
Dsacls – Display and Change Permissions in the ACL

`DSACLS.exe` is a command-line tool that lets administrators view and change the permissions and security attributes of Active Directory objects. It is the command-line equivalent of the Security tab in an object's properties dialog box in tools such as Active Directory Users and Computers (ADUC).

To view an Access Control List (ACL) with dsacls, the user needs read permission on the Active Directory object. To change an ACL, the user needs write permission on the Active Directory object.

In this article, we discuss dsacls and how to change access rights with it from the command line.

DSACLS Syntax

Dsacls uses the following syntax:

dsacls "[\\<Computer>\]<ObjectDN>" [/A] [/D <PermissionStatement> [<PermissionStatement>]...] [/G <PermissionStatement> [<PermissionStatement>]...] [/I:{T | S | P}] [/N] [/P:{Y | N}] [/R {<User> | <Group>} [{<User> | <Group>}]...] [/S [/T]] [/?]

Parameters:

ObjectDN – Distinguished name of the object, optionally prefixed with \\<Computer>\ to target a specific domain controller.

/A – Adds ownership and auditing information to the results.

/D – Denies the permissions that you specify to the user or group.

/G – Grants the permissions that you specify to the user or group.

/I – Inheritance scope of the ACE:

T – Object and its child objects (default)

S – Child objects only

P – The object and child objects down to one level only

/N – Replaces the current ACEs in the ACL with the specified ACE instead of adding to them.

/P – Controls (Y or N) whether the object inherits permissions from its parent objects.

/R – Revokes (deletes) all ACEs for the specified users or groups.

/S – Restores the security on the object to the default for that object class.

/T – Restores the security on the tree of objects to the default for each object class.

Permissions

  • GR: Generic Read
  • GE: Generic Execute
  • GW: Generic Write
  • GA: Generic All
  • SD: Delete an object.
  • DT: Delete an object and all of its child objects.
  • RC: Read security information.
  • WD: Change security information.
  • WO: Change owner information.
  • LC: List the child objects of the object.
  • CC: Create a child object.

What are the Advantages of the Dsacls Command-line Tool?

The benefit of using the command line is that you can write scripts to automate administrative tasks. Administrators no longer need to modify permissions one object at a time; with dsacls, these changes can be scripted and applied consistently across many objects.

Grant User Access Rights with Access Control Lists (ACL)

An Access Control List (ACL) is attached to an object and lists the users and groups that have access to it. The ACL specifies which access rights each user has to a particular resource, such as a file or a printer.

Each object on a Windows computer has a security attribute that contains its access control list. The most common types of access to an object are the ability to read, write, and execute.

An ACL is made up of one or more access control entries (ACEs). Each ACE in an ACL identifies a user or group and specifies the access rights for that user or group.

It is common practice for the system administrator or the object owner to create and maintain the ACL for an object. The order of ACEs in an ACL is important: access-denied ACEs appear earlier in the order than ACEs that grant access, so a deny is evaluated before a matching allow.

Discretionary Access Control List (DACL)

A Discretionary Access Control List (DACL) is another type of ACL. In this context, the DACL is attached to an Active Directory object rather than to an NTFS file system object.

A DACL contains the list of users and groups that have access rights to an Active Directory object. Just like an ACL, a DACL is made up of ACEs, each of which names a user, group, or computer account and the permissions it has on the Active Directory object.

Something you need to remember is that an empty DACL means that no one but the object's owner has access to the object. If an object has no DACL at all, some versions of Windows interpret this as meaning there are no security restrictions on that object.

This behaviour was a big security risk, because it assumed everyone should have full control over the object; it has been fixed in later versions of Windows. It is rare to see an Active Directory object without a DACL, and if you come across one it should be reviewed.
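To make the empty-DACL versus missing-DACL distinction and the deny-before-allow ordering concrete, here is an added PowerShell example (not from the original article) that builds security descriptors from constructed SDDL strings with the .NET RawSecurityDescriptor class and reports what each DACL actually contains. The SDDL strings and the `Describe-Dacl` helper name are assumptions for illustration.

```powershell
# Added example (not from the original article): show how a null DACL, an empty DACL
# and a populated DACL differ, using constructed SDDL strings rather than a live object.
function Describe-Dacl {
    param([string]$Label, [string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    $present = ($sd.ControlFlags -band
                [System.Security.AccessControl.ControlFlags]::DiscretionaryAclPresent) -ne 0
    if (-not $present -or $null -eq $sd.DiscretionaryAcl) {
        # No DACL at all: older Windows versions treated this as "everyone has full control".
        "$Label : no DACL present - review this object, it is effectively unprotected"
    } elseif ($sd.DiscretionaryAcl.Count -eq 0) {
        # A DACL with zero ACEs: only the owner retains access.
        "$Label : empty DACL - only the owner ($($sd.Owner)) can access the object"
    } else {
        "$Label : $($sd.DiscretionaryAcl.Count) ACE(s), evaluated in this order:"
        foreach ($ace in $sd.DiscretionaryAcl) {
            # AceType shows whether the entry denies or allows; deny entries come first.
            "    {0,-18} {1,-12} mask=0x{2:X8}" -f $ace.AceType, $ace.SecurityIdentifier, $ace.AccessMask
        }
    }
}

# Constructed descriptors: owner and group are BUILTIN\Administrators (BA) in each case.
Describe-Dacl "null DACL " "O:BAG:BA"                                   # no D: section
Describe-Dacl "empty DACL" "O:BAG:BAD:"                                 # D: with no ACEs
Describe-Dacl "deny first" "O:BAG:BAD:(D;;GA;;;WD)(A;;GR;;;AU)"         # deny Everyone, allow read
```

The last descriptor denies Generic All to Everyone (WD) before allowing Generic Read to Authenticated Users (AU), so the deny wins when both apply, which is why the order of ACEs matters.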

DSACLS Examples

Now let’s look at a couple of examples of using dsacls to grant access rights to a user.

Grant Generic Read (GR) right for all objects in the OU

dsacls "OU=Sale,DC=adt,DC=dom" /G [email protected]:GR /I:T

In the above example, we are granting the user [email protected] the Generic Read right for all objects in the Sale OU.

Deny reading properties of the OU object

dsacls "OU=Sale,DC=adt,DC=dom" /D [email protected]:RP;PLink

In this example, we are preventing the user [email protected] from reading the properties of the OU object.
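Building on the grant example above, here is an added PowerShell script (not from the original article) that applies the same Generic Read grant to several OUs with dsacls and reads each ACL back for review. The domain, OU names and the account `helpdesk-ro@adt.dom` are constructed placeholders.

```powershell
# Added example (not from the original article): apply one Generic Read grant to
# several OUs with dsacls and verify the result. All names below are constructed.
$domainDn  = "DC=adt,DC=dom"
$principal = "helpdesk-ro@adt.dom"   # account or group that should get read access
$rights    = "GR"                    # Generic Read, from the Permissions list above
$ous       = @("OU=Sale", "OU=Marketing", "OU=Finance")

foreach ($ou in $ous) {
    $dn = "$ou,$domainDn"
    Write-Host "Granting $rights on $dn to $principal (object and all child objects)"
    # /G grants the right; /I:T applies it to the object and its children.
    # The DN is quoted so its commas are passed to dsacls as a single argument.
    & dsacls.exe $dn /G "${principal}:${rights}" /I:T
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "dsacls failed on $dn (exit code $LASTEXITCODE); skipping"
        continue
    }
    # Read the ACL back; /A adds owner and auditing information to the output.
    # Only lines mentioning the principal are shown so the new ACE is easy to review.
    & dsacls.exe $dn /A | Select-String -Pattern $principal
}
```

Run this from an account that has write permission on the target OUs; the final `dsacls /A` call is the check that the grant landed where you expected.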


Conclusion

I hope the above article on dsacls is helpful to you.
