Acldiag Overview

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Tool Location

The AclDiag command-line tool is included when you install Windows Server 2003 Support Tools from the product CD or from the Microsoft Download Center ( For more information about how to install Windows Support Tools from the product CD, see Install Windows Support Tools (

Acldiag.exe: ACL Diagnostics

This command-line tool detects and reports discrepancies in the access control lists (ACLs) of objects in Active Directory. It can also reapply a security delegation template to an ACL, eliminating special permissions and restoring incomplete delegations.

With AclDiag, you can:

  • Display the access control entries (ACEs) in the ACL, and inheritance and audit settings.

  • Display the effective permissions of users and groups to an Active Directory object.

  • Compare the ACL for an object in Active Directory to the default permissions defined in the schema.

  • Compare the ACL of an Active Directory object to a delegation template.

  • Reapply the delegation template to the ACL of an Active Directory object.

Corresponding UI

There is no corresponding user interface for this tool.


For more information about Active Directory, see the Active Directory Overview.

System Requirements

The following are the system requirements for Acldiag:

  • Windows 2000, Windows XP Professional, or Windows Server 2003.

  • The user must have read permissions on Active Directory objects. To reapply a delegation template, the user must have modify permissions to the Active Directory object.

File Required

  • Acldiag.exe

See Also


Acldiag Remarks Acldiag Syntax Acldiag Examples Alphabetical List of Tools Search Overview Replmon Overview Repadmin Overview Movetree.exe Ldp Overview Dsastat Overview Clonepr Overview ADSI Edit (adsiedit.msc) Acldiag Overview