DsAcls is a free command-line utility provided by Microsoft that can be used to view and change security permissions on Active Directory objects.


For all practical purposes, it is the command-line equivalent of the Security tab in the Properties dialog box for an Active Directory object in Active Directory tools, such as Active Directory Users and Computers.

It can be used to view the DACL of any Active Directory object. It can also be used to add a new permission or remove an existing permission from an Active Directory object. dsacls is a very useful tool because it can also be manage Active Directory security permissions from a command-line.

One of the capabilities of dsacls is the ability to view effective permissions in Active Directory. AD effective permissions are very important for Active Directory security, because they help determine who actually has what delegated access rights on important Active Directory objects.

However, I have found that it is unable to accurately determine AD effective permissions which unfortunately makes it difficult to rely upon. Upon some research I found that Active Directory Effective Permissions display incorrect information and are thus cannot be relied upon.

+ Pros: Free, Can be used to view and modify the security permissions on a single Active Directory object

- Cons: Cannot be used to identify where all a user/group might have permissions in Active Directory, plus its effective permissions capability yields incorrect results.

Download Point: dsacls can be downloaded from here.

Summary: dsacls is a powerful command-line tool that can help view and dump/export Active Directory permissions/ACLs. It is free however, and supported by Microsoft. Once you know how to use it well, it can also be used to analyze Active Directory permissions, although not as well as one could with a professional-grade Active Directory Permissions Analyzer.

No comments:

Post a Comment