Log in Register

Log in

dsacls Command - Syntax, Switches, Options and Examples

dsacls Command - Syntax, Switches, Options and Examples Hot

 
0.0 (0)
2431   0   0   0   0  
Write Review

dsacls command use

Dsacls is a command-line tool that is built into Windows Server 2008. It is available if you have the AD DS server role installed. To use dsacls, you must run the dsacls command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

 

dsacls command syntax

dsacls "[]" [/A] [/D []...] [/G []...] [/I:{T | S | P}] [/N] [/P:{Y | N}] [/R { | } [{ | }]...] [/S [/T]] [/?]

 

dsacls command switches

"[]" -> Identifies the Active Directory object to investigate. Type the distinguished name of the object. To specify an object on a remote computer, type that computer name followed by the distinguished name. This parameter must be enclosed in quotation marks. For example:

                                                   "CN=Jeff Akers,CN=Users,DC=domain,DC=test,DC=contoso,DC=com" 

                                                     or

                                                    "Server01CN=Jeff Akers,CN=Users,DC=domain,DC=test,DC=contoso,DC=com"

 

/A -> Adds ownership and auditing information to the results.

/D - > Denies the permissions that you specify to the user or group.

         You can deny permissions to multiple users in each /D command, for example:

         /D Domain1User1:CCDC Domain1User2:DC;computer

        For more information, see Syntax for PermissionStatement[PermissionStatement]

 

/G -> Grants the permissions that you specify to the user or group.

        You can grant permissions to multiple users in each /G command, for example:

        /G Domain1User1:CCDC Domain1User2:DC;computer

       For more information, see Syntax for PermissionStatement[PermissionStatement]

 

/I:{T | S | P} -> Specifies the objects to which you are applying the permissions. This parameter determines whether the permissions are inheritable. T is the default.

                        T: The object and its child objects

                        S: The child objects only

                        P: The object and child objects down to one level only (propagate inheritable permissions to one level only)

 

/N -> Provides that the specified ACE replaces the current ACEs in the ACL. By default, dsacls adds the ACE to the ACL.

        /P:{Y | N}

        Determines whether the object can inherit permissions from its parent objects. If you omit this parameter, the inheritance properties of the object do not change.

        Y: The object is protected and cannot inherit permissions.

        N: The object is not protected and can inherit permissions.

 

/R { | } [{ | }] -> You can delete ACEs for multiple users and groups in a single /R parameter, for example:

                                                                     /R Domain1User1 Domain1User2

/S -> Restores the security on the object to the default for that object class as defined in the Active Directory schema.

/T -> Restores the security on the tree of objects to the default for each object class. This parameter is valid only with the /S parameter.

/? -> Displays help at the command prompt.

 

dsacls command Example

SDRCWDWO;;user

To grant the permission to delete, read security information, change security information, and change ownership permissions on a User object, type:

 

CCDC;group;

To grant permission to create child objects and delete child objects of a Group object, type:

User reviews

There are no user reviews for this listing.
Already have an account? or Create an account