DSACLs - CMD


Overview

The DSACLs command (dsacls.exe) in Windows CMD displays and modifies the access control lists (ACLs) of Active Directory objects. It ships with the Active Directory Domain Services tools (present on domain controllers and installable through RSAT) and works on any object addressed by its distinguished name: users, groups, computers, OUs, containers and the domain naming context itself. With no options it prints the object's discretionary ACL (DACL); with /A it also shows the owner and the system ACL (SACL, the audit settings). The modifying options grant, deny and remove access control entries (ACEs), control whether they inherit to child objects, and restore an object's default security. Because everything is expressed on the command line, it suits scripted delegation, bulk permission changes and ACL audits.

Syntax

The basic syntax for DSACLs is:

DSACLS Object [/A] [/D User:Permissions [...]] [/G User:Permissions [...]] [/I:{T|S|P}] [/N] [/P:{Y|N}] [/R User [...]] [/S [/T]]
  • Object: Distinguished Name of the Active Directory object, for example "cn=John Doe,ou=Users,dc=example,dc=com". Quote it, since DNs normally contain spaces and commas. To address the object on a specific domain controller, prefix it as \\server\DN.
  • User: A security principal written as domain\name or name@domain; groups are written the same way.
  • Permissions: One or more two-letter permission codes run together (for example RPWP), optionally followed by ;ObjectType (the attribute, property set, control access right or child object class the permission applies to) and ;InheritedObjectType (the object class the entry is inherited onto), for example GR, RPWP;pwdLastSet;user or CA;Reset Password;user.

Options/Flags

  • /A: Also displays ownership and auditing (SACL) information, not just the DACL.
  • /G User:Permissions: Grants the listed permissions to the principal by adding an Allow entry. Several User:Permissions pairs may follow one /G.
  • /D User:Permissions: Denies the listed permissions by adding a Deny entry. Deny entries are evaluated before Allow entries, so use them sparingly and document them.
  • /R User: Removes every entry for the principal from the object, Allow and Deny alike.
  • /I:{T|S|P}: Inheritance of the entries being added:
    • T: This object and all sub-objects.
    • S: Sub-objects only; the object named on the command line is left unchanged.
    • P: Propagate inheritable permissions one level down only.
  • /N: Replaces the object's current access list with the entries given on the command line instead of adding to it. This discards every existing entry, including the ones that keep administrators and the system in control, so dump the current ACL before using it.
  • /P:{Y|N}: Y marks the object as protected so that it stops inheriting permissions from its parent; N re-enables inheritance. When omitted, the inheritance setting is not changed.
  • /S: Restores the object's security to the default defined for its object class in the schema, discarding custom entries.
    • /T: Used together with /S, also restores the defaults on the whole tree of objects below the target.

Permission codes (combine them without separators, for example RPWP):

  • GR Generic Read, GE Generic Execute, GW Generic Write, GA Generic All (full control).
  • SD Delete, DT Delete the object and its subtree, LC List children, LO List object, CC Create child object, DC Delete child object.
  • RP Read property, WP Write property, WS Write to self (validated write), CA Control access right (for example Reset Password).
  • RC Read security information, WD Write DACL, WO Write owner.

From a security standpoint GA, WD and WO matter most: a principal holding any of them on an object can grant itself everything else on that object, so they are the entries to look for when reviewing dsacls output.
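A complete delegation run, added here as a worked example rather than taken from the original page or from Microsoft's documentation: it grants a helpdesk group the right to reset passwords and unlock accounts for user objects under one OU, then dumps the resulting DACL for verification. The OU, the group name and the domain are assumptions.

```batch
@echo off
REM Added example, not part of the original page. Delegates password reset
REM and account unlock on every user object below one OU to a helpdesk group.
REM Assumed names: OU=Staff,DC=example,DC=com and the group EXAMPLE\Helpdesk.
setlocal
set "OU=OU=Staff,DC=example,DC=com"
set "GRP=EXAMPLE\Helpdesk"
set "DUMP=%TEMP%\staff-ou-dacl.txt"

REM /I:S puts the new entries on sub-objects only, so the OU itself is untouched.
REM The trailing ";user" limits inheritance to objects of class user, so the
REM same right is not silently inherited by computers or nested OUs.
REM CA = control access right; "Reset Password" is the right's display name
REM and the whole argument stays quoted because of the space.
dsacls "%OU%" /I:S /G "%GRP%:CA;Reset Password;user"
if errorlevel 1 goto :fail

REM Unlocking is a write of the lockoutTime attribute, so grant read and
REM write on that single property (RPWP) instead of GW on the whole object.
dsacls "%OU%" /I:S /G "%GRP%:RPWP;lockoutTime;user"
if errorlevel 1 goto :fail

REM Verify: dump the DACL of the OU and print the lines that name the group,
REM with line numbers so the surrounding detail can be read in the dump file.
dsacls "%OU%" > "%DUMP%"
findstr /I /N /C:"%GRP%" "%DUMP%"
echo Full DACL written to %DUMP%
endlocal
exit /b 0

:fail
echo dsacls failed with errorlevel %errorlevel% 1>&2
endlocal
exit /b 1
```

Run it from a prompt opened as an account that holds WD on the OU (Domain Admins by default). The findstr line shows only the entries that name the group; the permission detail of an entry may continue on the indented lines that follow it, which is why the whole dump is kept. dsacls reads from and writes to whichever domain controller it binds to, so another DC shows the new entries only after replication.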

Examples

  1. Viewing the ACL of an AD object:

    DSACLS "cn=John Doe,ou=Users,dc=example,dc=com"
    

    Displays the access control entries on the user object John Doe: for each entry, whether it is Allow or Deny, the principal, the permission (or SPECIAL ACCESS followed by the detailed rights), and whether it was inherited from a parent. Add /A to see the owner and the audit (SACL) entries as well.

  2. Granting read access to a user:

    DSACLS "cn=John Doe,ou=Users,dc=example,dc=com" /G "domain\user:GR"
    

    Grants Generic Read (GR) on John Doe's object to domain\user. The permission must be one of the two-letter codes; to limit it to a single attribute, use RP with the attribute name, for example "domain\user:RP;telephoneNumber".

  3. Revoking all permissions for a user:

    DSACLS "cn=John Doe,ou=Users,dc=example,dc=com" /R "domain\user"
    

    Removes every explicit Allow and Deny entry for domain\user from this object. Entries the object inherits from its parent are not affected: remove those on the parent, or block inheritance on this object with /P:Y.

  4. Restoring the default permissions:

    DSACLS "cn=John Doe,ou=Users,dc=example,dc=com" /S
    

    Replaces the object's security with the default security descriptor defined for the user class in the schema, discarding custom entries. Add /T to do the same for every object in the subtree below the target, which is the usual form when the target is an OU.

Common Issues

  • Permission denied: Reading a DACL needs only read access to security information (RC), which Authenticated Users hold on most objects by default; changing it needs WD (Write DACL) on the object, or ownership. Run the command as a member of Domain Admins or as an account that has been delegated WD on that object.
  • Syntax errors: Quote the DN (it contains spaces and commas), write the principal as domain\name or name@domain, and use the two-letter permission codes (GR, RPWP, CA;Reset Password;user). A single letter such as R is rejected.
  • Changes that revert on administrative accounts: Accounts and groups protected by AdminSDHolder (members of Domain Admins, Administrators, Account Operators and the other protected groups) have their ACL overwritten from CN=AdminSDHolder,CN=System by the SDProp process, every 60 minutes by default. Edit the ACL of AdminSDHolder itself if the change is meant to apply to all of them.
  • Propagation delays: dsacls writes to a single domain controller, and other DCs show the change only after replication. Inheritable entries added with /I:T or /I:S on a large subtree are also written to every affected child object, which can take a while on big OUs.

Integration

Combine DSACLs with other commands for more comprehensive scripts:

FOR /F "tokens=*" %G IN ('dsquery user -name "John*"') DO DSACLS %G /G "domain\user:GR"

This grants Generic Read to domain\user on every user object whose name starts with John. dsquery prints each DN already quoted, so %G can be passed straight to DSACLS. In a batch file write %%G instead of %G. dsquery returns at most 100 objects unless -limit 0 is given, so check the object count before running a loop like this over a large domain.
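A longer integration, added as an example that is not part of the original page, extends the FOR loop pattern above from bulk changes to detection: it snapshots the ACLs of a few high-value objects, including owner and audit settings via /A, and diffs each snapshot against a saved baseline with FC so that an unexpected entry shows up as drift. The domain name and the baseline directory are assumptions, and the object list can be extended.

```batch
@echo off
REM Added example, not from the original page: detect ACL drift on
REM high-value AD objects by diffing a fresh dsacls dump against a baseline.
REM Assumed: domain example.com and baseline directory C:\ACLBaseline.
setlocal
set "DOMAIN=DC=example,DC=com"
set "BASE=C:\ACLBaseline"
set "CUR=%TEMP%\aclcheck"
set "RC=0"
if not exist "%BASE%" mkdir "%BASE%"
if not exist "%CUR%" mkdir "%CUR%"

REM Each item is "label,DN"; the label becomes the dump file name. The DN
REM itself contains commas, which tokens=1,* below keeps intact in %%B.
for %%O in (
  "domainroot,%DOMAIN%"
  "adminsdholder,CN=AdminSDHolder,CN=System,%DOMAIN%"
  "domainadmins,CN=Domain Admins,CN=Users,%DOMAIN%"
) do (
  for /f "tokens=1,* delims=," %%A in (%%O) do (
    REM /A adds owner and auditing, i.e. SACL, information to the DACL listing.
    dsacls "%%B" /A > "%CUR%\%%A.txt"
    if not exist "%BASE%\%%A.txt" (
      echo [new] no baseline for %%A, saving the current ACL as the baseline
      copy /y "%CUR%\%%A.txt" "%BASE%\%%A.txt" >nul
    ) else (
      REM fc /l compares as text, /w ignores differences in whitespace.
      fc /l /w "%BASE%\%%A.txt" "%CUR%\%%A.txt" >nul
      if errorlevel 1 (
        echo [DRIFT] ACL of %%A differs from the baseline:
        fc /l /w "%BASE%\%%A.txt" "%CUR%\%%A.txt"
        set "RC=1"
      ) else (
        echo [ok] %%A matches the baseline
      )
    )
  )
)
endlocal & exit /b %RC%
```

Review the first snapshots by hand before trusting them as baselines, and treat drift on AdminSDHolder seriously: SDProp copies its ACL onto every protected account and group, so one extra entry there quietly becomes an entry on every domain admin. Because dsacls reads from whichever domain controller it binds to, a snapshot taken right after a legitimate change on another DC can differ until replication finishes; rerun before raising an alarm.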

  • icacls: Modify, display, or backup ACLs for file system objects.
  • cacls: Similar to icacls but older and less capable.
  • dsquery: Finds objects in the directory according to criteria.

For further reading and more detailed information, consult the Microsoft official documentation.