Craig Box's journeys, stories and notes...

Windows utilities you didn't know about: dsacls.exe

If you set permissions to lock yourself out of an object in Active Directory (or your co-worker does it for you - hi Pete!) then you can use the support tool ADSIEDIT to fix it.

Unless you've done something really difficult, like set DENY permission to "NT AUTHORITY\Authenticated Users".

The error when trying to change the properties on the object was "An invalid directory name was passed", and the object was also showing as a note, and not a container.

A suggestion to update the schema and clear the cache didn't work; what eventually did work was this gem of a command line, suggested but not entirely correctly spelt out by knowledge base article 300444:

dsacls "CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Container,CN=SITE NAME,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=DOMAIN" /I:T /R "NT AUTHORITY\Authenticated Users"

And they say Windows isn't a CLI OS.

After using /R to remove the ACL, you can use /S to set it back to its inherited-from-parent ACL.
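
To confirm that the Deny entry is really gone after running /R, you can read the object's ACL back and look for Deny entries on broad principals. This is an added example, not part of the original post: it assumes the ActiveDirectory PowerShell module (RSAT) is installed, the function name Get-BroadDenyAce is hypothetical, and the DN is the same placeholder as above.

```powershell
# Added example: list Deny ACEs for broad well-known principals on an AD object.
# Assumes the ActiveDirectory module (RSAT), which provides the AD: drive.
Import-Module ActiveDirectory

# Well-known SIDs: S-1-5-11 = Authenticated Users, S-1-1-0 = Everyone.
$BroadSids = 'S-1-5-11', 'S-1-1-0'

function Get-BroadDenyAce {   # hypothetical helper name
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$DistinguishedName
    )
    process {
        try {
            $acl = Get-Acl -Path "AD:\$DistinguishedName" -ErrorAction Stop
        } catch {
            # An unreadable ACL is itself a finding worth following up on.
            Write-Warning "Cannot read ACL on ${DistinguishedName}: $($_.Exception.Message)"
            return
        }
        # Request SIDs instead of names so the check does not depend on OS language.
        $rules = $acl.GetAccessRules($true, $true,
            [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $rules) {
            if ($ace.AccessControlType -eq 'Deny' -and
                $BroadSids -contains $ace.IdentityReference.Value) {
                [pscustomobject]@{
                    Object    = $DistinguishedName
                    Trustee   = $ace.IdentityReference.Value
                    Rights    = $ace.ActiveDirectoryRights
                    Inherited = $ace.IsInherited   # $true: fix the parent instead
                }
            }
        }
    }
}

# Placeholder DN; substitute your own site name and domain components.
$dn = 'CN=Default Global Address List,CN=All Global Address Lists,' +
      'CN=Address Lists Container,CN=SITE NAME,CN=Microsoft Exchange,' +
      'CN=Services,CN=Configuration,DC=DOMAIN'
Get-BroadDenyAce -DistinguishedName $dn | Format-Table -AutoSize
```

No output means no Deny entry for Authenticated Users or Everyone remains on the object.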


2 Responses to “Windows utilities you didn't know about: dsacls.exe”

  1. sammydre says:

    I have a feeling this is XP+ specific.

    Those of us stuck on Windows 2000 Professional workstations don't get this application AFAIK.

    Maybe Windows 2000 is a bit old, but it's still run at work 🙁

  2. Craig says:

    I assume it's on the server installation, but not on the desktop. It's really the sort of thing you'd only do on your AD server. You might also be able to get it by installing the support tools?
