dsacls

DSACLS

View or edit the ACL (the list of access control entries, ACEs) of an object in Active Directory.

Syntax
      DSACLS "[\\Computer\]ObjectDN" [/A] [/D PermissionStatement [PermissionStatement]...]
         [/G PermissionStatement [PermissionStatement]...] [/I:{T | S | P}] [/N] [/P:{Y | N}]
            [/R {User | Group} [{User | Group}]...] [/S [/T]]

PermissionStatements:
      {User | Group}:Permissions[;{ObjectType | Property}][;InheritedObjectType]

Key
   ObjectDN   Distinguished name of the object.
              If omitted, the DN is read from standard input (stdin).

   /A         Add ownership and auditing information to the results.

   /D         Deny permissions to a user or group.

   /G         Grant permissions to a user or group.

   /I:        Inheritance:
                T  The object and its child objects (default)
                S  The child objects only
                P  The object and child objects down one level only

   /N         Replace the current ACEs in the ACL.
              By default, dsacls adds the ACE to the ACL.

   /P:        Inherit permissions from parent objects (Y/N).

   /R         Revoke/Delete all ACEs for the users or groups.

   /S         Restore the default security.
              Default security for each object class is defined in the Active Directory schema.

   /S /T      Restore the default security on the tree of objects.

Permissions
   GR  Generic Read
   GE  Generic Execute
   GW  Generic Write
   GA  Generic All
   SD  Delete an object
   DT  Delete an object and all of its child objects
   RC  Read security information
   WD  Change security information
   WO  Change owner information
   LC  List the child objects of the object
   CC  Create a child object•
   DC  Delete a child object•
   WS  Write to a self object. For example, to let a user add or remove themselves as a
       member of a group, grant WS on the group object with {ObjectType | Property} = "member".
   RP  Read a property•
   WP  Write to a property•
   CA  Control access (normally a specific extended right for control access).
       If you do not specify {ObjectType | Property}, this permission applies to all
       meaningful control accesses on the object.
   LO  List the object access. AD DS does not enforce this permission by default.
       Grant list access to a specific object when List Children (LC) is not granted on the parent;
       deny list access to a specific object when the user or group has LC permission on the parent.

ObjectType | Property
   Limit the permission to the specified object type or property.
   Enter the display name of the object type or the property. Default=all object types and properties.
   For example:
      Grant the user rights to create all types of child objects:    /G Domain\User:CC
      Grant the user rights to create only child computer objects:   /G Domain\User:CC;computer

InheritedObjectType
   Limit inheritance of the permission to the specified object type.
   For example, allow only User objects to inherit the permission:   /G Domain\User:CC;;user

Object Types
   User, Contact, Group, Shared Folder, Printer, Computer, Domain Controllers, OU

• If you do not specify {ObjectType | Property} to define a specific child object type, this permission applies to all types of child objects; otherwise, it applies only to the child object type that you specify.

You can Grant, Deny or Delete ACEs for multiple users and groups with a single parameter (/G /D /R), list the users/groups separated with spaces.

The DS* commands are installed with the Active Directory Domain Services server role (i.e. on Domain Controllers) and with the AD DS tools of the Remote Server Administration Tools (RSAT) on member servers and workstations; on Windows XP Professional they shipped in the Windows Support Tools.

Examples

Grant Generic Read (GR) and Generic Execute (GE) on the Laptops OU to both JDoe and AdminGroup. Each principal needs its own PermissionStatement; a second ";"-separated token after the permissions (as in JDoe:GRGE;AdminGroup) would be parsed as an ObjectType, not as another principal:

C:\> dsAcls "OU=Laptops,OU=AcmeCo,DC=ss64,DC=Com" /G Domain\JDoe:GRGE Domain\AdminGroup:GRGE

Review the ACL, including ownership, before and after a change. Any Allow ACE that gives a non-administrative principal GA, GW, WD, WO, or an unqualified WP or CA (no ObjectType/Property) is a privilege-escalation path and should be deliberate:

C:\> dsAcls "OU=Laptops,OU=AcmeCo,DC=ss64,DC=Com" /A

Note that /N replaces the existing ACEs rather than adding to them, and /S resets the object to the schema defaults, discarding any delegated permissions.
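The following PowerShell script is an added example and is not part of the original page. It applies a typical least-privilege delegation with dsacls (a control-access right plus a single property, inherited by user objects only), checks that dsacls reported success, verifies the resulting ACEs through the ActiveDirectory module's AD: drive, and then scans the same OU for the high-risk rights described above. The OU, the SS64\HelpDesk group and the administrative principal names are assumptions; substitute your own.

```powershell
# Added example, not from the original page. Requires a domain-joined host with the
# AD DS tools (RSAT) installed and an account permitted to modify the OU's ACL.
# All names below are assumed for illustration.
Import-Module ActiveDirectory

$ou       = "OU=Staff,OU=AcmeCo,DC=ss64,DC=Com"   # assumed OU holding user objects
$helpdesk = "SS64\HelpDesk"                        # assumed delegation target

# 1. Delegate with dsacls.
#    /I:S              apply to child objects only, not to the OU itself
#    CA;Reset Password the "Reset Password" extended right (control access)
#    RPWP;pwdLastSet   read + write one attribute (needed to force a password change)
#    ;user             the ACE is inherited only by user objects
$out = dsacls $ou /I:S /G "${helpdesk}:CA;Reset Password;user" `
                         "${helpdesk}:RPWP;pwdLastSet;user"
# dsacls prints "The command completed successfully" on success.
if (($out -match 'completed successfully').Count -eq 0) {
    throw "dsacls did not report success:`n$($out -join "`n")"
}

# 2. Verify: list the ACEs now held by the delegated group on the OU.
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference.Value -eq $helpdesk } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                  ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize

# 3. Audit: flag Allow ACEs on an object that amount to control of it.
function Find-RiskyAce {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    # Principals expected to hold full control; assumed domain name.
    $expected = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM',
                'SS64\Domain Admins', 'SS64\Enterprise Admins'

    # WriteDacl / WriteOwner let the holder grant themselves anything; GenericAll
    # contains both bits, so this mask catches GA as well as WD/WO.
    $takeover = [System.DirectoryServices.ActiveDirectoryRights]'WriteDacl, WriteOwner'

    (Get-Acl -Path "AD:\$DistinguishedName").Access | Where-Object {
        $r = $_.ActiveDirectoryRights
        $_.AccessControlType -eq 'Allow' -and
        $expected -notcontains $_.IdentityReference.Value -and
        (
            (($r -band $takeover) -ne 0) -or
            # WriteProperty or ExtendedRight with an empty ObjectType GUID applies to
            # every property / every control-access right, i.e. an unqualified WP or CA.
            (($r -band [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, ExtendedRight') -ne 0 -and
             $_.ObjectType -eq [guid]::Empty)
        )
    } | Select-Object @{n='Object';e={$DistinguishedName}},
                      IdentityReference, ActiveDirectoryRights, IsInherited, InheritanceType
}

# The delegation above is property- and right-scoped, so it should not appear here;
# anything that does is worth a second look.
Find-RiskyAce -DistinguishedName $ou | Format-Table -AutoSize
```

The verification step shows ObjectType and InheritedObjectType as schema GUIDs rather than the display names dsacls accepts; for a human-readable listing run `dsacls $ou /A`, and use the PowerShell output when you need to compare ACLs programmatically (for example, diffing an OU's ACEs against a known-good baseline).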

“If future generations are to remember us with gratitude rather than contempt, we must leave them more than the miracles of technology. We must leave them a glimpse of the world as it was in the beginning, not just after we got through with it” - President Lyndon B. Johnson

Related:

DSAdd - Add object

DSMod - Modify object

DSGet - Display object

DSMove - Move object

DSQuery - Search for objects

DSdbUtil - Maintenance of AD, Authoritative Restore, manage snapshots.

DSAMain - Expose Active Directory data that is stored in a snapshot or backup

DSMgmt - Configure Directory Services