14.7. Viewing the ACL for an Object
Problem
You want to view the ACL for an object.
Solution
Using a graphical user interface
Open the ACL Editor. You can do this by viewing the properties of an object (right-click on the object and select Properties) with a tool, such as Active Directory Users and Computers (ADUC) or ADSI Edit. Select the Security tab. To see the Security tab with ADUC, you must select View → Advanced Features from the menu.
Click the Advanced button to view a list of the individual ACEs.
Using a command-line interface
> dsacls <ObjectDN>Using VBScript
Unfortunately, the code to view the ACEs in an ACL is quite messy and long. This will be included as part of the code on the web site for the book (http://www.oreilly.com/catalog/activedckbk/).
Discussion
Viewing an object’s ACL is a common task and should already be familiar to most administrators. The ACL editor is useful for checking the permissions that have been set on objects, especially after running the Delegation of Control Wizard. In addition to viewing permissions, the options available in the GUI include, viewing Auditing settings and the Owner of the object. Knowing the owner of and object is important because ownership confers certain inherent rights.
Because the ACL Editor is the same for NTFS permissions and properties as it is for Active Directory objects, you should feel comfortable with the look and feel of the interface—it is exactly the same as File and Folder permissions. I also highly recommend getting ...
Get Active Directory Cookbook now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
