DsACLs (DsACLs.exe) (ST)

In contrast to ACLDiag, the DsACLs command-line tool allows an administrator to both view and modify the ACL lists of directory objects, i.e., to carry out all operations available on the Security tab in the object's Properties window. (For directory objects, DsACLs does a job similar to what the CACLs.exe utility does for file system objects.) Modifying security descriptors may require a good understanding of Active Directory objects' security model, especially inheritance of permissions.

DsACLs is quite well documented, so we will only consider a few examples.


The DsACLs' parameters are case-sensitive and all letters must be upper case.

Viewing Security Settings

You can analyze the following screen output and decide what tool — DsACLs or ACLDiag — is more convenient for you to use when viewing security descriptors of directory objects. (The former command works faster, but it is not as comprehensive as the latter. Notice, for example, the lines related to the Domain Admins group in both commands' output. Perhaps, you yourself want to select an object and compare the complete outputs.) When the /A parameter is specified, the owner and auditing information is also displayed. In the audit list, "All" means that an audit is performed for both Successful and Failed events.

    C:\>dsacls OU=Staff, DC=net, DC=dom /A    Owner: NET\Domain Admins    Group: NET\Domain Users    Audit list:    Effective Permissions on this object are:    All     Everyone  SPECIAL ACCESS   <Inherited from parent>                      DELETE                      WRITE PERMISSIONS    ...    Permissions inherited to subobjects are:    Inherited to all subobjects    All    Everyone   SPECIAL ACCESS   <Inherited from parent>                      DELETE                      WRITE PERMISSIONS    ...    Access list:    Effective Permissions on this object are:    Allow NT AUTHORITY\Authenticated Users             SPECIAL ACCESS                                                       READ PERMISSONS    ...    Allow NET\Domain Admins                            FULL CONTROL    Allow NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS   SPECIAL ACCESS                                                       READ PERMISSIONS    ...    Allow NT AUTHORITY\SYSTEM                          FULL CONTROL    Allow BUILTIN\Administrators                       SPECIAL ACCESS    <Inherited from parent>                                                       DELETE                                                       READ PERMISSIONS    ...    Permissions inherited to subobjects are:    Inherited to all subobjects    Allow BUILTIN\Administrators                       SPECIAL ACCESS    <Inherited from parent>                                                       DELETE                                                       READ PERMISSIONS    ...    Inherited to computer    ...    Inherited to group    ...    Inherited to user    ...    Inherited to inetOrgPerson    ...    The command completed successfully 

Granting and Removing Permissions

Let us now consider a couple of examples of how to modify security descriptors. The first command grants the user jsmith@net.dom the Generic Read right (List Contents, Read All Properties, and Read Permissions) for all objects in (and including) the Staff OU:

    C:\>dsacls OU=Staff, DC=net, DC=dom /G jsmith@net.dom:GR /I:T 

You may verify the result of the operation with all possible (and already mentioned) means.

The second command prevents the user from reading two properties of the OU object:

    C:\>dsacls OU=Staff, DC=net, DC=dom /D jsmith@net.dom:RP;PLink       jsmith@net.dom: RP; gPOptions 


The attribute names in the last command are case-sensitive. You can specify any applicable number of attributes in the same command.

Restoring Security Settings

For various reasons, you may want to return an object's security settings to their initial (default) state. The default settings for an object class are defined in the Active Directory schema. (In addition, the settings inherited from the parents are also applied to the object.) For example, the following command restores defaults for an OU object:

    C:\>dsacls OU=Staff, DC=net, DC=dom /S 

(You can also use the /T parameter and restore the defaults on the entire tree of objects.)

If the operation was successful, the acldiag <objectName> /schema /skip command will report the following:

    Schema Defaults Diagnosis            Schema defaults: Present            Obtained            : At CREATION 

Be cautious; the dsacls /S command deletes the audit settings from the object. The command

    C:\>dsacls OU=Staff, DC=net, DC=dom /A 

will display the following message:

    Audit list:    {This object is protected from inheriting permissions from the parent}    THERE ARE NO ACCESS CONTROL ENTRIES    ... 

To restore the default audit settings, open the object's Properties window (in the Active Directory Users and Computers or ADSI Edit snap-in), click the Security tab, and then Advanced. In the Auditing tab in the Access Control Settings window, check the Allow inheritable auditing entries from parent to propagate to this object box, and click Apply. Click OK in the warning pop-up window and close all opened windows.


If you do not restore the audit settings after the dsacls /S command, the Windows 2000 version of ACLDiag command with the /chkdeleg or /schema parameters will fail. The Windows .NET version works properly.

Windows  .NET Domains & Active Directory
Windows .NET Server 2003 Domains & Active Directory
ISBN: 1931769001
EAN: 2147483647
Year: 2002
Pages: 154

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net