AclDiag Syntax
Overview | Syntax | Examples | Related Tools	Open Command Prompt

acldiag "LDAP-URL" [/geteffective:{user | group | *}] [/schema] [/chkdeleg [/fixdeleg]] [/skip] [/tdo]

Parameters

Note

• If you specify an object without additional parameters, AclDiag lists the Access Control Entries (ACEs) in the ACL, and inheritance and audit settings.

LDAP-URL

Identifies the Active Directory object to investigate. Enter the LDAP URL for an object in Active Directory. The LDAP URL format consists of the name of the LDAP server followed by the distinguished name of the object. The string must be enclosed in quotation marks.

For example, "LDAP://domain.test.microsoft.com/CN=Test Admin,CN=Users,DC=domain,DC=test,DC=microsoft,DC=com"

/geteffective:{User | Group | *}

Adds an effective rights diagnosis to the display. The effective rights diagnosis displays the effective permissions to the object held by specified users or groups. Effective permissions are the permissions that are enforced after precedence is applied and conflicts in rights are resolved.

Value	Description
User | Group	Displays the effective permissions held by the specified user or group.
*	Displays the effective permissions of all users and groups in the access control list (ACL) for the object.

/schema

Adds a schema diagnosis to the display. The schema diagnosis reports whether the object ACL includes the ACEs that are in the schema defaults.

/chkdeleg

Adds a delegation diagnosis to the display. The delegation diagnosis reports whether the object ACL includes the ACEs that are in the delegation template. A status of misconfigured indicates that at least one, but not all, ACEs in a delegation template (and in the schema default) are included in the ACL.

/fixdeleg

Directs AclDiag to reapply the delegation template to the object ACL, eliminating special permissions and restoring incomplete delegations. When the specified object inherits delegated permissions, this parameter reapplies the delegation template to the object for which the delegated permissions are explictly defined.

Note

• This parameter is effective only when used with the /chkdeleg parameter. Without /chkdeleg, /fixdeleg is ignored, but AclDiag does not report an error.

/skip

Omits the security description from the display. The security description is a list of the ACEs in the object ACL.

/tdo

Displays output in tab-delimited format. Fixed-width format is the default. Tab-delimited format is useful when the output is destined for a database or spreadsheet.