Microsoft KB Archive/281146

From BetaArchive Wiki

Article ID: 281146

Article Last Modified on 2/27/2007



APPLIES TO

  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server



This article was previously published under Q281146

SUMMARY

This article describes how to use Dsacls.exe to manage access control lists (ACLs) for directory service objects in Microsoft Windows Server 2003 and Microsoft Windows 2000 Server. Dsacls.exe is a command-line tool that you can use to query the security attributes of Active Directory objects and to change their permissions and security attributes. It is the command-line equivalent of the Security tab in the Active Directory snap-ins, such as Active Directory Users and Computers and Active Directory Sites and Services.

Dsacls.exe is included with the Windows Support Tools. To install the Support Tools, run Setup.exe from the Support\Tools folder on the Windows Server 2003 or Windows 2000 Server CD-ROM.

You can use Dsacls.exe and another Windows Support Tool, ACL Diagnostics (Acldiag.exe), to provide security configuration and diagnosis functionality on Active Directory objects from the command prompt.

Note You can use Dsacls.exe to display and change permissions (access control entries) in the access control list (ACL) of objects in Active Directory Application Mode (ADAM) in Windows Server 2003.

Important Do not use Dsacls.exe to modify permissions if you have implemented a Hosting solution such as Windows-based Hosting, High Volume Exchange (HVE), Hosted Messaging and Collaboration, or Hosted Exchange, or if the customer is using Microsoft Provisioning Service. The Hosting solutions depend on a specific security model to isolate the ISP's customers from each other, and ad hoc ACL changes can break that isolation.


Overview of Dsacls.exe

DsAcls uses the following syntax:

dsacls object [/a] [/d {user | group}:permissions [...]] [/g {user | group}:permissions [...]] [/i:{p | s | t}] [/n] [/p:{y | n}] [/r {user | group} [...]] [/s [/t]]


You can use the following parameters with Dsacls.exe:

  • object: This is the path to the directory service object on which to display or change the ACLs. This path must be a distinguished name (also known as RFC 1779 or X.500 format). For example:

    CN=Someone,OU=Software,OU=Engineering,DC=Microsoft,DC=Com

    To specify a server, add \\Servername\ before the object. For example:

    \\MyServer\CN=Someone,OU=Software,OU=Engineering,DC=Microsoft,DC=Com

    When you run the dsacls command with only the object parameter (dsacls object), the security information about the object is displayed.
  • /a : Use this parameter to display the ownership and auditing information with the permissions.
  • /d {user | group}:permissions: Use this parameter to deny specified permissions to a user or group. User must use either user@domain or domain\user format, and group must use either group@domain or domain\group format. You can specify more than one user or group in a command. For more information about the correct syntax to use for permissions, see the <Permissions> Syntax section later in this article.
  • /g {user | group}:permissions: Use this parameter to grant specified permissions to a user or group. User must use either user@domain or domain\user format, and group must use either group@domain or domain\group format. You can specify more than one user or group in a command. For more information about the correct syntax to use for permissions, see the <Permissions> Syntax section later in this article.
  • /i:{p | s | t} : Use this parameter to specify one of the following inheritance flags:
    • p: Use this option to propagate inheritable permissions one level only.
    • s: Use this option to propagate inheritable permissions to subobjects only.
    • t: Use this option to propagate inheritable permissions to this object and subobjects.
  • /n : Use this parameter to replace the current access on the object instead of editing it. The existing access control entries are discarded and only the entries that you grant or deny in the same command remain, so record the current ACL first (for example, by redirecting the output of dsacls object to a file) before you use this parameter.
  • /p:{y | n}: This parameter determines whether the object can inherit permissions from its parent objects. If you omit this parameter, the inheritance properties of the object are not changed. Use this parameter to mark the object as protected (y = yes) or not protected (n = no).

    Note This parameter changes a property of the object, not of an Access Control Entry (ACE). To control whether an ACE is inheritable, use the /i parameter.
  • /r {user | group}: Use this parameter to remove all permissions for the specified user or group. You can specify more than one user or group in a command. User must use either user@domain or domain\user format, and group must use either group@domain or domain\group format.
  • /s: Use this parameter to restore the security on the object to the default security for that object class, as defined in the Active Directory schema. This discards any permissions that were added to the object after it was created, including delegated permissions.
  • /t : Use this parameter to restore the security on the tree of objects to the default for each object class. This switch is valid only when you also use the /s parameter.

Permissions Syntax

You must use the following syntax for permissions when you use the /d {user | group}:permissions or /g {user | group}:permissions parameter:

[PermissionBits];[{Object|Property}];[InheritedObjectType]


  • PermissionBits can use any of the following values, which can be concatenated together without spaces:

    Generic Permissions


    GR Generic Read
    GE Generic Execute
    GW Generic Write
    GA Generic All


    Specific Permissions

    SD Delete
    DT Delete an object and all its child objects.
    RC Read security information
    WD Change security information
    WO Change owner information
    LC List the child objects of an object
    CC Create child objects. If {Object|Property} is not specified to define a specific object type, this applies to all types of child objects. Otherwise, it applies only to child objects of the specified type.
    DC Delete child objects. If {Object|Property} is not specified to define a specific object type, this applies to all types of child objects. Otherwise, it applies only to child objects of the specified type.
    WS Write to self (validated write). If {Object|Property} is not specified to define a specific property, this applies to all validated writes on the object. Otherwise, it applies to the specified property of the object.
    RP Read property. If {Object|Property} is not specified to define a specific property, this applies to all properties of an object. Otherwise, it applies to the specified property of the object.
    WP Write property. If {Object|Property} is not specified to define a specific property, this applies to all properties of an object. Otherwise, it applies to the specified property of the object.
    CA Control access right (extended right). If {Object|Property} is not specified to define a specific right, this applies to all control access rights on the object. Otherwise, it applies to the specified right, for example "Reset Password" (without the quotation marks).
    LO List the object access. Can be used to grant list access to a specific object if List Children (LC) is not also granted to the parent. Can also be denied on specific objects to hide those objects if the user or group has LC on the parent. By default, Active Directory does not enforce this permission.
  • {Object|Property}: This represents the display name of the object type or property. For example, "user" (without the quotation marks) is the display name for user objects, and "telephone number" (without the quotation marks) is the display name for the telephone number property.

    For example, the following command permits the user to create all types of child objects:

    /G Domain\User:CC


    However, the following command permits the user to create only child computer objects:

    /G Domain\User:CC;computer

  • InheritedObjectType: This represents the display name of the object type that can inherit the permission.

    If an object type is not specified, the permission can be inherited by all object types. This parameter is used only when permissions are inheritable.

    For example, the following command permits all types of objects to inherit the permission:

    /G Domain\User:CC

    However, the following command permits only user objects to inherit the permission:

    /G Domain\User:CC;;user

IMPORTANT: Use object-specific and property-specific permissions only when you must override the default permissions that the Active Directory schema defines for that object type. Use them with caution and only if you have a full understanding of object-specific permissions.


Examples of Permissions

  • SDRCWDWO;;user

    This notation represents Delete, Read security information, Change security information, and Change ownership permissions that can be inherited by objects of type "user".

  • CCDC;group;

    This notation represents Create child and Delete child permissions to create or delete child objects of type "group".

  • RPWP;telephonenumber;

    This notation represents Read property and Write property permissions on the telephone number property.
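The permission syntax and the three examples above, as an added Python helper that is not part of the KB article: it validates and decodes permission strings such as SDRCWDWO;;user against the documented two-letter bits, assembles a permission string from checked parts, and builds a complete dsacls command line for review before anything is executed. The server name DC01, the OU, and the CORP\HelpDesk group are constructed placeholders; "Reset Password" is used as a sample control access right.

```python
"""Compose and decode Dsacls.exe permission strings.

Added example, not code from the Microsoft KB article. It implements the
"[PermissionBits];[{Object|Property}];[InheritedObjectType]" syntax the
article documents so that delegation scripts build the string from checked
parts, and it decodes strings such as "SDRCWDWO;;user" into readable form.
The DN, server and trustee names below are constructed placeholders.
"""
import subprocess

# The two-letter permission bits documented for Dsacls.exe.
PERMISSION_BITS = {
    "GR": "Generic Read", "GE": "Generic Execute",
    "GW": "Generic Write", "GA": "Generic All",
    "SD": "Delete", "DT": "Delete tree (object and all child objects)",
    "RC": "Read security information", "WD": "Change security information",
    "WO": "Change owner", "LC": "List child objects",
    "CC": "Create child objects", "DC": "Delete child objects",
    "WS": "Write to self (validated write)",
    "RP": "Read property", "WP": "Write property",
    "CA": "Control access right", "LO": "List object",
}
# /I:P one level only, /I:S subobjects only, /I:T this object and subobjects.
INHERIT_FLAGS = {"P", "S", "T"}


def parse_permission(spec):
    """Split 'bits;target;inherited-type' and validate every bit.

    Returns 'bits' (list of mnemonics), 'target' (object class, property or
    control-access-right display name, or None) and 'inherited_object_type'
    (object class that may inherit the ACE, or None).
    """
    fields = spec.split(";")
    if len(fields) > 3:
        raise ValueError(f"more than two ';' separators in {spec!r}")
    fields += [""] * (3 - len(fields))
    bits_str, target, inherited = (f.strip() for f in fields)
    if not bits_str or len(bits_str) % 2:
        raise ValueError(f"permission bits must be letter pairs: {bits_str!r}")
    bits = [bits_str[i:i + 2].upper() for i in range(0, len(bits_str), 2)]
    unknown = [b for b in bits if b not in PERMISSION_BITS]
    if unknown:
        raise ValueError(f"unknown permission bit(s) {unknown} in {spec!r}")
    return {"bits": bits, "target": target or None,
            "inherited_object_type": inherited or None}


def describe_permission(spec):
    """Render a permission string as a sentence, e.g. for a change record."""
    p = parse_permission(spec)
    text = ", ".join(PERMISSION_BITS[b] for b in p["bits"])
    if p["target"]:
        text += f" on '{p['target']}'"
    if p["inherited_object_type"]:
        text += f" (inherited by '{p['inherited_object_type']}' objects)"
    return text


def permission_string(bits, target=None, inherited_object_type=None):
    """Build 'bits;target;inherited-type', dropping empty trailing fields."""
    parts = ["".join(b.upper() for b in bits), target or "",
             inherited_object_type or ""]
    while len(parts) > 1 and not parts[-1]:
        parts.pop()
    spec = ";".join(parts)
    parse_permission(spec)  # reject unknown bits before anything runs
    return spec


def dsacls_grant_args(object_dn, trustee, spec, deny=False, inherit=None,
                      server=None):
    """Return the argv for a dsacls grant (or deny) so it can be reviewed.

    trustee must be domain\\name or name@domain, as the article requires.
    """
    if "\\" not in trustee and "@" not in trustee:
        raise ValueError("trustee must be domain\\name or name@domain")
    parse_permission(spec)
    target = f"\\\\{server}\\{object_dn}" if server else object_dn
    args = ["dsacls", target]
    if inherit:
        flag = inherit.upper()
        if flag not in INHERIT_FLAGS:
            raise ValueError(f"/I flag must be one of {sorted(INHERIT_FLAGS)}")
        args.append(f"/I:{flag}")
    args += ["/D" if deny else "/G", f"{trustee}:{spec}"]
    return args


def command_line(args):
    """Quote the argv the way CreateProcess expects (spaces in display names)."""
    return subprocess.list2cmdline(args)


if __name__ == "__main__":
    # Constructed example: let the help desk reset passwords on user objects
    # under an OU, inherited by subobjects only (/I:S). Review the printed
    # line, then run subprocess.run(args, check=True) on a domain-joined host.
    spec = permission_string(["CA"], "Reset Password", "user")
    args = dsacls_grant_args("OU=Staff,DC=corp,DC=example", "CORP\\HelpDesk",
                             spec, inherit="S", server="DC01")
    print(command_line(args))
    for example in ("SDRCWDWO;;user", "CCDC;group;", "RPWP;telephonenumber;"):
        print(f"{example:24} {describe_permission(example)}")
```

Running the block prints the command line exactly as it would be typed at a command prompt. The helper deliberately returns the arguments instead of executing them, because an omitted InheritedObjectType or a wrong /I flag widens the grant to every object class under the OU, and the printed line is what should go into the change record before the ACE is written.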


REFERENCES

For more information about the dsacls.exe command, type dsacls /? at the command prompt, and then press ENTER.
For more information about the latest updates to Dsacls.exe that are included in Microsoft Windows Server 2003 Service Pack 1 (SP1), click the following article number to view the article in the Microsoft Knowledge Base:

892777 Windows Server 2003 Service Pack 1 Support Tools



For additional information about how to install the Windows 2000 Support Tools, click the following article number to view the article in the Microsoft Knowledge Base:

301423 HOW TO: Install the Windows 2000 Support Tools to a Windows 2000 Server-Based Computer


For additional information about the tools that are included with the Windows 2000 Support Tools, click the following article numbers to view the articles in the Microsoft Knowledge Base:

246926 Folder Listing of the Support Tools Included in Windows 2000


292003 Service Pack 2 Adds Updates to Several Windows 2000 Support Tools


322271 Service Pack 3 Adds Updates to Several Windows 2000 Support Tools



Keywords: kbhowto KB281146