For Windows 2000, use the Windows 2000 resource kit tool DSACLS.EXE
For Windows 2003, use the included DSACLS.EXE in the OS
Syntax
M:\tools\w2kreskit> dsacls /?
Displays or modifies permissions (ACLS) of an Active Directory (AD)
Object
DSACLS object [/I:TSP] [/N] [/P:YN] [/G : [...]]
[/R [...]] [/D : [...]]
[/S] [/T] [/A] [/setsddl:file_path] [/getsddl[:file_path]]
object Path to the AD object for which to display or
manipulate the ACLs
Path is the RFC 1779 format of the name, as in
CN=John Doe,OU=Software,OU=Engineering,DC=Widget,DC=com
A specific Active Directory can be denoted by prepending \server\
to the object, as in
\ADSERVER\CN=John Doe,OU=Software,OU=Engineering,DC=Widget,DC=US
no options displays the security on the object.
/I Inheritance flags:
T: This object and sub objects
S: Sub objects only
P: Propagate inheritable permissions one level only.
/N Replaces the current access on the object, instead of
editing it.
/P Mark the object as protected
Y:Yes
N:No
If /P option is not present, current protection flag is
maintained.
/G :
Grant specified group (or user) specified permissions.
See below for format of and
/D :
Deny specified group (or user) specified permissions.
See below for format of and
/R Remove all permissions for the specified group (or user).
See below for format of
/S Restore the security on the object to the default for
that object class as defined in AD Schema.
/T Restore the security on the tree of objects to the
default for the object class.
This switch is valid only with the /S option.
/A When displaying the security on an Active Directory object,
display the ownership and auditing information as well as
the permissions
should be in the following forms:
group@domain or domain\group
user@domain or domain\user
should be in the following form:
[Permission bits];[Object/Property];[Inherited Object Type]
Permission bits can have the following values concatenated together:
Generic Permissions
GR Generic Read
GE Generic Execute
GW Generic Write
GA Generic All
Specific Permissions
SD Delete
DT Delete an object and all of it's children
RC Read security information
WD Change security information
WO Change owner information
LC List the children of an object
CC Create child object
DC Delete a child object
For these two permissions, if [Object/Property] is
not specified to define a specific child object type,
they apply all types of child objects otherwise they
apply to that specific child object type.
WS Write to self object
Meaningful only on Group objects and when [Object/Property]
is filled in as "member"
WP Read property
RP Write property
For these two permissions, if [Object/Property] is not
specified to define a specific property, they apply to
all properties of the object otherwise they apply to that
specific property of the object.
CA Control access right
For this permission, if [Object/Property] is not specified
to define the specific "extended right" for control access,
it applies to all control accesses meaningful on the
object, otherwise it applies to the specific extended right
for that object.
LO List the object access. Can be used to grant
list access to a specific object if
List Children (LC) is not granted to the parent as
well can denied on specific objects to hide those objects
if the user/group has LC on the parent.
NOTE: Active Directory does NOT enforce this permission
by default, it has to be configured to start checking for
this permission.
[Object/Property]
must be the display name of the object type or the property.
for example "user" is the display name for user objects and
"telephone number" is the display name for telephone number property.
[Inherited Object Type]
must be the display name of the object type that the permissions
are expected to be inherited to. The permissions MUST be Inherit Only.
NOTE: This must only be used when defining object specific permissions
that override the default permissions defined in the AD schema for that
object type. USE THIS WITH CAUTION and ONLY IF YOU UNDERSTAND object
specific permissions.
Examples of a valid would be:
SDRCWDWO;;user
means:
Delete, Read security information, Change security information and
Change ownership permissions on objects of type "user".
CCDC;group;
means:
Create child and Delete child permissions to create/delete objects
of type group.
RPWP;telephonenumber;
means:
read property and write property permissions on telephone number
property
You can specify more than one user in a command.
The command completed successfully