it. If you omit this parameter, the inheritance setting of the object does not change.
/R {<User> \| <Group>} [{<User> \| <Group>}]... | Deletes all ACEs for the users or groups that you specify. You can specify User as User@Domain or as Domain\User. You can specify Group as Group@Domain or as Domain\Group. You can delete ACEs for multiple users and groups in a single /R parameter.
/S | Restores the security on the object to the default for that object class as defined in the Active Directory schema.
/T | Restores the security on the tree of objects to the default for each object class. This parameter is valid only with the /S parameter.
/? | Displays help at the command prompt.
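The following PowerShell session is an added example, not part of the original page, that walks the switches above through a realistic delegation round-trip: record the baseline, grant, deny, verify, and roll back. The domain contoso.com, the OU `OU=Staff,DC=contoso,DC=com`, the group `CONTOSO\HelpDesk`, and the domain controller `DC01` are assumed names.

```powershell
# Added example (not from the original page). Assumed names: domain contoso.com,
# OU "OU=Staff,DC=contoso,DC=com", delegated group CONTOSO\HelpDesk, domain controller DC01.
# Run from an elevated prompt on a machine with the AD DS tools installed.

$ou  = 'OU=Staff,DC=contoso,DC=com'
$grp = 'CONTOSO\HelpDesk'

# 1. Record the baseline. /A adds owner and SACL (auditing) entries to the listing; keep the
#    file with the change ticket so the change can be reverted precisely later.
dsacls "\\DC01\$ou" /A | Out-File "$env:TEMP\staff-ou-acl-before.txt"

# 2. Grant on the OU itself (default /I:T = this object and subobjects): HelpDesk may create
#    and delete user objects in the OU. Create-child/delete-child rights live on the container.
dsacls "\\DC01\$ou" /G "${grp}:CCDC;user"

# 3. Grant inherit-only rights (/I:S = subobjects only) that land on user objects beneath:
#    Reset Password is an extended right (CA followed by its display name), and read/write on
#    lockoutTime lets the group unlock accounts. Two statements in one /G parameter.
dsacls "\\DC01\$ou" /I:S /G "${grp}:CA;Reset Password;user" "${grp}:RPWP;lockoutTime;user"

# 4. Explicit deny, inherit-only, on group objects: even if a broader allow is added later,
#    HelpDesk cannot edit group membership under this OU, because deny ACEs take precedence.
dsacls "\\DC01\$ou" /I:S /D "${grp}:WP;member;group"

# 5. Keep inheritance from the parent enabled. /P:N would block inherited ACEs and silently
#    detach the OU from any domain-level delegation, which is a common mistake.
dsacls "\\DC01\$ou" /P:Y

# 6. Verify: show only the ACEs that mention the delegated group (-SimpleMatch because of the
#    backslash in the group name).
dsacls "\\DC01\$ou" | Select-String -SimpleMatch -Pattern $grp

# 7. Rollback: /R takes a trustee, not a permission statement, and removes every explicit ACE
#    for that trustee on the object.
#    dsacls "\\DC01\$ou" /R $grp

# 8. Last resort: reset the OU (/S) and the whole tree under it (/T) to schema defaults. This
#    wipes all custom delegation on the subtree, so diff against the saved baseline first.
#    dsacls "\\DC01\$ou" /S /T
```

Steps 7 and 8 are left commented out because they are destructive; run them deliberately after comparing the current listing with the baseline file from step 1.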
Syntax for PermissionStatement
{<User> | <Group>}:<Permissions>[;{<ObjectType> | <Property>}][;<InheritedObjectType>]
Parameters
Parameter | Description
---|---
{<User> \| <Group>} | Specifies the user or group to whom the rights apply. You can specify User as User@Domain or Domain\User. You can specify Group as Group@Domain or Domain\Group.
<Permissions> | Specifies the permissions that you are applying, as one or more of the two-letter codes listed below, concatenated without spaces (for example, RPWP grants read property and write property).
{<ObjectType> \| <Property>} | Limits the permission to the specified object type or property. Enter the display name of the object type or the property; for a control access right (CA), enter the display name of the extended right. If you do not specify an object type or property, the permission applies to all object types and properties. For example, `CC;;` permits the user to create child objects of all types, whereas `CC;computer;` permits the user to create only child computer objects.
<InheritedObjectType> | Limits inheritance of the permission to the specified object type. Enter the display name of the object type. If you do not specify an object type, all object types can inherit the permission. You can use this field only when the permission is inheritable (see /I). For example, `RPWP;telephonenumber;` can be inherited by all object types, whereas `RPWP;telephonenumber;user` can be inherited only by User objects.

Generic permissions:

- GR: Generic read
- GE: Generic execute
- GW: Generic write
- GA: Generic all

Specific permissions:

- SD: Delete
- DT: Delete an object and all of its child objects
- RC: Read security information
- WD: Change security information
- WO: Change owner information
- LC: List the child objects of an object
- CC: Create child object
- DC: Delete child object
- WS: Write to self object
- RP: Read property
- WP: Write property
- CA: Control access right
- LO: List object access
Examples
To grant the permissions to delete, read security information, change security information, and change ownership, inherited only by User objects (the ObjectType field is left empty, and the third field limits inheritance to the User class), type:
`SDRCWDWO;;user`
To grant permission to create and delete child objects of the Group class, type:
`CCDC;group;`
To grant permission to read and write the telephoneNumber property, type:
`RPWP;telephonenumber;`
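The examples above show only the permission fragment. The following PowerShell script is an added example, not from the original page, that assembles complete permission statements from their parts, validates the rights codes against the set of two-letter codes dsacls accepts (GR, GE, GW, GA, SD, DT, RC, WD, WO, LC, CC, DC, WS, RP, WP, CA, LO) before dsacls is invoked, and prints the exact command line as a dry run. The functions `New-DsaclsPermission` and `Invoke-Dsacls`, the OU `OU=Staff,DC=contoso,DC=com`, and the group `CONTOSO\HelpDesk` are assumed names introduced here.

```powershell
# Added example (not from the original page). Assumed names: OU "OU=Staff,DC=contoso,DC=com",
# group CONTOSO\HelpDesk; New-DsaclsPermission and Invoke-Dsacls are helpers defined here.

# Two-letter codes that dsacls accepts in the <Permissions> field.
$DsaclsRights = @{
    GR = 'Generic read';   GE = 'Generic execute'; GW = 'Generic write'; GA = 'Generic all'
    SD = 'Delete';         DT = 'Delete object and all children'
    RC = 'Read security information'; WD = 'Change security information'; WO = 'Change owner'
    LC = 'List children';  CC = 'Create child';    DC = 'Delete child';   WS = 'Write self'
    RP = 'Read property';  WP = 'Write property';  CA = 'Control access right'; LO = 'List object'
}

function New-DsaclsPermission {
    # Builds "<Trustee>:<Permissions>[;<ObjectType>][;<InheritedObjectType>]" and rejects
    # unknown rights codes before dsacls sees them (its own error for a typo is terse).
    param(
        [Parameter(Mandatory)][string]$Trustee,      # DOMAIN\name or name@domain
        [Parameter(Mandatory)][string[]]$Rights,     # e.g. 'RP','WP'
        [string]$ObjectType = '',                    # class or attribute display name; extended right name for CA
        [string]$InheritedObjectType = ''            # class that may inherit the ACE (needs an inheritable ACE)
    )
    foreach ($r in $Rights) {
        if (-not $DsaclsRights.ContainsKey($r.ToUpper())) {
            throw "Unknown dsacls right '$r'. Valid codes: $($DsaclsRights.Keys -join ', ')"
        }
    }
    # Codes are concatenated with no separator; the two optional fields follow, separated by ';'.
    $stmt = "${Trustee}:" + (($Rights | ForEach-Object { $_.ToUpper() }) -join '')
    if ($ObjectType -or $InheritedObjectType) { $stmt += ";$ObjectType" }
    if ($InheritedObjectType)                 { $stmt += ";$InheritedObjectType" }
    return $stmt
}

function Invoke-Dsacls {
    # Prints the dsacls command line; runs it only with -Apply.
    param(
        [Parameter(Mandatory)][string]$ObjectDN,
        [Parameter(Mandatory)][ValidateSet('G','D')][string]$Mode,   # G = grant, D = deny
        [Parameter(Mandatory)][string[]]$Statement,
        [ValidateSet('T','S','P')][string]$Inherit = 'T',
        [switch]$Apply
    )
    $shown = @("`"$ObjectDN`"", "/I:$Inherit", "/$Mode") + ($Statement | ForEach-Object { "`"$_`"" })
    Write-Host ('dsacls ' + ($shown -join ' '))
    if ($Apply) { & dsacls $ObjectDN "/I:$Inherit" "/$Mode" @Statement }
}

$ou  = 'OU=Staff,DC=contoso,DC=com'
$grp = 'CONTOSO\HelpDesk'

# The page's three example fragments, assembled into full statements (trustee is assumed):
$s1 = New-DsaclsPermission -Trustee $grp -Rights SD,RC,WD,WO -InheritedObjectType user   # CONTOSO\HelpDesk:SDRCWDWO;;user
$s2 = New-DsaclsPermission -Trustee $grp -Rights CC,DC -ObjectType group                 # CONTOSO\HelpDesk:CCDC;group
$s3 = New-DsaclsPermission -Trustee $grp -Rights RP,WP -ObjectType telephoneNumber       # CONTOSO\HelpDesk:RPWP;telephoneNumber
# An extended right: the ObjectType field carries the right's display name after CA.
$s4 = New-DsaclsPermission -Trustee $grp -Rights CA -ObjectType 'Reset Password' -InheritedObjectType user

# Dry run: create/delete child groups belongs on the container (/I:T); the rest are
# inherit-only (/I:S) so they land on the user objects beneath, not on the OU itself.
Invoke-Dsacls -ObjectDN $ou -Mode G -Inherit T -Statement $s2
Invoke-Dsacls -ObjectDN $ou -Mode G -Inherit S -Statement $s1,$s3,$s4

# A typo in a rights code (W0 with a zero) is caught locally:
try { New-DsaclsPermission -Trustee $grp -Rights SD,RC,WD,W0 } catch { Write-Warning $_ }

# Re-run the Invoke-Dsacls lines with -Apply from an elevated prompt once the printed commands look right.
```

The `InheritedObjectType` field only has an effect when the ACE is inheritable, so statements that use it are paired here with `/I:S` (or the default `/I:T`); a non-inheritable ACE with a third field would not behave as the name suggests.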