
Recipe 14.7 Viewing the ACL for an Object

14.7.1 Problem

You want to view the ACL for an object.

14.7.2 Solution

14.7.2.1 Using a graphical user interface

  1. Open the ACL Editor. You can do this by viewing the properties of an object (right-click on the object and select Properties) with a tool such as Active Directory Users and Computers (ADUC) or ADSI Edit. Select the Security tab. To see the Security tab with ADUC, you must select View → Advanced Features from the menu.

  2. Click the Advanced button to view a list of the individual ACEs.

14.7.2.2 Using a command-line interface

> dsacls <ObjectDN>

14.7.2.3 Using VBScript

Unfortunately, the code to view the ACEs in an ACL is quite messy and long. This will be included as part of the code on the web site for the book (http://www.oreilly.com/catalog/activedckbk/).

14.7.3 Discussion

Viewing an object's ACL is a common task and should already be familiar to most administrators. The ACL Editor is useful for checking the permissions that have been set on objects, especially after running the Delegation of Control Wizard. In addition to viewing permissions, the options available in the GUI include viewing Auditing settings and the Owner of the object. Knowing the owner of an object is important because ownership confers certain inherent rights.

Because the ACL Editor is the same for NTFS permissions and properties as it is for Active Directory objects, you should feel comfortable with the look and feel of the interface—it is exactly the same as File and Folder permissions. I also highly recommend getting familiar with the Advanced view of the ACL Editor, as this is truly the view in which you can determine what is going on with permissions. The Basic view presents a list of security principals that have permissions configured, but it will not always show every ACE. The Advanced view will show the complete picture, including the scope of permissions for ACEs down to the object and even attribute level.
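The owner and the per-ACE detail that the Advanced view shows can also be read from a script. The following PowerShell is an added example, not code from the book or its web site; it uses the .NET System.DirectoryServices classes through the ADSI accelerator, and the DN and the Resolve-Sid helper name are constructed for illustration.

```powershell
# Added example: print the owner and every ACE (explicit and inherited) on an AD object.
param(
    # Constructed placeholder DN; pass the DN of a real object in your domain.
    [string]$ObjectDN = 'OU=Sales,DC=example,DC=com'
)

# Translate a SID to DOMAIN\name; fall back to the raw SID for deleted or
# unresolvable principals instead of throwing.
function Resolve-Sid([System.Security.Principal.SecurityIdentifier]$Sid) {
    try   { $Sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid.Value }
}

# Bind with ADSI; ObjectSecurity is a System.DirectoryServices.ActiveDirectorySecurity object.
$entry   = [ADSI]"LDAP://$ObjectDN"
$sd      = $entry.psbase.ObjectSecurity
$sidType = [System.Security.Principal.SecurityIdentifier]

"Object: $ObjectDN"
"Owner : $(Resolve-Sid ($sd.GetOwner($sidType)))"

# GetAccessRules(includeExplicit, includeInherited, targetType) returns the DACL entries.
$aces = foreach ($ace in $sd.GetAccessRules($true, $true, $sidType)) {
    [pscustomobject]@{
        Trustee    = Resolve-Sid $ace.IdentityReference
        Type       = $ace.AccessControlType          # Allow or Deny
        Rights     = $ace.ActiveDirectoryRights
        Scope      = $ace.InheritanceType            # None, All, Descendents, ...
        Inherited  = $ace.IsInherited
        # Guid.Empty: the ACE is not limited to one attribute, property set or extended right.
        ObjectType = if ($ace.ObjectType -eq [Guid]::Empty) { '(all)' } else { $ace.ObjectType }
        # Guid.Empty: the ACE is inherited by every child object class.
        AppliesTo  = if ($ace.InheritedObjectType -eq [Guid]::Empty) { '(any class)' } else { $ace.InheritedObjectType }
    }
}

# Explicit ACEs first, then inherited ones.
$aces | Sort-Object Inherited, Trustee | Format-Table -AutoSize -Wrap
```

Trustees that print as a bare SID are accounts that no longer resolve, which is worth noting when reviewing delegated permissions. The ObjectType and AppliesTo GUIDs identify schema attributes, classes or extended rights and are shown unresolved here.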

14.7.4 See Also

Recipe 14.10 for changing an ACL and Recipe 15.12 for auditing of object access
