
Dsacls - Display and Change Permissions in the ACL


DSACLS.exe is a command-line tool that enables administrators to view and change the permissions and security attributes of Active Directory objects. It is the command-line equivalent of the Security tab in the properties dialog box of graphical tools such as Active Directory Users and Computers (ADUC).

To use dsacls to view an Access Control List (ACL), the user must have read permissions on Active Directory objects. To change an Access Control List (ACL), the user must have write permissions to the Active Directory object.

In this article, we will discuss dsacls and how to change access rights on Active Directory objects with it from the command line.

DSACLS Syntax

Dsacls uses the following syntax:

dsacls "[\\<Computer>\]<ObjectDN>" [/A] [/D <PermissionStatement> [<PermissionStatement>]...] [/G <PermissionStatement> [<PermissionStatement>]...] [/I:{T | S | P}] [/N] [/P:{Y | N}] [/R {<User> | <Group>} [{<User> | <Group>}]...] [/S [/T]] [/?]

Parameters:

  • ObjectDN - Distinguished name of the object
  • /A - Adds ownership and auditing information to the results.
  • /D - Denies the permissions that you specify to the user or group.
  • /G - Grant the permissions that you specify to the user or group.
  • /I - Inheritance
    • T - Object and its child objects (default)
    • S - Child objects only
    • P - The object and child objects down to one level only
  • /N - Provides that the specified ACE replaces the current ACEs in the ACL.
  • /P:{Y | N} - Controls whether the object is protected from inheriting permissions from its parent objects.
  • /R - Revoke/Delete all ACEs for all the users or groups.
  • /S - Restores the security on the object to the default for that object class.
  • /T - Restores the security on the tree of objects to the default for each object class.

Permissions:

  • GR: Generic Read
  • GE: Generic Execute
  • GW: Generic Write
  • GA: Generic All
  • SD: Delete an object.
  • DT: Delete an object and all of its child objects.
  • RC: Read security information.
  • WD: Change security information.
  • WO: Change owner information.
  • LC: List the child objects of the object.
  • CC: Create a child object.

What are the Advantages of the Dsacls Command-line Tool?

The benefit of using the command line is that you can create scripts to automate certain administrative tasks. Administrators no longer need to tediously modify permissions one by one; with dsacls, these tasks can be scripted and automated efficiently.

Grant User Access Rights with Access Control Lists (ACL)

An Access Control List (ACL) is attached to an object and lists the users and groups that have access to it. The ACL specifies which access rights each user or group has to a particular resource, such as a file or a printer.

Each object on a Windows computer has a security attribute that contains its access control list. The most common types of access to an object are the ability to read, write, and execute it.

An Access Control List (ACL) has one or more access control entries (ACEs) containing a user or group of users. Each ACE in an ACL identifies a user or group and specifies the access rights for that user or group.

It is common practice for the system administrator or the object owner to create and maintain the ACL for an object. The order of ACEs in an ACL is important: access-denied ACEs appear higher in the order than ACEs that grant access.

Discretionary Access Control List (DACL)

A Discretionary Access Control List (DACL) is another type of ACL. The DACLs discussed here are attached to Active Directory objects rather than to the NTFS file system.

A DACL contains a list of users and groups that have access rights to an Active Directory object. Just like an ACL, DACLs are made up of ACEs, each of which names a user, group, or computer account together with its permissions on the Active Directory object.

Something you need to remember is that an empty DACL means that no one but the object's owner has access to the object. If an object has no DACL at all, some versions of Windows interpret this as there being no security restrictions on that object.

DSACLS Examples

Now let’s look at a couple of examples of using dsacls to grant access rights to a user.

Grant Generic Read (GR) right for all objects in the OU

dsacls "OU=Sale,DC=adt,DC=dom" /G jane@adt.dom:GR /I:T

In the above example, we are granting the user jane@adt.dom the Generic Read (GR) right on the Sale OU and all of its child objects (/I:T).

Deny reading properties of the OU object

dsacls "OU=Sale,DC=adt,DC=dom" /D smith@adt.com:RP;PLink

In this example, we are preventing the user smith@adt.com from reading the properties of the OU object: /D adds a deny ACE for the RP (read property) right, scoped by the ;PLink suffix to that property.
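The article's point that dsacls shines when scripted, applied to the grant and deny examples above, as an added example that is not part of the original article: a PowerShell wrapper that records the ACL before and after a dsacls change and checks the result. It assumes dsacls.exe is installed (RSAT), that the caller has write access to the target object's ACL, a log directory under $env:TEMP, and that dsacls lists trustees in DOMAIN\name form.

```powershell
<#
Added example: wraps dsacls.exe so a permission change is snapshotted before and
after it is applied. Usage (same objects as the article's examples):
  .\Set-DsaclsEntry.ps1 -ObjectDN "OU=Sale,DC=adt,DC=dom" -Trustee "jane@adt.dom" -Rights GR
  .\Set-DsaclsEntry.ps1 -ObjectDN "OU=Sale,DC=adt,DC=dom" -Trustee "smith@adt.com" -Rights "RP;PLink" -Mode Deny
#>
param(
    [Parameter(Mandatory)][string]$ObjectDN,    # e.g. OU=Sale,DC=adt,DC=dom
    [Parameter(Mandatory)][string]$Trustee,     # user@domain or DOMAIN\group
    [Parameter(Mandatory)][string]$Rights,      # e.g. GR, or RP;PLink for a single property
    [ValidateSet('Grant', 'Deny')][string]$Mode = 'Grant',
    [ValidateSet('T', 'S', 'P')][string]$Inheritance = 'T',
    [string]$LogDir = "$env:TEMP\dsacls-log"    # assumed location for the before/after snapshots
)

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

# 1. Snapshot the current ACL so the change can be reviewed or reversed later (audit trail).
$before = & dsacls.exe $ObjectDN 2>&1
$before | Set-Content -Path "$LogDir\$stamp-before.txt"

# 2. Build the argument list: /G grants, /D denies, /I:<T|S|P> sets the inheritance scope.
$switch = if ($Mode -eq 'Grant') { '/G' } else { '/D' }
$dsaclsArgs = @($ObjectDN, $switch, "${Trustee}:${Rights}", "/I:$Inheritance")
Write-Host "Running: dsacls $($dsaclsArgs -join ' ')"

# 3. Apply the change and stop on a non-zero exit code instead of silently continuing.
$result = & dsacls.exe @dsaclsArgs 2>&1
if ($LASTEXITCODE -ne 0) {
    throw "dsacls failed with exit code ${LASTEXITCODE}: $($result -join "`n")"
}

# 4. Re-read the ACL and confirm the trustee now appears in it.
$after = & dsacls.exe $ObjectDN 2>&1
$after | Set-Content -Path "$LogDir\$stamp-after.txt"
# Assumption: dsacls prints trustees as DOMAIN\name, so match on the bare name only.
$name = if ($Trustee -match '^(.+)@') { $Matches[1] }
        elseif ($Trustee -match '\\(.+)$') { $Matches[1] }
        else { $Trustee }
if (-not ($after | Select-String -SimpleMatch $name)) {
    Write-Warning "Trustee $Trustee not found in the ACL of $ObjectDN; inspect $LogDir\$stamp-after.txt"
} else {
    Write-Host "Change applied; before/after snapshots saved in $LogDir"
}
```

Running it with -Mode Deny against a test OU first, then comparing the two snapshot files, is the practical form of the "test on non-critical OUs" and "document changes" advice in the conclusion.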


Conclusion

The dsacls command-line tool is essential for managing Active Directory permissions and security at scale. Combined with scripting and automation, it enables efficient permission management across your entire directory infrastructure.

Key Takeaways:

  • Use dsacls to script permission changes
  • Understand ACLs (Access Control Lists) and DACLs (Discretionary Access Control Lists)
  • Grant and deny permissions at the OU and object levels
  • Use inheritance to apply permissions to child objects
  • Always test on non-critical OUs first
  • Document permission changes for audit trails


I hope the above article on dsacls is helpful to you.