How to Use DSACLS to Apply Permissions


DSACLS (dsacls.exe) is a command-line tool that you can use to query and change permissions and security attributes of Active Directory objects. It is the command-line equivalent of the Security tab in the Windows 2000 Active Directory snap-in tools such as Active Directory Users and Computers and Active Directory Sites and Services. DSACLS is included with the Windows 2003 Support Tools.

This topic serves as an example for using DSACLS. After you apply the example in this topic, the "ExAdminGroup" security group can manage e-mail addresses, display names, and move mailboxes for all users contained in the "UsersContainer" organizational unit hierarchy.

Before You Begin

DSACLS is case-sensitive. Be precise in the syntax that you pass to DSACLS, because all characters, including white spaces and carriage returns, are passed literally. If you receive errors from DSACLS, review the command or try breaking it into smaller segments.


To use DSACLS to apply permissions

  1. Log on to a system within the forest that has the Windows Support Tools installed. Use an account that can perform the actions (for example, Domain Admin).

  2. Open a command prompt, and type the following command:

    dsacls "OU=UsersContainer,DC=company,DC=com" /I:S /G "company\ExAdminGroup:RPWP;homeMDB;user" "company\ExAdminGroup:RPWP;homeMTA;user" "company\ExAdminGroup:RPWP;targetAddress;user" "company\ExAdminGroup:RPWP;msExchHomeServerName;user" "company\ExAdminGroup:WP;proxyAddresses;user" "company\ExAdminGroup:WP;msExchPoliciesExcluded;user" "company\ExAdminGroup:WP;mail;user" "company\ExAdminGroup:WP;textEncodedORAddress;user" "company\ExAdminGroup:WP;displayName;user"

  3. If successful, the command outputs the revised Windows NT security descriptor in the command prompt window and the message "The command completed successfully".
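
The following script is an added example, not part of the original topic. It applies the same nine grants from step 2 one entry at a time, which is the "smaller segments" approach from Before You Begin, checks each result for the success message, and then reads the ACL back so the delegation can be reviewed. It assumes PowerShell 3.0 or later with dsacls.exe on the PATH; the helper name New-DsaclsGrant is hypothetical.

```powershell
# Added example. OU, group and attribute names are copied from step 2.
$ou      = 'OU=UsersContainer,DC=company,DC=com'
$trustee = 'company\ExAdminGroup'

# Rights per attribute, exactly as granted in step 2
# (RP = read property, WP = write property). Names are case-sensitive.
$grants = [ordered]@{
    homeMDB                = 'RPWP'
    homeMTA                = 'RPWP'
    targetAddress          = 'RPWP'
    msExchHomeServerName   = 'RPWP'
    proxyAddresses         = 'WP'
    msExchPoliciesExcluded = 'WP'
    mail                   = 'WP'
    textEncodedORAddress   = 'WP'
    displayName            = 'WP'
}

# Hypothetical helper: builds one grant in the form used in step 2,
# trustee:rights;attribute;inherited object type
function New-DsaclsGrant {
    param([string]$Trustee, [string]$Rights, [string]$Attribute)
    '{0}:{1};{2};user' -f $Trustee, $Rights, $Attribute
}

$failed = @()
foreach ($attr in $grants.Keys) {
    $ace = New-DsaclsGrant -Trustee $trustee -Rights $grants[$attr] -Attribute $attr
    # Same switches as step 2 (/I:S and /G), but one grant per call
    $out = & dsacls.exe $ou /I:S /G $ace 2>&1 | Out-String
    if ($out -notmatch 'The command completed successfully') {
        $failed += $attr
        Write-Warning "Grant failed for ${attr}:`n$out"
    }
}

# Read the ACL back and show only the entries that name the delegated group,
# so the result can be compared against the table above.
& dsacls.exe $ou | Select-String -SimpleMatch $trustee

if ($failed.Count -gt 0) {
    throw "Grants not applied: $($failed -join ', ')"
}
```

Keeping the attribute-to-rights table in one place makes the delegation easy to review for least privilege before it is applied, and a failed grant is reported by attribute name instead of as one error for the whole command line.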