Wednesday, 8 January 2014

Using DSACL to reset permissions on Active Directory objects

Today an engineer brought something to my attention that was slightly strange. He told me that for some reason he could not reset passwords on some user accounts as all the fields were grayed out. 

I had already used the Delegation of Control wizard to assign an front line engineers group permissions on the users OU, so this was very strange. After investigating further i found that he didn't have permissions to on some users. 

I found that for some reason some objects in the OU had lost the Include Inheritable Permissions from this objects parent checkbox was not checked. So me delegating control to the OU was having no effect because the object was not inheriting. 

If this was on just one account it would be an easy fix, simply check the box and it will inherit permissions. However i identified the issue on older user accounts only. There were hundreds of them and this could potentially take hours to resolve. After some research i found that Windows Server has a built in tool called DSACL, which is installed when ADDS is installed.


1. Load an Administative Command Prompt.

2. To reset the ACL on an OU and all subobjects type the following.

 Dsacls "OU=USERS,DC=domain,DC=com" /S /T  

The /S is used to tell DSACL to reset the permissions on objects to the default for that object class (in this case a user) and the /T is used to tell it to perform it on all objects in the tree.

For full details on how to use DSACL see MS KB

No comments:

Post a Comment