View or Set Permissions on a Directory Object

Applies To: Windows Server 2008

You can govern access control in Active Directory Lightweight Directory Services (AD LDS) at the directory partition level by assigning user memberships to the role-based groups that are located on each partition. You can also customize access control in AD LDS on an object-by-object basis using the dsacls command-line tool.

Membership in the Administrators group of the AD LDS instance is the minimum required to complete this procedure. By default, the security principal that you specify as the AD LDS administrator during AD LDS setup becomes a member of the Administrators group in the configuration partition.

To view or set permissions on a directory object

  1. To open a command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

  2. At the command prompt, do one of the following:

    • To list the effective permissions on a directory object, type the following command, and then press ENTER:

      dsacls \\<hostname>:<portnumber>\<object_dn>

      Parameter     Description
      hostname      The name of the computer on which the AD LDS instance that holds the directory object is running.
      portnumber    The communications port number on which the AD LDS instance communicates.
      object_dn     The distinguished name of the directory object.

      Example:

      dsacls \\localhost:389\O=Microsoft,C=US

    • To grant permissions on a directory object, type the following command, and then press ENTER:

      dsacls \\<hostname>:<portnumber>\<object_dn> /G <user_or_group>:<Permissions>

      Parameter       Description
      hostname        The name of the computer on which the AD LDS instance that holds the directory object is running.
      portnumber      The communications port number on which the AD LDS instance communicates.
      object_dn       The distinguished name of the directory object.
      user_or_group   The user or group for whom the permissions apply.
      Permissions     The permissions to grant.

      Example:

      dsacls "\\localhost:389\cn=Object1, cn=container1,O=Microsoft,C=US" /G "CN=inetuser1,O=Microsoft,C=US":SD

    • To deny permissions on a directory object, type the following command, and then press ENTER:

      dsacls \\<hostname>:<portnumber>\<object_dn> /D <user_or_group>:<PermissionStatement>

      Parameter             Description
      hostname              The name of the computer on which the AD LDS instance that holds the directory object is running.
      portnumber            The communications port number on which the AD LDS instance communicates.
      object_dn             The distinguished name of the directory object.
      user_or_group         The user or group for whom the permissions apply.
      PermissionStatement   The permissions to deny.

      Example:

      dsacls "\\localhost:389\cn=Object1, cn=container1,O=Microsoft,C=US" /D "CN=inetuser1,O=Microsoft,C=US":SD

For a complete description of all the parameters that apply to dsacls, which includes the setting of inheritance, type dsacls /? at the command prompt.

Note

A directory object that resides on multiple replicas of a given directory partition possesses the same permissions on all the replica partitions.

Changing permissions on a deleted object container

When a directory object is deleted, a small part of the object stays in the deleted objects container for a specified time. It stays there so that other AD LDS instances that replicate changes will become aware of the deletion. By default, only the members of the AD LDS Administrators group can view the contents of this container. You may have to modify the permissions on the deleted objects container if you have enterprise applications that bind to AD LDS with a non-Administrator account. To modify the permissions on the deleted objects container so that non-administrators can view this container, use the DSACLS.exe program.

Membership in the Administrators group of the AD LDS instance is the minimum required to complete this procedure. By default, the security principal that you specify as the AD LDS administrator during AD LDS setup becomes a member of the Administrators group in the configuration partition.

To modify permissions on a deleted object container

  1. To open a command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

  2. At the command prompt, type the following command and then press ENTER:

    dsacls <deleted_object_dn> /takeownership

    Parameter            Description
    deleted_object_dn    The distinguished name of the deleted directory object.
    /takeownership       Take ownership of the object.

    Example:

    dsacls "CN=Deleted Objects,DC=Contoso,DC=com" /takeownership

  3. To grant a non-Administrator security principal permission to view the objects in the deleted objects container, type the following command and then press ENTER:

    dsacls <deleted_object_dn> /G <user_or_group>:<Permissions>

    Parameter            Description
    deleted_object_dn    The distinguished name of the deleted directory object.
    user_or_group        The user or group for whom the permissions apply.
    Permissions          The permissions to grant.

    Example:

    dsacls "CN=Deleted Objects,DC=Contoso,DC=com" /G CONTOSO\EricLang:LCRP
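The following Python is an added example, not part of the original page or a Microsoft tool; it covers both procedures above by assembling the view, /G and /D forms as an argument list (so DNs with spaces, such as the cn=Object1 example, need no hand quoting), checking that a permission string such as LCRP is built from known two-letter dsacls codes, and parsing the "Effective Permissions" listing dsacls prints so you can confirm that only the intended non-administrator can read the deleted objects container. The layout of that listing is an assumption, and the sample listing is constructed.

```python
# Added example, not from the original page: build the dsacls forms shown above
# and audit the "Effective Permissions" listing dsacls prints (layout assumed).
import re

PERMISSION_CODES = {"GR", "GE", "GW", "GA", "SD", "DT", "RC", "WD", "WO",
                    "LC", "CC", "DC", "WS", "WP", "RP", "CA", "LO"}  # see "dsacls /?"
READ_RIGHTS = {"FULL CONTROL", "GENERIC READ", "LIST CONTENTS", "READ PROPERTY"}
ACE_RE = re.compile(r"^(Allow|Deny)\s+(.*?)(?:\s{2,}(\S.*))?$")


def dsacls_args(host, port, object_dn, switch=None, principal=None, perms=""):
    """argv for the view form, or /G (grant) and /D (deny) with a principal."""
    args = ["dsacls", "\\\\{}:{}\\{}".format(host, port, object_dn)]
    if switch:  # perms is a run of two-letter codes, e.g. "LCRP" = LC + RP
        bad = [c for c in re.findall("..", perms) if c not in PERMISSION_CODES]
        if bad or len(perms) % 2:
            raise ValueError("bad dsacls permission code(s): %r" % perms)
        args += [switch, "{}:{}".format(principal, perms)]
    return args  # hand to subprocess.run as a list; DNs with spaces need no quoting


def parse_effective_aces(output):
    """(kind, principal, frozenset(rights)) per ACE in the effective section."""
    aces, active = [], False
    for line in output.splitlines():
        if line.startswith("Effective Permissions"):
            active = True
        elif line.startswith(("Permissions inherited", "The command")):
            active = False
        elif active and line.strip():
            m = ACE_RE.match(line.rstrip())
            if m:  # an indented list after SPECIAL ACCESS spells out the rights
                rights = {m.group(3)} - {None, "SPECIAL ACCESS"}
                aces.append([m.group(1), m.group(2).strip(), rights])
            elif line[0].isspace() and aces:
                aces[-1][2].add(line.strip())
    return [(kind, who, frozenset(r)) for kind, who, r in aces]


def unexpected_readers(aces, expected):
    """Allow entries that can list/read the object but are not in `expected`."""
    return sorted(who for kind, who, rights in aces
                  if kind == "Allow" and rights & READ_RIGHTS and who not in expected)


SAMPLE_OUTPUT = """Effective Permissions on this object are:
Allow CONTOSO\\Administrators          FULL CONTROL
Allow CONTOSO\\EricLang                SPECIAL ACCESS
                                      LIST CONTENTS
                                      READ PROPERTY
Deny  CONTOSO\\Contractors             READ PROPERTY
Permissions inherited to subobjects are:
Allow CONTOSO\\Administrators          FULL CONTROL"""  # constructed sample
```

Run the view form against the deleted objects container after step 3 and feed its stdout to parse_effective_aces; unexpected_readers with your administrator set as `expected` should return exactly the principal you granted LCRP to.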