DSACLS.EXE
DSACLS is a support tool
command line program for manipulating the ACL of AD objects. The
tool is useful for batch scripting changes to the security model, which makes
it ideal for implementing a delegation model. Care must be taken however, as
the tool directly manipulates the underlying security and does not provide
‘safety net’ prompts. The tool assumes the user knows what he / she are doing.
The command syntax of the tool is relatively simple but an understanding of AD
and the security model is essential. This command-line tool is built into
Windows Server 2008/2008 R2/2012/2012 R2 and is available when the Active
Directory Domain Services (AD DS) server role installed. The DSACLS command requires elevated
privileges. Below command will delegate user “User1” with the permission to
delete organizational unit “sales” and its child objects.
Dsacls "ou=sales,dc=sccm,dc=com"
/G sccm\User1:DT
No comments:
Post a Comment