Access Denied: Printing ACLs

Is there a way to print out who has what authority over an organizational unit (OU)?

The answer is Dsacls, which is part of the Windows 2000 Support Tools. Dsacls lets you modify or print the ACL of any object in Active Directory (AD). All you need to do is give Dsacls the AD path of the OU without any other parameters, and Dsacls will output the OU's ACLs to Stdout, which you can redirect to a file. For example, if you type

dsacls OU=Marketing,
  OU=New York,DC=Acme,DC=com

Dsacls will display the ACL for the New York\Marketing OU in the domain, which Web Figure 1 (, InstantDoc ID 25733) shows. The Dsacls output is quite verbose and comprises two main sections. Dsacls first lists effective permissions for the object, then lists all permissions that are propagated to subobjects.

Each access control entry (ACE) begins with either Allow or Deny, followed by the user or group, then the high-level permission, such as FULL CONTROL. If the user or group has been granted special low-level permissions, Dsacls lists each one. If a user or group inherited an ACE, you'll see <Inherited from parent> on the first line of the ACE, as Figure 1 shows. If you don't see <Inherited from parent>, the ACE is explicitly defined on the object. Under the Permissions inherited to subobjects are heading, which Figure 2 shows, Dsacls first specifies what type of object the subsequent ACEs are propagated to, then lists the associated ACEs (e.g., in Figure 3, notice that Allow ACME\HelpDesk Reset Password authority is propagated to all user objects in the OU).

TAGS: Security
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.