Microsoft KB Archive/281146

= How to Use Dsacls.exe in Windows Server 2003 and Windows 2000 =

Article ID: 281146

Article Last Modified on 2/27/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server

-



This article was previously published under Q281146



IN THIS TASK

 * SUMMARY
 * Overview of Dsacls.exe
 *  Syntax
 * Examples of 
 * REFERENCES



SUMMARY
This article describes how to use the Dsacls.exe tool (Dsacls.exe) to manage access control lists (ACLs) for directory services in Microsoft Windows Server 2003 and Microsoft Windows 2000 Server. Dsacls.exe is a command-line tool that you can use to query the security attributes and to change permissions and security attributes of Active Directory objects. It is the command-line equivalent of the Security tab in the Windows Active Directory snap-in tools such as Active Directory Users and Computers and Active Directory Sites and Services.

Dsacls.exe is included with the Windows Support Tools. To install the Support Tools, run Setup.exe from the Support\Tools folder on the Windows Server 2003 or Windows 2000 Server CD-ROM.

You can use Dsacls.exe and another Windows Support Tool, ACL Diagnostics (Acldiag.exe), to provide security configuration and diagnosis functionality on Active Directory objects from the command prompt.

Note You can use Dsacls.exe to display and change permissions (access control entries) in the access control list (ACL) of objects in Active Directory Application Mode (ADAM) in Windows Server 2003.

Important Do not use Dsacls.exe to modify permissions if you have implemented a Hosting solution such as Windows-based Hosting, High Volume Exchange (HVE), Hosted Messaging and Collaboration, or Hosted Exchange, or if the customer is using Microsoft Provisioning Service. The Hosting solutions depend on specific security model to isolate the ISP's customers from each other.

back to the top

Overview of Dsacls.exe
DsAcls uses the following syntax:

dsacls  [/a] [/d {  |  }:  [...]] [/g {  |  }:  [...]] [/i:{p | s | t}] [/n] [/p:{y | n}] [/r {  |  } [...]] [/s [/t]]

You can use the following parameters with Dsacls.exe:   : This is the path to the directory services object on which to display or change the ACLs. This path must be a distinguished name (also known as RFC 1779 or x.500 format). For example:

CN=Someone,OU=Software,OU=Engineering,DC=Microsoft,DC=Com

To specify a server, add   before the object. For example:

\\MyServer\CN=Someone,OU=Software,OU=Engineering,DC=Microsoft,DC=Com

When you run the dsacls command with only the  parameter (dsacls  ), the security information about the object is displayed. /a : Use this parameter to display the ownership and auditing information with the permissions. /d { |  : : Use this parameter to deny specified permissions to a user or group. must use either @  or  \  format, and   must use either  @  or  \  format. You can specify more than one user or group in a command. For more information about the correct syntax to use for, see the  Syntax section later in this article. /g { |  }: : Use this parameter to grant specified permissions to a user or group. must use either @  or  \  format, and   must use either  @  or  \  format. You can specify more than one user or group in a command. For more information about the correct syntax to use for, see the  Syntax section later in this article. /i:{p | s | t} : Use this parameter to specify one of the following inheritance flags: <ul> p: Use this option to propagate inheritable permissions one level only.</li> s: Use this option to propagate inheritable permissions to subobjects only.</li> t: Use this option to propagate inheritable permissions to this object and subobjects.</li></ul> </li> /n : Use this parameter to replace the current access on the object, instead of editing it.</li> /p:{y | n}: This parameter determines whether the object can inherit permissions from its parent objects. If you omit this parameter, the inheritance properties of the object are not changed. Use this parameter to mark the object as protected (y = yes) or not protected (n = no).

Note This parameter changes a property of the object, not of an Access Control Entry (ACE). To determine whether an ACE is inheritable, use the /I parameter.</li> /r { |  }: Use this parameter to remove all permissions for the specified user or group. You can specify more than one user or group in a command. must use either @  or  \  format, and   must use either  @  or  \  format.</li> /s: Use this parameter to restore the security on the object to the default security for that object class, as defined in the Active Directory schema.</li> /t : Use this parameter to restore the security on the tree of objects to the default for each object class. This switch is valid only when you also use the /s parameter.</li></ul>

Syntax
You must use the following syntax for  when you use the /d {  |  :  or /g {  |  :  parameter :

[ ];[{ }];[ ]

<ul>  can use any of the following values, which can be concatenated together without spaces:

Generic Permissions

'''Specific Permissions

''' </li> { }: This represents the display name of the object type or property. For example, &quot;user&quot; (without the quotation marks) is the display name for user objects, and &quot;telephone number&quot; (without the quotation marks) is the display name for the telephone number property.

For example, the following command permits the user to create all types of child objects:

/G Domain\User:CC

However, the following command permits the user to create only child computer objects:

/G Domain\User:CC;computer

</li>  : This represents the display name of the object type by which the permissions are expected to be inherited.

If an object type is not specified, the permission can be inherited by all object types. This parameter is used only when permissions are inheritable.

For example, the following command permits all types of objects to inherit the permission:

/G Domain\User:CC

However, the following command permits only user objects to inherit the permission:

/G Domain\User:CC;;user

</li></ul>

IMPORTANT: Use  only when you define object-specific permissions that override the default permissions defined in the Active Directory schema for that object type. Use with caution and only if you have a full understanding of object-specific permissions.

back to the top

Examples of 
 * SDRCWDWO;;user

This notation represents Delete, Read security information, Change security information, and Change ownership permissions on objects of type &quot;user&quot;.
 * CCDC;group;

This notation represents Create child and Delete child permissions to create or delete objects of type &quot;group&quot;.
 * RPWP;telephonenumber;

This notation represents Read property and Write property permissions on the telephone number property.

back to the top

<div class="references_section">