You want to change the ACL on an object to grant or restrict access to it for a user or group.
Open the ACL Editor. You can do this by viewing the properties of an object (right-click on the object and select Properties) with a tool, such as Active Directory Users and Computers (ADUC) or ADSI Edit. Select the Security tab. To see the Security tab with ADUC, you must select View Advanced Features from the menu.
Click the Advanced button to view a list of the individual ACEs.
> dsacls <ObjectDN>
See Recipe 7.7, Recipe 8.2, Recipe 13.6, and Recipe 17.9 for several examples of modifying an ACL with VBScript.
Changing the ACL of an object is a common task for administrators in any but the most basic AD implementations because, as shown in Recipe 14.5 and Recipe 14.6, the Delegation of Control Wizard is limited and cumbersome to extend and deploy. The GUI and command-line methods are useful for one-off changes to permissions, but for making global changes to a number of objects you should consider using a script.
MS KB 281146 (How to Use Dsacls.exe in Windows 2000)