JSI Tip 8732. The DSRevoke.exe command-line tool views and removes permissions on Domain and OU containers of Active Directory domain controllers.

The DSRevoke.exe page contains:

Views and removes permissions on Domain and OU containers of Active Directory domain controllers


Dsrevoke is a command-line tool that can be used on domain controllers that are running Windows Server 2003 or Windows 2000 Server to report the existence of all permissions for a specific user or group on a set of OUs in a domain and optionally remove from the DACLs of a set of OUs all permissions specified for a particular user or group.

Dsrevoke complements the functionality provided by the Delegation of Control Wizard, which is used to delegate administrative authority, by providing the ability to revoke delegated administrative authority.


Type "DSREVOKE /?" (no quotes) from the CMD prompt of a Windows 2000, Windows XP or Windows 20003 computer that is a domain member or domain controller of an Active Directory forest being targeted by the DSREVOKE.EXE utility.

Additional Information

To maximize the benefits offered by Dsrevoke, follow these guidelines as much as possible when delegating administrative authority:

? Use roles to delegate administrative authority. When delegating roles, be sure to use a unique and specific security group to represent every unique and specific role instance.

? Use inheritance to grant permissions to the security group representing a role instance, and grant permissions on OUs.

Delegating administrative authority by using roles involves the following tasks:

1. Create a specific and unique security group to represent the role.

2. Identify the highest level OU that represents the root of the smallest subtree that contains the subset of all objects the delegated user needs to access and modify in order to perform the delegated tasks.

3. Run the Delegation of Control Wizard on that OU and delegate the required administrative tasks to the unique and specific security group representing the unique and specific role.

If you follow these delegation guidelines, you can use Dsrevoke to easily and reliably undelegate authority. Simply run Dsrevoke in the domain, providing as input the name of the specific security group used to represent the delegated role, and use the /report switch to verify the existence of all explicit permissions for that security group that have been set on all OU objects in the domain .

Once you have reviewed the reported permissions, you can use the /remove switch to revoke all permissions granted to that security group, thereby revoking the delegated authority.

NOTE: When you type dsrevoke /?, you receive:
Usage: dsrevoke /report|/remove \[/domain:<domainname>\] \[/username:<username>\]
                \[/password:<password>|*\] \[/root:<domain/OU>\] <securityprincipal>

/report: Only reports the ACEs that have been set for the given
        principal on all domain and OU objects under root

/remove: Reports and then removes (after confirmation) the aces
        for the given principal

/domain: Dns OR Netbios name of domain
        (must be specified when <securityprincipal> is in domain other
        than default or if alternate credentials are provided)

/username: Username if alternate credentials must be specified

/password: * will prompt for password

/root: Root OU to start search for ACEs. If not specified will
        default to the specified domain's default naming context (The
        root domain or OU must be specified using x500 format; if the
        dn must include spaces enclose the option in quotes,e.g. "/root:..")

<securityprincipal>: Domain\User or Domain\Group for the security
        principal being looked up

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.