dsacls How to remove the check box for rejection?

二 吴 5 Reputation points
2023-06-19T17:48:35.2633333+00:00

My domain controller is Windows Server 2012.

Now I want to add a Deny permission for the Everyone account on the domain controller.

I use the following command to add permissions

DSACLS "DC=XX,DC=XX" /D "Everyone:CA;Replicating Directory Changes"

But when I use the following command to remove the restriction on this permission

DSACLS "DC=XX,DC=XX" /G "Everyone:CA;Replicating Directory Changes"

I found it impossible to cancel. How should I cancel the permissions set by dsacls?


2 answers

  1. B santhiswaroop naik 405 Reputation points
    2023-06-19T17:51:42.2866667+00:00

    To remove the deny permission that you have set using DSACLS, you need to use the /E parameter instead of the /G parameter. Here's the correct command to remove the restriction:

    DSACLS "DC=XX,DC=XX" /E /D "Everyone:CA;Replicating Directory Changes"

    The /E parameter is used to edit the ACL without replacing it entirely, and the /D parameter is used to remove the specified permissions. By specifying "Everyone:CA;Replicating Directory Changes" with the /D parameter, you are removing the deny permission for the "Everyone" account to perform "Replicating Directory Changes" on the specified domain.


  2. B santhiswaroop naik 405 Reputation points
    2023-06-21T18:47:04.93+00:00

    The DSACLS command you mentioned is not available on Windows Server 2012. The command you are trying to use is typically used on Windows Server 2003 or earlier versions.

    On Windows Server 2012 and newer versions, you can use the ICACLS command to modify permissions on files, folders, or Active Directory objects. Here's an example of how you can use ICACLS to modify permissions:

    To grant "Replicating Directory Changes" permission to the "Everyone" group in Active Directory, you can run the following command:

    ICACLS "DC=TEST,DC=local" /grant "Everyone:(CI)(RP)"

    This command grants the "Replicating Directory Changes" permission (RP) to the "Everyone" group on the specified Active Directory object.

    Make sure to run the command with administrative privileges (elevated command prompt) to modify the permissions successfully.

    Please note that modifying permissions on Active Directory objects should be done carefully and only by authorized personnel, as it can have significant security implications.

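Added example, not part of the question or either answer: a PowerShell script that lists and then removes the Deny ACE which `dsacls /D` put on the domain root for Everyone, and verifies afterwards that it is gone. In dsacls, `/D` adds a Deny ACE and `/G` adds an Allow ACE, so neither of the commands in the thread removes anything; `dsacls <DN> /R Everyone` would remove every ACE for that trustee, while the script below removes only the one matching the control access right. It assumes the ActiveDirectory module (which provides the `AD:` drive) is installed, that `DC=XX,DC=XX` is replaced with the real domain DN, and it uses the well-known rightsGuid of the "Replicating Directory Changes" control access right (DS-Replication-Get-Changes). Run it in an elevated PowerShell session as a user allowed to change the domain head's security descriptor.

```powershell
# Added example (not from the question or answers): find and remove the Deny
# ACE for Everyone on the domain root that denies the "Replicating Directory
# Changes" control access right, then verify the removal.
Import-Module ActiveDirectory

$dn   = "DC=XX,DC=XX"        # placeholder from the question; substitute the real DN
$path = "AD:\$dn"            # AD: PSDrive provided by the ActiveDirectory module

# Well-known rightsGuid of DS-Replication-Get-Changes ("Replicating Directory Changes").
$replGetChanges = [Guid]"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
# Well-known SID of the Everyone group.
$everyoneSid = [System.Security.Principal.SecurityIdentifier]"S-1-1-0"

function Get-DenyReplAce {
    param([System.DirectoryServices.ActiveDirectorySecurity]$Acl)
    # Select Deny ACEs whose trustee is Everyone and whose extended right is
    # the replication control access right.
    $Acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $everyoneSid -and
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
        $_.ObjectType -eq $replGetChanges
    }
}

$acl = Get-Acl -Path $path
$denyAces = @(Get-DenyReplAce -Acl $acl)

if ($denyAces.Count -eq 0) {
    Write-Host "No Deny ACE for Everyone / Replicating Directory Changes found on $dn"
    return
}

Write-Host "Removing $($denyAces.Count) Deny ACE(s) from $dn:"
$denyAces | Format-Table IdentityReference, AccessControlType, ActiveDirectoryRights, ObjectType -AutoSize

# RemoveAccessRuleSpecific removes exactly the matching ACE and leaves any
# Allow ACEs for Everyone untouched (unlike "dsacls /R Everyone").
foreach ($ace in $denyAces) {
    [void]$acl.RemoveAccessRuleSpecific($ace)
}
Set-Acl -Path $path -AclObject $acl

# Verify: re-read the security descriptor and confirm the ACE is gone.
$remaining = @(Get-DenyReplAce -Acl (Get-Acl -Path $path))
if ($remaining.Count -eq 0) {
    Write-Host "Verified: Deny ACE removed."
} else {
    Write-Warning "Deny ACE still present; check that you have WRITE_DAC on $dn."
}
```

To preview without changing anything, run the script with `Set-Acl ... -WhatIf`, or stop after the `Format-Table` line. The same filter, with the ObjectType swapped for the rightsGuid of "Replicating Directory Changes All" (1131f6ad-9c07-11d1-f79f-00c04fc2dcd2), handles the companion right if it was denied as well.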
