Active Directory DSACLS.exe in Windows Server 2008 R2 - CoryRetherford.com

Turn on more accessible mode

Turn off more accessible mode

Skip Ribbon Commands

Skip to main content

Turn off Animations

Turn on Animations

Follow

Focus on Content

2010
12/16
Active Directory DSACLS.exe in Windows Server 2008 R2
by Retherford, Cory Patrick at 2:32 PM in Microsoft Active Directory, PowerShell, Scripting, etc.
The dsacls command-line tool displays and allows the ability to changes permissions (Access Control Lists; ACL) of objects in Active Directory.

In order to run this tool (and others) you will need to install the Windows Server Support Tools that can be downloaded here. These tools are no longer included on the Windows Server install disc for Windows Server 2008.

Example:

In this example I am querying the ACL's of an Active Directory object.
After installing the dsacls.exe using the Windows Server Support tools, you can run the following:

C:\Users\adinn>dsacls "CN=account,OU=Accounts,DC=Domain,DC=com">Object_output.txt

Change the italicized fields with the appropriate distinguished names and the name of the output file you wish to save.

Running this simple command will result in all the security ACL's for that object being displayed in the text file such as the following example.

Allow NT AUTHORITY\SELF
SPECIAL ACCESS
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow NT AUTHORITY\SYSTEM
FULL CONTROL
Allow BUILTIN\Pre-Windows 2000 Compatible Access
SPECIAL ACCESS <Inherited from parent>
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Comment
Email a link
0 comments

There are no comments for this post.

‭(Hidden)‬ Blog Tools