View or Edit ACLs (access control entries) for objects in Active Directory.
Syntax
DSACLS "[\\Computer\]ObjectDN" [/A] [/D PermissionStatement [PermissionStatement]...]
[/G PermissionStatement [PermissionStatement]...] [/I:{T | S | P}]
[/N] [/P:{Y | N}]
[/R {User | Group} [{User | Group}]...] [/S [/T]]
PermissionStatements:
{User | Group}:Permissions[;{ObjectType | Property}][;InheritedObjectType]
Key
ObjectDN Distinguished name of the object.
If omitted, the distinguished name is read from standard input (stdin).
/A Add ownership and auditing information to the results.
/D Deny permissions to a user or group
/G Grant permissions to a user or group.
/I: Inheritance
T The object and its child objects (default)
S The child objects only
P The object and child objects down one level only
/N Replace the current ACEs in the ACL.
By default, dsacls adds the ACE to the ACL.
/P: Inherit permissions from parent objects (Y/N).
/R Revoke/Delete all ACEs for the users or groups.
/S Restore the default security.
Default security for each object class is defined in the Active Directory schema.
/S /T Restore the default security on the tree of objects.
Permissions
GR: Generic Read
GE: Generic Execute
GW: Generic Write
GA: Generic All
SD: Delete an object
DT: Delete an object and all of its child objects
RC: Read security information
WD: Change security information
WO: Change owner information
LC: List the child objects of the object
CC: Create a child object•
DC: Delete a child object•
WS: Write to self (validated write). For group membership, apply it to a group object with {ObjectType | Property} = "member".
RP: Read a property•
WP: Write to a property•
CA: Control access (normally a specific extended right for control access)
If you do not specify {ObjectType | Property} this permission will apply to all
meaningful control accesses on the object.
LO: List object access. AD DS does not enforce this permission by default.
Grant LO on a specific object to make it visible when List Children (LC) is not granted on the parent.
Deny LO on a specific object to hide it when the user or group has LC permission on the parent.
ObjectType | Property
Limit the permission to the specified object type or property.
Enter the display name of the object type or the property.
Default=all object types and properties.
For example, to grant the user rights to create all types of child objects:
/G Domain\User:CC
To grant the user rights to create only child computer objects:
/G Domain\User:CC;computer
InheritedObjectType
Limit inheritance of the permission to the specified object type.
For example, to allow only User objects to inherit the permission:
/G Domain\User:CC;;user
Object Types
User,Contact,Group,Shared Folder,Printer,Computer,Domain Controllers,OU
• If you do not specify {ObjectType | Property} to define a specific child object type, this permission will apply to all types of child objects; otherwise, it will apply only to the child object type that you specify.
You can grant, deny or delete ACEs for multiple users and groups with a single parameter (/G, /D or /R) by listing the users/groups separated with spaces.
Examples
Grant Generic Read (GR) and Generic Execute (GE) on computer objects in the Laptops OU to Jdoe:
C:\> dsacls "OU=Laptops,OU=AcmeCo,DC=ss64,DC=Com" /G Domain\JDoe:GRGE;computer
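A delegation, review and rollback sequence using the permission syntax described above, added here as an example (it is not part of the original page); the domain ACME, the group ACME\HelpDesk and the OU distinguished name are assumed placeholders:

```powershell
# Added example (not from the original page). Delegate group-membership
# management on one OU with least privilege, review the ACL, then roll back.
# Assumed placeholders: domain ACME, group ACME\HelpDesk, OU below.
$ou      = "OU=Groups,OU=AcmeCo,DC=acme,DC=local"
$trustee = "ACME\HelpDesk"

# 1. Grant only Read Property (RP) and Write Property (WP) on the "member"
#    attribute, inherited only by group objects (InheritedObjectType = group),
#    so the right cannot be used on users, computers or OUs under the same
#    parent. /I:S applies the ACE to child objects only, leaving the OU's own
#    ACL untouched. ${trustee} braces are needed: "$trustee:" would be read
#    by PowerShell as a scope qualifier.
dsacls $ou /I:S /G "${trustee}:RPWP;member;group"
if ($LASTEXITCODE -ne 0) { throw "dsacls grant failed ($LASTEXITCODE)" }

# 2. Review: dump the ACL with ownership and auditing info (/A) and show the
#    ACEs that name the trustee, so the delegation is verified before use.
$acl = dsacls $ou /A
$acl | Select-String -Pattern ([regex]::Escape($trustee))

# 3. Audit check: Generic All (GA) is displayed by dsacls as FULL CONTROL.
#    Any explicit FULL CONTROL ACE for a non-default principal on an OU is an
#    over-delegation worth investigating; this only matches the displayed
#    text and does not parse the column layout of the output.
$acl | Select-String -Pattern "FULL CONTROL" |
    Where-Object { $_ -notmatch "Domain Admins|Enterprise Admins|SYSTEM" }

# 4. Rollback, narrow form: /R removes every ACE for this trustee only.
dsacls $ou /R $trustee

# 5. Rollback, broad form: /S /T restores the schema-default security on the
#    OU and its whole subtree. This discards ALL custom ACEs there, not just
#    the one added above, so confirm the subtree first.
# dsacls $ou /S /T
```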
Related:
DSAdd - Add object.
DSMod - Modify object.
DSGet - Display object.
DSMove - Move object.
DSQuery - Search for objects.
DSdbUtil - Maintenance of AD, Authoritative Restore, manage snapshots.
DSAMain - Expose Active Directory data that is stored in a snapshot or backup.
DSMgmt - Configure Directory Services.