Recipe 14.10 Changing the ACL of an Object

14.10.1 Problem

You want to change the ACL on an object to grant or restrict access to it for a user or group.

14.10.2 Solution

Using a graphical user interface

  1. Open the ACL Editor. You can do this by viewing the properties of an object (right-click on the object and select Properties) with a tool such as Active Directory Users and Computers (ADUC) or ADSI Edit. Select the Security tab. To see the Security tab with ADUC, you must select View > Advanced Features from the menu.

  2. Click the Advanced button to view a list of the individual ACEs.

Using a command-line interface

> dsacls <ObjectDN>

Using VBScript

See Recipe 7.7, Recipe 8.2, Recipe 13.6, and Recipe 17.9 for several examples of modifying an ACL with VBScript.

14.10.3 Discussion

Changing the ACL of an object is a common task for administrators in any but the most basic AD implementations because, as shown in Recipe 14.5 and Recipe 14.6, the Delegation of Control Wizard is limited and cumbersome to extend and deploy. The GUI and command-line methods are useful for one-off changes to permissions, but for making global changes to a number of objects you should consider using a script.
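
The Discussion's advice to script changes that touch many objects, shown as an added PowerShell example (not code from the original recipe): it adds one explicit allow ACE to every OU under a search base, skips OUs that already carry it, and only reports unless $apply is set. The search base and group name are constructed values, and the RSAT ActiveDirectory module is assumed to be installed.

```powershell
# Added example, not from the original recipe.
# Constructed values: the search base and group name below.
# Assumes the RSAT ActiveDirectory module (provides the AD: drive).
Import-Module ActiveDirectory

$searchBase = 'OU=Branches,DC=example,DC=com'   # constructed
$groupName  = 'HelpDesk-Readers'                # constructed
$apply      = $false   # report only; set to $true to write the ACLs

$sid    = (Get-ADGroup -Identity $groupName).SID
$rights = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
$allow  = [System.Security.AccessControl.AccessControlType]::Allow
# None = the ACE applies to the OU itself and is not inherited by children.
$scope  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
$rule   = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $sid, $rights, $allow, $scope

Get-ADOrganizationalUnit -SearchBase $searchBase -Filter * | ForEach-Object {
    $dn   = $_.DistinguishedName
    $path = "AD:\$dn"
    $acl  = Get-Acl -Path $path

    # Explicit (non-inherited) ACEs only, with trustees returned as SIDs.
    $present = $acl.GetAccessRules($true, $false,
                   [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference.Value -eq $sid.Value -and
            $_.AccessControlType -eq $allow -and
            $_.ObjectType -eq [Guid]::Empty -and
            ($_.ActiveDirectoryRights -band $rights) -eq $rights
        }

    if ($present) {
        $status = 'already present'
    } elseif ($apply) {
        # Add the ACE to the in-memory descriptor, then write it back.
        $acl.AddAccessRule($rule)
        Set-Acl -Path $path -AclObject $acl
        $status = 'added'
    } else {
        $status = 'would add'
    }

    # One record per OU, suitable for piping to Export-Csv as a change log.
    [PSCustomObject]@{ OU = $dn; Status = $status }
}
```

Running dsacls against one of the reported DNs afterward displays the resulting ACL in the tool the recipe uses.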

14.10.4 See Also

MS KB 281146 (How to Use Dsacls.exe in Windows 2000)
