Q: How can I reset the default permissions on an Active Directory (AD) object?

A: To reset the default permissions on an AD object, use the dsacls.exe command-line tool. Dsacls.exe can reset permissions on a single object, using the /S switch, or on a tree, using the /S and /T switches together. To reset the permissions on an organizational unit (OU), use the following command:

Dsacls "<distinguished name of the OU>" /S /T

For example, to reset the default permissions of the Sales OU, including all sub-OUs and objects within it, use the command:

Dsacls "OU=Sales,DC=root,DC=net" /S /T

The /S and /T switches don’t work against instances of Active Directory Lightweight Domain Services (AD LDS)—formerly known as AD Application Mode. For an AD LDS object, use the /resetDefaultDACL switch to reset permissions to the default in the discretionary ACL or /resetDefaultSACL for the system ACL.
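Resetting replaces each object's ACL with the schema default for its class, so any ACEs added since the object was created are lost. The PowerShell below is an added example, not part of the original answer: it records the security descriptors under the OU before running the reset and then lists the objects whose descriptors changed. It assumes the ActiveDirectory module (RSAT) is installed; the backup file path is a hypothetical name.

```powershell
# Added example: snapshot ACLs under an OU, reset them with dsacls, report changes.
# Assumes the ActiveDirectory module (RSAT) and rights to modify ACLs in the OU.
param(
    [string]$TargetDn  = 'OU=Sales,DC=root,DC=net',  # DN from the example above
    [string]$BackupCsv = '.\Sales-acl-backup.csv'    # hypothetical output path
)

Import-Module ActiveDirectory   # also provides the AD: drive used by Get-Acl

# 1. Record the security descriptor (SDDL form) of every object in the subtree,
#    including the OU itself.
$snapshot = @(
    Get-ADObject -SearchBase $TargetDn -SearchScope Subtree -Filter * |
        ForEach-Object {
            $acl = Get-Acl -Path ("AD:\" + $_.DistinguishedName)
            [pscustomobject]@{
                DistinguishedName = $_.DistinguishedName
                ObjectClass       = $_.ObjectClass
                Sddl              = $acl.Sddl
            }
        }
)
$snapshot | Export-Csv -Path $BackupCsv -NoTypeInformation -Encoding UTF8
Write-Host "Saved $($snapshot.Count) security descriptors to $BackupCsv"

# 2. Reset the OU and everything beneath it to the schema default permissions.
& dsacls.exe $TargetDn /S /T

# 3. Compare each object's current descriptor with the snapshot so the lost
#    ACEs can be reviewed and, where still needed, re-delegated.
$changed = foreach ($row in $snapshot) {
    $now = (Get-Acl -Path ("AD:\" + $row.DistinguishedName)).Sddl
    if ($now -ne $row.Sddl) { $row.DistinguishedName }
}
Write-Host "Objects whose ACL changed: $(@($changed).Count)"
$changed
```

The CSV keeps the pre-reset SDDL for each object, which can be compared against the new ACL to decide which delegations to reapply.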
