Displays and changes permissions (access control entries) in the access control list (ACL) of objects in Active Directory Domain Services (AD DS).
Dsacls is a command-line tool that is built into Windows Server 2008. It is available if you have the AD DS server role installed. To use dsacls, you must run the dsacls command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
For examples of how to use this command, see Examples.
Dsacls is the command-line equivalent of the Security tab in the properties dialog box for an Active Directory object in tools such as Active Directory Users and Computers. You can use either tool to view and change permissions to an Active Directory object.
To view an ACL, the user must have Read permissions on the Active Directory object. To change an ACL, the user must have Write permissions on the Active Directory object; in practice this means the right to change security information (the WD permission), because dsacls rewrites the object's security descriptor.
Note: The access control entries (ACEs) that you add by using dsacls must be object-specific permissions that override the default permissions that are defined in the Active Directory schema for that object type. Do not add ACEs unless you are well-informed about security for Active Directory objects.
Syntax
dsacls "[\\<Computer>\]<ObjectDN>" [/A] [/D <PermissionStatement> [<PermissionStatement>]...] [/G <PermissionStatement> [<PermissionStatement>]...] [/I:{T | S | P}] [/N] [/P:{Y | N}] [/R {<User> | <Group>} [{<User> | <Group>}]...] [/S [/T]] [/?]
Parameters
If you specify an object without additional parameters, Dsacls displays the ACEs in the ACL.
| Parameter | Description |
|---|---|
| `"[\\<Computer>\]<ObjectDN>"` | Identifies the Active Directory object to investigate. Type the distinguished name of the object. To specify an object on a remote computer, type that computer name followed by the distinguished name. This parameter must be enclosed in quotation marks, for example `"CN=Jeff Akers,CN=Users,DC=domain,DC=test,DC=contoso,DC=com"` or `"\\Server01\CN=Jeff Akers,CN=Users,DC=domain,DC=test,DC=contoso,DC=com"`. |
| `/A` | Adds ownership and auditing information to the results. |
| `/D <PermissionStatement> [<PermissionStatement>]...` | Denies the permissions that you specify to the user or group. You can deny permissions to multiple users in one `/D` parameter, for example `/D Domain1\User1:CCDC Domain1\User2:DC;computer`. For the format of each statement, see Syntax for PermissionStatement. |
| `/G <PermissionStatement> [<PermissionStatement>]...` | Grants the permissions that you specify to the user or group. You can grant permissions to multiple users in one `/G` parameter, for example `/G Domain1\User1:CCDC Domain1\User2:DC;computer`. For the format of each statement, see Syntax for PermissionStatement. |
| `/I:{T \| S \| P}` | Specifies the objects to which you are applying the permissions, and therefore whether the permissions are inheritable: `T` applies the ACE to this object and all of its subobjects, `S` to subobjects only, and `P` propagates inheritable permissions one level only. `T` is the default. After the change, display the ACL again (run dsacls with only the object name) to confirm the scope that was actually written. |
| `/N` | Replaces the current ACEs in the ACL with the ACEs that you specify. By default, dsacls adds the ACE to the ACL. |
| `/P:{Y \| N}` | Determines whether the object can inherit permissions from its parent objects (`Y`) or not (`N`). If you omit this parameter, the inheritance properties of the object do not change. |
| `/R {<User> \| <Group>} [{<User> \| <Group>}]...` | Deletes all ACEs for the users or groups that you specify. You can specify User as `User@Domain` or as `Domain\User`, and Group as `Group@Domain` or as `Domain\Group`. You can delete ACEs for multiple users and groups in a single `/R` parameter, for example `/R Domain1\User1 Domain1\User2`. |
| `/S` | Restores the security on the object to the default for that object class as defined in the Active Directory schema. |
| `/T` | Restores the security on the tree of objects to the default for each object class. This parameter is valid only with the `/S` parameter. |
| `/?` | Displays help at the command prompt. |
Syntax for PermissionStatement
{<User> | <Group>}:<Permissions>[;{<ObjectType> | <Property>}][;<InheritedObjectType>]
Parameters
| Parameter | Description |
|---|---|
| `{<User> \| <Group>}` | Specifies the user or group to whom the rights apply. You can specify User as `User@Domain` or `Domain\User`, and Group as `Group@Domain` or `Domain\Group`. |
| `<Permissions>` | Specifies the type of permissions that you are applying. You can specify one or more of the following values, concatenated without spaces (for example `RPWP`). Generic permissions: `GR` Generic Read, `GE` Generic Execute, `GW` Generic Write, `GA` Generic All. Specific permissions: `SD` Delete, `DT` Delete an object and all of its child objects, `RC` Read security information, `WD` Change security information, `WO` Change owner information, `LC` List the child objects of the object, `CC` Create a child object, `DC` Delete a child object, `WS` Write to self object, `LO` List the object access, `CA` Control access right, `RP` Read property, `WP` Write property. |
| `{<ObjectType> \| <Property>}` | Limits the permission to the specified object type or property. Enter the display name of the object type or the property. If you do not specify an object type or property, the permission applies to all object types and properties. For example, `/G Domain\User:CC` permits the user to create all types of child objects, whereas `/G Domain\User:CC;computer` permits the user to create only child computer objects. |
| `<InheritedObjectType>` | Limits inheritance of the permission to the specified object type. Enter the display name of the object type. If you do not specify an object type, all object types can inherit the permission. You can use this parameter only when permissions are inheritable. For example, `/G Domain\User:CC` permits all object types to inherit the permission, whereas `/G Domain\User:CC;;user` (note the empty object-type field between the semicolons) permits only User objects to inherit it. |
Examples
Each example shows the part of a PermissionStatement that follows `{<User> | <Group>}:`; attach it to a user or group and pass it with `/G` (or with `/D` to deny), for example `/G Domain\User:SDRCWDWO;;user`. After any change, run dsacls with only the object name to confirm that the ACE was written with the object type and inheritance scope you intended.
To grant the delete, read security information, change security information, and change ownership permissions to User objects that inherit the ACE, type:
SDRCWDWO;;user
Here the object-type field between the two semicolons is empty and `user` occupies the inherited-object-type field, so only User objects inherit the ACE.
To grant permission to create and delete child objects of the Group class, type:
CCDC;group;
To grant permission to read and write values of the Telephonenumber property, type:
RPWP;telephonenumber;
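The following PowerShell script is an added example, not part of the dsacls reference: it assembles the PermissionStatement grammar above field by field, validating the permission codes and quoting principals that contain spaces, rebuilds the three statements from the Examples, and wraps the grant in a function that supports -WhatIf and re-reads the ACL after the change. The CONTOSO\Jeff Akers and CONTOSO\Helpdesk principals and the OU=Staff distinguished name are hypothetical; running the grant requires an elevated prompt on a host with the AD DS tools and Write permission on the object.

```powershell
# Added example (not from the dsacls reference): build dsacls /G invocations
# from structured input, validating each field of the PermissionStatement
# before it reaches the directory. Principal and object names are hypothetical.

# Permission codes that dsacls accepts, as listed in the PermissionStatement table.
$ValidRights = @('GR', 'GE', 'GW', 'GA',
                 'SD', 'DT', 'RC', 'WD', 'WO', 'LC', 'CC', 'DC', 'WS', 'LO', 'CA', 'RP', 'WP')

function New-DsaclsPermissionStatement {
    # Returns "<principal>:<rights>[;<objecttype>][;<inheritedobjecttype>]".
    param(
        [Parameter(Mandatory)][string]$Principal,   # Domain\User, User@Domain, Domain\Group, Group@Domain
        [Parameter(Mandatory)][string[]]$Rights,    # two-letter codes, e.g. 'RP','WP'
        [string]$ObjectType,                        # class or property display name, e.g. 'telephonenumber'
        [string]$InheritedObjectType                # class that may inherit the ACE, e.g. 'user'
    )
    foreach ($code in $Rights) {
        if ($ValidRights -notcontains $code) { throw "Unknown dsacls permission code '$code'" }
    }
    $stmt = '{0}:{1}' -f $Principal, (($Rights | ForEach-Object { $_.ToUpper() }) -join '')
    # The object-type field may be left empty when only inheritance is limited: "CC;;user".
    if ($ObjectType -or $InheritedObjectType) { $stmt += ";$ObjectType" }
    if ($InheritedObjectType)                 { $stmt += ";$InheritedObjectType" }
    return $stmt
}

function New-DsaclsGrantCommand {
    # Returns the full command line so it can be reviewed or logged before it runs.
    param(
        [Parameter(Mandatory)][string]$ObjectDN,
        [Parameter(Mandatory)][string[]]$Statements,
        [ValidateSet('T', 'S', 'P')][string]$Inheritance,   # omit to leave dsacls at its default
        [string]$Computer                                    # target one DC: "\\<Computer>\<ObjectDN>"
    )
    $target = if ($Computer) { "\\$Computer\$ObjectDN" } else { $ObjectDN }
    $parts = @(('"{0}"' -f $target))                         # the DN must be quoted
    if ($Inheritance) { $parts += "/I:$Inheritance" }
    $parts += '/G'
    # Quote statements whose principal contains spaces, e.g. CONTOSO\Domain Admins.
    $parts += @($Statements | ForEach-Object { if ($_ -match '\s') { '"{0}"' -f $_ } else { $_ } })
    return 'dsacls ' + ($parts -join ' ')
}

function Invoke-DsaclsGrant {
    # Runs the grant; -WhatIf prints what would run instead. Needs an elevated
    # prompt on a host with the AD DS tools and Write permission on the object.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ObjectDN,
        [Parameter(Mandatory)][string[]]$Statements,
        [ValidateSet('T', 'S', 'P')][string]$Inheritance,
        [string]$Computer
    )
    $target = if ($Computer) { "\\$Computer\$ObjectDN" } else { $ObjectDN }
    $dsaclsArgs = @($target)
    if ($Inheritance) { $dsaclsArgs += "/I:$Inheritance" }
    $dsaclsArgs += '/G'
    $dsaclsArgs += $Statements
    if ($PSCmdlet.ShouldProcess($target, "dsacls $($dsaclsArgs -join ' ')")) {
        & dsacls @dsaclsArgs
        if ($LASTEXITCODE -ne 0) { throw "dsacls exited with code $LASTEXITCODE" }
        dsacls $target   # re-read the ACL so the new ACE, its object type and scope can be confirmed
    }
}

# The three statements from the Examples section, rebuilt field by field
# (hypothetical principals).
$s1 = New-DsaclsPermissionStatement -Principal 'CONTOSO\Jeff Akers' -Rights SD, RC, WD, WO -InheritedObjectType user
$s2 = New-DsaclsPermissionStatement -Principal 'CONTOSO\Helpdesk'   -Rights CC, DC -ObjectType group
$s3 = New-DsaclsPermissionStatement -Principal 'CONTOSO\Helpdesk'   -Rights RP, WP -ObjectType telephonenumber

New-DsaclsGrantCommand -ObjectDN 'OU=Staff,DC=contoso,DC=com' -Statements $s1, $s2, $s3 -Inheritance S
Invoke-DsaclsGrant     -ObjectDN 'OU=Staff,DC=contoso,DC=com' -Statements $s2 -Inheritance S -WhatIf
```

Keeping the statement builder separate from the invocation means the exact `dsacls` line can be reviewed, or checked into a change record, before an elevated session runs it; `/I:S` is used here because the first statement limits inheritance to User objects, which only has an effect when the ACE is inheritable.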