Windows Tools

DsAcls Syntax


dsacls "[\\Computer\]ObjectDN" [/A] [/D PermissionStatement [PermissionStatement...]] [/G PermissionStatement [PermissionStatement...]] [/I:{T | S | P}] [/N] [/P:{Y | N}] [/R {user | group} [{user | group}...]] [/S [/T]] [/?]

"[\\Computer\]ObjectDN"
Identifies the Active Directory object to display or modify. Type the distinguished name of the object. To target a specific domain controller, prefix the distinguished name with the computer name in the form \\Computer\. Enclose the whole parameter in quotation marks, because a distinguished name contains commas and may contain spaces.

For example, "CN=Jeff Akers,CN=Users,DC=domain,DC=test,DC=microsoft,DC=com" or
"\\Server01\CN=Jeff Akers,CN=Users,DC=domain,DC=test,DC=microsoft,DC=com"

/A
Adds ownership and auditing information to the display.
/D PermissionStatement [PermissionStatement...]
Denies the specified permissions to the user or group.

You can deny permissions to multiple users in each /D parameter, for example: /D Domain1\User1:CCDC Domain1\User2:DC;computer

/G PermissionStatement [PermissionStatement...]
Grants specified permissions to user or group.

You can grant permissions to multiple users in each /G parameter, for example: /G Domain1\User1:CCDC Domain1\User2:DC;computer

/I:{T | S | P}
Specifies the objects to which the permissions given with /G or /D are applied, that is, the inheritance flags written on the new ACE. If /I is omitted, the ACE carries no inheritance flags and applies to this object only.
T This object and subobjects.
S Subobjects only.
P Propagate inheritable permissions one level only.
/N
Replaces the existing ACEs in the ACL with the ACEs specified by /G or /D. By default, the new ACEs are added to the ACL and the existing ones are kept.
/P:{Y | N}
Determines whether the object can inherit permissions from its parent objects. If you omit this parameter, the inheritance properties of the object are not changed.
Y The object is protected and cannot inherit permissions.
N The object is not protected and can inherit permissions.

/R {user | group}
Deletes all ACEs for the specified users or groups.
User can be specified as user@domain or domain\user. Group can be specified as group@domain or domain\group.

You can delete ACEs for multiple users and groups in a single /R parameter, for example, /R Domain1\User1 Domain1\User2

/S
Restores the security on the object to the default for its object class, as defined by the defaultSecurityDescriptor attribute of that class in the Active Directory schema. Explicit ACEs currently on the object, including any delegation, are discarded.
/T
Restores the security on the whole tree of objects under the target to the default for each object's class. This parameter is valid only with the /S parameter.
/?
Displays help for DsAcls.

Syntax for PermissionStatement

PermissionStatements must have the following format:

{User | Group}:Permissions[;{ObjectType | Property}][;InheritedObjectType]

where:
{User | Group}
Specifies the user or group to whom the rights apply. User can be specified as user@domain or domain\user. Group can be specified as group@domain or domain\group.
{ObjectType | Property}
Limits the permission to the specified object type or property. Enter the display name of the object type or of the property. If an object type or property is not specified, the permission applies to all object types and properties.

For example, /G Domain\User:CC permits the user to create all types of child objects, but /G Domain\User:CC;computer permits the user to create only child computer objects.

InheritedObjectType
Limits inheritance of the permission to the specified object type. Enter the display name of the object type. If an object type is not specified, the permission can be inherited by all object types. This field has an effect only when the permission is inheritable (/I:T, /I:S or /I:P).

For example, /G Domain\User:CC permits all types of objects to inherit the permission, but /G Domain\User:CC;;user permits only user objects to inherit the permission.

Permissions
Type one or more of the following values, concatenated without spaces (for example, RPWP).

Generic permissions:
  GR  Generic Read
  GE  Generic Execute
  GW  Generic Write
  GA  Generic All

Specific permissions:
  SD  Delete
  DT  Delete an object and all of its children (delete subtree)
  RC  Read security information (read the security descriptor)
  WD  Change security information (write the DACL)
  WO  Change owner information
  LC  List the children of an object
  CC  Create child object

If {ObjectType | Property} is not specified to define a specific child-object type, CC applies to all types of child objects; otherwise, it applies to the specified child-object type only.

DC Delete a child object

If {ObjectType | Property} is not specified to define a specific child-object type, DC applies to all types of child objects; otherwise, it applies to the specified child-object type only.

WS Write to self object (validated write)

Meaningful only on group objects, and only when {ObjectType | Property} is "member": the principal can add or remove itself as a member of the group.

RP Read property

If {ObjectType | Property} is not specified to define a specific property, RP applies to all properties of the object; otherwise, it applies to the specified property only.

WP Write property

If {ObjectType | Property} is not specified to define a specific property, WP applies to all properties of the object; otherwise, it applies to the specified property only.

CA Control access right

If {ObjectType | Property} is not specified to name a specific extended right, CA applies to all extended rights that are meaningful on the object; otherwise, it applies only to the named extended right (for example, "Reset Password").

LO List object

Grants list access to a specific object when List Children (LC) is not granted on the parent. Can also be denied on specific objects to hide them from a user or group that has LC on the parent.

Note

  • Active Directory does not enforce this permission by default. List Object mode must be turned on for the forest (the third character of the dSHeuristics attribute on CN=Directory Service,CN=Windows NT,CN=Services in the Configuration partition set to 1) before the directory checks LO.
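The PermissionStatement forms above applied and then read back, as an added example that is not from the original page: PowerShell that writes each shape with dsacls, denies LO on one object, and then decodes the resulting ACEs through the AD: drive of the ActiveDirectory (RSAT) module, flagging any that would let the holder rewrite the delegation. The OU, group and object names are assumed, as is running with rights to change the DACL; the schema and extended-right GUIDs are the well-known values for the user class and the Reset Password right.

```powershell
# Added example (not from the original page): each PermissionStatement shape
# applied to an OU, then the resulting ACEs read back through the AD: drive
# of the ActiveDirectory module and decoded. OU, group and object names are
# assumed; run as an account that has WD on the OU.

Import-Module ActiveDirectory

$OU     = 'OU=Staff,DC=corp,DC=example,DC=com'                      # assumed OU
$Group  = 'CORP\Helpdesk-Tier1'                                      # assumed group
$Hidden = 'CN=Break Glass Admin,OU=Staff,DC=corp,DC=example,DC=com'  # assumed object

# Well-known schema GUIDs, used only to decode what dsacls wrote.
$UserClassGuid     = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of class "user"
$ResetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # rightsGuid of "Reset Password"

function Invoke-DsAcls {
    param([Parameter(Mandatory)][string[]]$ArgumentList)
    $out = & dsacls.exe @ArgumentList 2>&1 | ForEach-Object { "$_" }
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed:`n$($out -join "`n")" }
    $out
}

# Shape 1: Principal:Permissions. LC on the OU itself (no /I, so the ACE is
# not inherited) lets the group browse the container.
Invoke-DsAcls @($OU, '/G', "${Group}:LC")

# Shape 2: Principal:Permissions;Property;InheritedObjectType. RP and WP on
# the single attribute pwdLastSet (enough to force "change password at next
# logon"), inherited only by user objects; /I:S keeps it off the OU itself.
# ${Group} is braced so PowerShell does not read "$Group:RPWP" as a variable
# in a scope called Group.
Invoke-DsAcls @($OU, '/G', "${Group}:RPWP;pwdLastSet;user", '/I:S')

# Shape 3: Principal:CA;ExtendedRight;InheritedObjectType. The right's display
# name contains a space, so the whole statement travels as one argument.
Invoke-DsAcls @($OU, '/G', "${Group}:CA;Reset Password;user", '/I:S')

# Shape 4: Principal:Permissions;;InheritedObjectType. The empty middle field
# means all properties; only user objects inherit the ACE, so the group can
# read every attribute of users but nothing on groups or computers.
Invoke-DsAcls @($OU, '/G', "${Group}:RP;;user", '/I:S')

# LO is the one right on the page that needs a forest-wide setting: denying
# it on one object hides that object from a group holding LC on the parent,
# but only once List Object mode is on (dSHeuristics third character = 1).
Invoke-DsAcls @($Hidden, '/D', "${Group}:LO")

function ConvertFrom-SchemaGuid {
    param([guid]$Guid)
    if ($Guid -eq [guid]::Empty)      { return '(all)' }
    if ($Guid -eq $ResetPasswordGuid) { return 'Reset Password' }
    if ($Guid -eq $UserClassGuid)     { return 'user' }
    return $Guid.ToString()           # other attribute/class GUIDs, e.g. pwdLastSet
}

function Get-DelegatedAces {
    <#
      Returns the explicit (non-inherited) ACEs for $Principal on $ObjectDN,
      decoded, and flags any carrying WriteDacl or WriteOwner: those let the
      holder rewrite the delegation itself and have no place in a helpdesk grant.
    #>
    param([Parameter(Mandatory)][string]$ObjectDN, [Parameter(Mandatory)][string]$Principal)

    $takeover = [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
                [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner

    (Get-Acl -Path "AD:\$ObjectDN").Access |
        Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -eq $Principal } |
        ForEach-Object {
            [pscustomobject]@{
                Type         = $_.AccessControlType
                Rights       = $_.ActiveDirectoryRights
                ObjectType   = ConvertFrom-SchemaGuid $_.ObjectType
                InheritedBy  = ConvertFrom-SchemaGuid $_.InheritedObjectType
                Inheritance  = $_.InheritanceType
                TakeoverRisk = (($_.ActiveDirectoryRights -band $takeover) -ne 0)
            }
        }
}

Get-DelegatedAces -ObjectDN $OU     -Principal $Group | Format-Table -AutoSize
Get-DelegatedAces -ObjectDN $Hidden -Principal $Group | Format-Table -AutoSize
```

The read-back goes through .NET's ActiveDirectorySecurity rather than parsing dsacls output, so the object type and inherited-object-type fields come out as GUIDs and are decoded by the helper; any GUID it does not know (such as the pwdLastSet attribute) is printed raw. Because GA includes the WriteDacl and WriteOwner bits, a GA grant is flagged as takeover risk as well.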