View or Set Permissions on a Directory Object
Applies To: Windows Server 2008
You can govern access control in Active Directory Lightweight Directory Services (AD LDS) at the directory partition level by assigning user memberships to the role-based groups that are located on each partition. You can also customize access control in AD LDS on an object-by-object basis using the dsacls command-line tool.
Membership in the Administrators group of the AD LDS instance is the minimum required to complete this procedure. By default, the security principal that you specify as the AD LDS administrator during AD LDS setup becomes a member of the Administrators group in the configuration partition. For more information about AD LDS groups, see Understanding AD LDS Users and Groups.
To view or set permissions on a directory object
Open a command prompt.
At the command prompt, do one of the following:
To list the effective permissions on a directory object, type the following command, and then press ENTER:
dsacls \\hostname:portnumber\object_dn

| Parameter | Description |
| --- | --- |
| hostname | The name of the computer on which the AD LDS instance that holds the directory object is running. |
| portnumber | The communications port number on which the AD LDS instance communicates. |
| object_dn | The distinguished name of the directory object. |
Example:
dsacls \\localhost:389\O=Microsoft,C=US
To grant permissions on a directory object, type the following command, and then press ENTER:
dsacls \\hostname:portnumber\object_dn /G user_or_group:Permissions

| Parameter | Description |
| --- | --- |
| hostname | The name of the computer on which the AD LDS instance that holds the directory object is running. |
| portnumber | The communications port number on which the AD LDS instance communicates. |
| object_dn | The distinguished name of the directory object. |
| user_or_group | The user or group for whom the permissions apply. |
| Permissions | The permissions to grant. |
Example:
dsacls "\\localhost:389\cn=Object1, cn=container1,O=Microsoft,C=US" /G "CN=inetuser1,O=Microsoft,C=US":SD
To deny permissions on a directory object, type the following command, and then press ENTER:
dsacls \\hostname:portnumber\object_dn /D user_or_group:PermissionStatement

| Parameter | Description |
| --- | --- |
| hostname | The name of the computer on which the AD LDS instance that holds the directory object is running. |
| portnumber | The communications port number on which the AD LDS instance communicates. |
| object_dn | The distinguished name of the directory object. |
| user_or_group | The user or group for whom the permissions apply. |
| PermissionStatement | The permissions to deny. |
Example:
dsacls "\\localhost:389\cn=Object1, cn=container1,O=Microsoft,C=US" /D "CN=inetuser1,O=Microsoft,C=US":SD
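The three dsacls forms above (list, grant with /G, deny with /D) are usually run as one change-control step: record the current ACL, apply the change, and re-list to confirm the result. The PowerShell script below is an added example and is not part of the original article or of the dsacls tool; it wraps those same commands with a before/after snapshot and a line diff. The host name, port, object DN, principal DN and audit directory are placeholders taken from the article's examples, and the only dsacls switches used are the /G and /D switches shown above; the right "SD" is the one the article's examples use.

```powershell
# Added example (not from the original article): wraps the dsacls list/grant/deny
# commands with a before/after ACL snapshot so a change can be reviewed and reverted.
# All host, port, DN and path values are placeholders; replace them for your instance.

param(
    [string]$HostName  = 'localhost',                                  # placeholder host
    [int]   $Port      = 389,                                          # placeholder port
    [string]$ObjectDN  = 'cn=Object1,cn=container1,O=Microsoft,C=US',  # placeholder object DN
    [string]$Principal = 'CN=inetuser1,O=Microsoft,C=US',              # placeholder user/group DN
    [string]$Rights    = 'SD',                                         # right to grant/deny (SD as in the article)
    [ValidateSet('List','Grant','Deny')]
    [string]$Action    = 'List',
    [string]$AuditDir  = "$env:TEMP\dsacls-audit"                      # placeholder: where snapshots are written
)

# The \\host:port\DN target from the article, built once. Passing it as a single
# argument through the call operator (&) lets PowerShell quote DNs that contain
# spaces or commas, which is what the article's quoted examples do by hand.
$target = "\\${HostName}:${Port}\${ObjectDN}"

function Get-DsaclsListing {
    param([string]$Target)
    # dsacls with only the target argument lists the effective permissions.
    $out = (& dsacls $Target 2>&1) | ForEach-Object { $_.ToString() }
    if ($LASTEXITCODE -ne 0) {
        throw "dsacls failed to list $Target (exit $LASTEXITCODE): $($out -join ' ')"
    }
    return $out
}

function Save-Snapshot {
    param([string[]]$Listing, [string]$Label)
    New-Item -ItemType Directory -Path $AuditDir -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $file  = Join-Path $AuditDir "$stamp-$Label.txt"
    $Listing | Set-Content -Path $file
    return $file
}

# 1. Record the current ACL before anything else, whatever the requested action.
$before     = Get-DsaclsListing -Target $target
$beforeFile = Save-Snapshot -Listing $before -Label 'before'
Write-Host "Current ACL for $ObjectDN saved to $beforeFile"

if ($Action -eq 'List') {
    $before
    return
}

# 2. Apply the change with /G (grant) or /D (deny) in the principal:rights form
#    used by the article's examples. An explicit deny entry is evaluated before
#    an explicit allow entry, so /D overrides a matching /G for the same principal.
$switch = if ($Action -eq 'Grant') { '/G' } else { '/D' }
$result = (& dsacls $target $switch "${Principal}:${Rights}" 2>&1) | ForEach-Object { $_.ToString() }
if ($LASTEXITCODE -ne 0) {
    throw "dsacls $switch failed (exit $LASTEXITCODE): $($result -join ' ')"
}

# 3. Re-list and keep the after-state beside the before-state for review.
$after     = Get-DsaclsListing -Target $target
$afterFile = Save-Snapshot -Listing $after -Label "after-$Action"
Write-Host "ACL after $Action saved to $afterFile"

# 4. Show only the listing lines that changed (<= removed, => added).
Compare-Object -ReferenceObject $before -DifferenceObject $after |
    ForEach-Object { '{0} {1}' -f $_.SideIndicator, $_.InputObject }
```

Run it with `-Action List` first to see the current entries, then `-Action Grant` or `-Action Deny`; the "before" file gives you the exact prior listing if the change has to be backed out. Because the ACL is replicated, the same diff should appear on every replica of the partition, which is one way to confirm the change propagated.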
Additional considerations
To open a command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
For a complete description of all the parameters that apply to dsacls, including the setting of inheritance, type dsacls /? at the command prompt.
A directory object that resides on multiple replicas of a given directory partition possesses the same permissions on all the replica partitions.