Access Denied: Printing ACLs

Is there a way to print out who has what authority over an organizational unit (OU)?

The answer is Dsacls, which is part of the Windows 2000 Support Tools. Dsacls lets you modify or print the ACL of any object in Active Directory (AD). All you need to do is give Dsacls the AD path of the OU without any other parameters, and Dsacls will output the OU's ACLs to Stdout, which you can redirect to a file. For example, if you type

dsacls OU=Marketing,  OU=New York,DC=Acme,DC=com

Dsacls will display the ACL for the New YorkMarketing OU in the acme.com domain, which Web Figure 1 (http://www.secadministrator.com, InstantDoc ID 25733) shows. The Dsacls output is quite verbose and comprises two main sections. Dsacls first lists effective permissions for the object, then lists all permissions that are propagated to subobjects.

Each access control entry (ACE) begins with either Allow or Deny, followed by the user or group, then the high-level permission, such as FULL CONTROL. If the user or group has been granted special low-level permissions, Dsacls lists each one. If a user or group inherited an ACE, you'll see on the first line of the ACE, as Figure 1 shows. If you don't see , the ACE is explicitly defined on the object. Under the Permissions inherited to subobjects are heading, which Figure 2 shows, Dsacls first specifies what type of object the subsequent ACEs are propagated to, then lists the associated ACEs (e.g., in Figure 3, notice that Allow ACMEHelpDesk Reset Password authority is propagated to all user objects in the OU).

—Randy Franklin Smith