Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The Sdcheck command-line tool is included when you install Windows Server 2003 Support Tools from the product CD or from the Microsoft Download Center. For more information about how to install Windows Support Tools from the product CD, see Install Windows Support Tools.

Sdcheck.exe: Security Descriptor Check Utility

This command-line tool displays the security descriptor for any object stored in Active Directory. The security descriptor contains the access control lists (ACLs) defining the permissions that users have on objects stored in Active Directory.


  • You must run SDCheck from a command window.

  • To enable administrators to determine the effective access controls on an object, SDCheck also displays the object hierarchy and any ACLs that are inherited by the object from its parent.

  • As changes are made to the ACLs of an object or its parent, these changes are propagated automatically by Active Directory. SDCheck displays the security descriptor propagation metadata, so that administrators can monitor these changes with respect to propagation of inherited ACLs, as well as replication of ACLs from other domain controllers.

  • As a complement to the replication monitoring tools (Repadmin.exe and Replmon.exe), SDCheck can be used to ensure that domain controllers are up-to-date with one another.
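The distinction between ACLs set on an object and ACLs inherited from its parent, described in the list above, can be illustrated on the SDDL string form of a security descriptor. This is an added example, not Sdcheck's code or output; the function names and the sample descriptor (with placeholder GUIDs) are constructed for illustration.

```python
import re

ACE_RE = re.compile(r"\(([^()]*)\)")
FIELDS = ("type", "flags", "rights", "object_guid", "inherit_guid", "trustee")

def sddl_sections(sddl):
    """Split an SDDL string into its O:, G:, D: and S: components."""
    out, depth, key, start = {}, 0, None, 0
    for i, ch in enumerate(sddl):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == ":" and depth == 0 and i > 0 and sddl[i - 1] in "OGDS":
            if key:
                out[key] = sddl[start:i - 1]
            key, start = sddl[i - 1], i + 1
    if key:
        out[key] = sddl[start:]
    return out

def split_dacl(sddl):
    """Return (protected, explicit_aces, inherited_aces) for the DACL."""
    dacl = sddl_sections(sddl).get("D", "")
    acl_flags = dacl.split("(", 1)[0]
    explicit, inherited = [], []
    for body in ACE_RE.findall(dacl):
        # Pad to six fields so short or malformed ACEs do not raise.
        ace = dict(zip(FIELDS, (body.split(";") + [""] * 6)[:6]))
        # ACE flags are two-letter codes; "ID" marks an ACE inherited from a parent.
        ace["flags"] = re.findall("..", ace["flags"])
        (inherited if "ID" in ace["flags"] else explicit).append(ace)
    # "P" in the DACL flags means the object blocks inheritance from its parent.
    return "P" in acl_flags, explicit, inherited

# Constructed sample descriptor; the GUIDs are placeholders, not real schema IDs.
SAMPLE = (
    "O:DAG:DAD:AI"
    "(A;;RPWPCCDCLCSWRCWDWOSD;;;DA)"
    "(A;CIID;RPLCLORC;;;AU)"
    "(OA;CIIOID;RP;00000000-0000-0000-0000-000000000001;"
    "00000000-0000-0000-0000-000000000002;RU)"
)

if __name__ == "__main__":
    protected, explicit, inherited = split_dacl(SAMPLE)
    print("inheritance blocked:", protected)
    for label, aces in (("explicit", explicit), ("inherited", inherited)):
        for ace in aces:
            print(label, ace["type"], ace["trustee"], ace["rights"], ace["flags"])
```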

Every container and object on the network or in Active Directory has a set of access control information attached to it, known as a security descriptor. A security descriptor contains the security information associated with a securable object. In Windows Server 2003 operating systems, the security descriptor is automatically created when an object is created.

  • Windows Server 2003 or Windows XP Professional

