Dec 16
Active Directory DSACLS.exe in Windows Server 2008 R2

The dsacls command-line tool displays and changes the permissions (Access Control Lists; ACLs) of objects in Active Directory.

In order to run this tool (and others) you will need to install the Windows Server Support Tools that can be downloaded here. These tools are no longer included on the Windows Server install disc for Windows Server 2008.

Example:

In this example I am querying the ACLs of an Active Directory object.
After installing dsacls.exe from the Windows Server Support Tools, you can run the following:

C:\Users\adinn>dsacls "CN=account,OU=Accounts,DC=Domain,DC=com">Object_output.txt

  • Replace the distinguished name and the output file name with the appropriate values for your environment.

Running this simple command writes all the security ACLs for that object to the text file, as in the following example.

Allow NT AUTHORITY\SELF
SPECIAL ACCESS
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow NT AUTHORITY\SYSTEM
FULL CONTROL
Allow BUILTIN\Pre-Windows 2000 Compatible Access
SPECIAL ACCESS <Inherited from parent>
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
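
To review a saved dump like the one above, the following added example (not part of the original post) parses it into one record per ACE and lists trustees that hold FULL CONTROL through an explicit, non-inherited entry. It assumes the layout shown on this page, with one Allow line per entry followed by its permission lines, and assumes Deny entries use the same layout; the function names are hypothetical.

```python
# Added example: parse a dsacls dump (layout as shown on this page) into ACEs.
# Assumption: each entry starts with an "Allow"/"Deny" line naming the trustee,
# followed by one permission per line.

# Sample input: the output shown above, embedded so the script runs offline.
SAMPLE = r"""Allow NT AUTHORITY\SELF
SPECIAL ACCESS
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow NT AUTHORITY\SYSTEM
FULL CONTROL
Allow BUILTIN\Pre-Windows 2000 Compatible Access
SPECIAL ACCESS <Inherited from parent>
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
"""

INHERITED = "<Inherited from parent>"

def parse_dsacls(text):
    """Return a list of dicts with keys: type, trustee, inherited, rights."""
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind, _, rest = line.partition(" ")
        if kind in ("Allow", "Deny") and rest:
            # A new entry begins; everything after the keyword is the trustee.
            aces.append({"type": kind, "trustee": rest.strip(),
                         "inherited": False, "rights": []})
        elif aces:  # lines before the first entry (headers) are skipped
            if INHERITED in line:
                aces[-1]["inherited"] = True
                line = line.replace(INHERITED, "").strip()
            if line:
                aces[-1]["rights"].append(line)
    return aces

def explicit_full_control(aces):
    """Trustees granted FULL CONTROL by an ACE set directly on the object."""
    return [a["trustee"] for a in aces
            if a["type"] == "Allow" and not a["inherited"]
            and "FULL CONTROL" in a["rights"]]

if __name__ == "__main__":
    print("Explicit FULL CONTROL:", explicit_full_control(parse_dsacls(SAMPLE)))
```

To use it on a real dump, pass the contents of the output file (Object_output.txt in the command above) to `parse_dsacls` instead of `SAMPLE`.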
