DSACLS.exe – Windows CMD Command
View or edit the ACLs (access control lists) of objects in Active Directory, and the access control entries (ACEs) they contain.
Syntax
      DSACLS "[\\Computer\]ObjectDN" [/A]
         [/D PermissionStatement [PermissionStatement]...]
         [/G PermissionStatement [PermissionStatement]...]
         [/I:{T | S | P}] [/N] [/P:{Y | N}]
         [/R {User | Group} [{User | Group}]...] [/S [/T]]

   PermissionStatements:
      {User | Group}:Permissions[;{ObjectType | Property}][;InheritedObjectType]

Key
   ObjectDN  Distinguished name of the object.
             If omitted will be taken from standard input (stdin)

   /A      Add ownership and auditing information to the results.
   /D      Deny permissions to a user or group
   /G      Grant permissions to a user or group.
   /I:     Inheritance
              T  The object and its child objects (default)
              S  The child objects only
              P  The object and child objects down one level only
   /N      Replace the current ACEs in the ACL.
           By default, dsacls adds the ACE to the ACL.
   /P:     Inherit permissions from parent objects (Y/N).
   /R      Revoke/Delete all ACEs for the users or groups.
   /S      Restore the default security.
           Default security for each object class is defined in the Active Directory schema.
   /S /T   Restore the default security on the tree of objects.

   Permissions
      GR: Generic Read
      GE: Generic Execute
      GW: Generic Write
      GA: Generic All
      SD: Delete an object
      DT: Delete an object and all of its child objects
      RC: Read security information
      WD: Change security information
      WO: Change owner information
      LC: List the child objects of the object
      CC: Create a child object•
      DC: Delete a child object•
      WS: Write to a self object (group membership)
          group object + {ObjectType | Property} = "member."
      RP: Read a property•
      WP: Write to a property•
      CA: Control access (normally a specific extended right for control access)
          If you do not specify {ObjectType | Property} this permission will apply
          to all meaningful control accesses on the object.
      LO: List the object access, AD DS does not enforce this permission by default.
          Grant list access to a specific object when List Children (LC) is not granted to the parent.
          Deny list access to a specific object when the user or group has LC permission on the parent.

   ObjectType | Property
      Limit the permission to the specified object type or property.
      Enter the display name of the object type or the property.
      Default=all object types and properties.

      For example, Grant the user rights to create all types of child objects:
         /G Domain\User:CC
      Grant the user rights to create only child computer objects:
         /G Domain\User:CC;computer

   InheritedObjectType
      Limit inheritance of the permission to the specified object type.

      For example, Grant only User objects to inherit the permission:
         /G Domain\User:CC;;user

   Object Types
      User, Contact, Group, Shared Folder, Printer, Computer, Domain Controllers, OU
If you do not specify {ObjectType | Property} to define a specific child object type, this permission will apply to all types of child objects; otherwise, it will apply only to the child object type that you specify.
You can Grant, Deny or Delete ACEs for multiple users and groups with a single parameter (/G /D /R); list the users or groups separated by spaces.
Examples

Grant Generic Read (GR) and Generic Execute (GE) on computer objects in the Laptops OU to Jdoe:

   C:\> dsacls "OU=Laptops,OU=AcmeCo,DC=F4T,DC=Com" /G Domain\JDoe:GRGE;computer
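The PermissionStatement format and permission codes above, as an added Python example (not part of the original page or of dsacls itself): it parses a statement and lists the grants a reviewer may want to narrow before the command is run. The function names and the BROAD and NEEDS_SCOPE sets are assumptions of this example, as is treating the codes case-insensitively.

```python
# Added example: decode and review a dsacls PermissionStatement before it is used.
PERMISSIONS = {  # two-letter codes exactly as listed in the reference above
    "GR": "Generic Read", "GE": "Generic Execute", "GW": "Generic Write",
    "GA": "Generic All", "SD": "Delete an object",
    "DT": "Delete an object and all of its child objects",
    "RC": "Read security information", "WD": "Change security information",
    "WO": "Change owner information", "LC": "List the child objects of the object",
    "CC": "Create a child object", "DC": "Delete a child object",
    "WS": "Write to a self object", "RP": "Read a property",
    "WP": "Write to a property", "CA": "Control access",
    "LO": "List the object access",
}
# Assumption (reviewer policy, not dsacls behaviour): grants that deserve a second look.
BROAD = {"GA", "GW", "WD", "WO"}              # full control, ACL or owner changes
NEEDS_SCOPE = {"CC", "DC", "WS", "WP", "CA"}  # default to all object types/properties

def parse_statement(stmt):
    """Parse {User|Group}:Permissions[;{ObjectType|Property}][;InheritedObjectType]."""
    trustee, sep, rest = stmt.partition(":")
    fields = rest.split(";")
    if not sep or not trustee or len(fields) > 3:
        raise ValueError(f"malformed statement: {stmt!r}")
    perms, target, inherited = (fields + ["", ""])[:3]
    perms = perms.upper()  # assumption: codes are treated case-insensitively
    codes = [perms[i:i + 2] for i in range(0, len(perms), 2)]
    unknown = [c for c in codes if c not in PERMISSIONS]
    if not codes or unknown:
        raise ValueError(f"unknown permission code(s) {unknown} in {stmt!r}")
    return {"trustee": trustee, "codes": codes,
            "target": target.strip(), "inherited": inherited.strip()}

def review(stmt):
    """Return human-readable findings for one statement intended for /G."""
    p = parse_statement(stmt)
    findings = []
    for code in p["codes"]:
        if code in BROAD:
            findings.append(f"{code} ({PERMISSIONS[code]}) is a broad right")
        elif code in NEEDS_SCOPE and not p["target"]:
            findings.append(f"{code} ({PERMISSIONS[code]}) has no ObjectType/Property limit")
    return findings

if __name__ == "__main__":
    # Constructed sample statements; the first two appear on this page.
    for s in (r"Domain\JDoe:GRGE;computer", r"Domain\User:CC", r"Domain\Ops:GAWP"):
        print(s, "->", review(s) or "no findings")
```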
I am often to blogging and I really appreciate your content. The article has really piqued my interest. I am going to bookmark your site and keep checking for new information.
I like this best suited post