| 
 | 
 | 
In contrast to ACLDiag, the DsACLs command-line tool allows an administrator to both view and modify the ACL lists of directory objects, i.e., to carry out all operations available on the Security tab in the object's Properties window. (For directory objects, DsACLs does a job similar to what the CACLs.exe utility does for file system objects.) Modifying security descriptors may require a good understanding of Active Directory objects' security model, especially inheritance of permissions.
DsACLs is quite well documented, so we will only consider a few examples.
| Note | The DsACLs' parameters are case-sensitive and all letters must be upper case. | 
You can analyze the following screen output and decide what tool — DsACLs or ACLDiag — is more convenient for you to use when viewing security descriptors of directory objects. (The former command works faster, but it is not as comprehensive as the latter. Notice, for example, the lines related to the Domain Admins group in both commands' output. Perhaps, you yourself want to select an object and compare the complete outputs.) When the /A parameter is specified, the owner and auditing information is also displayed. In the audit list, "All" means that an audit is performed for both Successful and Failed events.
C:\>dsacls OU=Staff, DC=net, DC=dom /A Owner: NET\Domain Admins Group: NET\Domain Users Audit list: Effective Permissions on this object are: All Everyone SPECIAL ACCESS <Inherited from parent> DELETE WRITE PERMISSIONS ... Permissions inherited to subobjects are: Inherited to all subobjects All Everyone SPECIAL ACCESS <Inherited from parent> DELETE WRITE PERMISSIONS ... Access list: Effective Permissions on this object are: Allow NT AUTHORITY\Authenticated Users SPECIAL ACCESS READ PERMISSONS ... Allow NET\Domain Admins FULL CONTROL Allow NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS SPECIAL ACCESS READ PERMISSIONS ... Allow NT AUTHORITY\SYSTEM FULL CONTROL Allow BUILTIN\Administrators SPECIAL ACCESS <Inherited from parent> DELETE READ PERMISSIONS ... Permissions inherited to subobjects are: Inherited to all subobjects Allow BUILTIN\Administrators SPECIAL ACCESS <Inherited from parent> DELETE READ PERMISSIONS ... Inherited to computer ... Inherited to group ... Inherited to user ... Inherited to inetOrgPerson ... The command completed successfully
Let us now consider a couple of examples of how to modify security descriptors. The first command grants the user jsmith@net.dom the Generic Read right (List Contents, Read All Properties, and Read Permissions) for all objects in (and including) the Staff OU:
C:\>dsacls OU=Staff, DC=net, DC=dom /G jsmith@net.dom:GR /I:T
You may verify the result of the operation with all possible (and already mentioned) means.
The second command prevents the user from reading two properties of the OU object:
C:\>dsacls OU=Staff, DC=net, DC=dom /D jsmith@net.dom:RP;PLink jsmith@net.dom: RP; gPOptions
| Attention | The attribute names in the last command are case-sensitive. You can specify any applicable number of attributes in the same command. | 
For various reasons, you may want to return an object's security settings to their initial (default) state. The default settings for an object class are defined in the Active Directory schema. (In addition, the settings inherited from the parents are also applied to the object.) For example, the following command restores defaults for an OU object:
C:\>dsacls OU=Staff, DC=net, DC=dom /S
(You can also use the /T parameter and restore the defaults on the entire tree of objects.)
If the operation was successful, the acldiag <objectName> /schema /skip command will report the following:
Schema Defaults Diagnosis Schema defaults: Present Obtained : At CREATION
Be cautious; the dsacls /S command deletes the audit settings from the object. The command
C:\>dsacls OU=Staff, DC=net, DC=dom /A
will display the following message:
    Audit list:    {This object is protected from inheriting permissions from the parent}    THERE ARE NO ACCESS CONTROL ENTRIES    ...   To restore the default audit settings, open the object's Properties window (in the Active Directory Users and Computers or ADSI Edit snap-in), click the Security tab, and then Advanced. In the Auditing tab in the Access Control Settings window, check the Allow inheritable auditing entries from parent to propagate to this object box, and click Apply. Click OK in the warning pop-up window and close all opened windows.
| Caution | If you do not restore the audit settings after the dsacls /S command, the Windows 2000 version of ACLDiag command with the /chkdeleg or /schema parameters will fail. The Windows .NET version works properly. | 
| 
 | 
 | 
