How can I reset the default permissions on an Active Directory (AD) object?

Q: How can I reset the default permissions on an Active Directory (AD) object?

Jan De Clercq

November 30, 2008


A: To reset the default permissions on an Active Directory (AD) object, use the dsacls.exe command-line tool. Dsacls.exe can reset permissions on a single object with the /S switch, or on a tree with the /S and /T switches together. To reset the permissions on an organizational unit (OU), use the following command:

Dsacls "<OU distinguished name>" /S /T



For example, to reset the default permissions of the Sales OU, including all sub-OUs and objects within it, use the following command:

Dsacls "OU=Sales,DC=root,DC=net" /S /T
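
A snapshot-then-reset workflow around the tree reset above, as an added PowerShell example that is not from the original article. It assumes the RSAT ActiveDirectory module is installed; the helper name Get-TreeDacl and the CSV path are hypothetical.

```powershell
# Added example (not from the article): snapshot DACLs, reset, report what changed.
Import-Module ActiveDirectory        # assumption: RSAT ActiveDirectory module is installed

$BaseDn   = 'OU=Sales,DC=root,DC=net'                    # sample DN used in the article
$Snapshot = Join-Path $env:TEMP 'acl-before-reset.csv'   # hypothetical output path

function Get-TreeDacl {              # hypothetical helper name
    param([Parameter(Mandatory)][string]$SearchBase)
    # One row per object in the subtree (base included), DACL rendered as SDDL.
    Get-ADObject -SearchBase $SearchBase -SearchScope Subtree -Filter * `
                 -Properties nTSecurityDescriptor |
        ForEach-Object {
            [pscustomobject]@{
                DistinguishedName = $_.DistinguishedName
                Dacl = $_.nTSecurityDescriptor.GetSecurityDescriptorSddlForm('Access')
            }
        }
}

# 1. Record the current DACLs so delegations removed by the reset can be reviewed later.
$before = @(Get-TreeDacl -SearchBase $BaseDn)
$before | Export-Csv -Path $Snapshot -NoTypeInformation -Encoding UTF8

# 2. Reset the OU and everything beneath it to the schema default permissions.
& dsacls.exe $BaseDn /S /T

# 3. Re-read the tree and list every object whose DACL was changed by the reset.
$after = @{}
Get-TreeDacl -SearchBase $BaseDn |
    ForEach-Object { $after[$_.DistinguishedName] = $_.Dacl }
$changed = @($before | Where-Object { $after[$_.DistinguishedName] -ne $_.Dacl })

"{0} of {1} objects had their DACL changed; snapshot saved to {2}" -f `
    $changed.Count, $before.Count, $Snapshot
$changed | Select-Object -ExpandProperty DistinguishedName
```

The CSV keeps the pre-reset SDDL string for each object, so any delegation the reset removed can be identified and reapplied deliberately.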


The /S and /T switches don’t work against instances of Active Directory Lightweight Domain Services (AD LDS)—formerly known as AD Application Mode. For an AD LDS object, use the /resetDefaultDACL switch to reset permissions to the default in the discretionary ACL or /resetDefaultSACL for the system ACL.

