Active Directory Users and Computers console

We can view the permissions assigned on an Organizational Unit (OU) in the graphical user interface with the Active Directory Users and Computers console, but we must first enable Advanced Features under the View menu (Figure-1).

Figure-1

After enabling it, right-click the OU (for example OU=NewYork) and select Properties (Figure-2).

Figure-2

Now select the Security tab, then click the Advanced button. On the Permissions tab (this list is the Discretionary Access Control List, DACL) you can see the access control entries (ACEs) (Figure-3).

Figure-3

Dsrevoke Tool

Download Dsrevoke

The assigned permissions can be displayed as access control entries (ACEs) with the DSREVOKE command-line tool, and they can be removed with it too.

For example, to view the permissions of the user Ed.Price on OU=NewYork, run this command (Figure-4):

Dsrevoke /Report OU=NewYork,DC=Contoso,DC=Com Contoso\Ed.Price

Figure-4

Ed.Price has two ACEs (ACE #1 and ACE #2). Now, for example, we check ACE #2 in the Active Directory Users and Computers console (Figure-5).

Figure-5

You can see that ACE #2 is Create and Delete User objects.

Now we want to remove Ed.Price's delegated permissions from the NewYork OU. We run this command (Figure-6):

(The security prompt shown before deleting must be confirmed with "y".)

Dsrevoke /Remove OU=NewYork,DC=Contoso,DC=Com Contoso\Ed.Price

Figure-6

All explicit permissions of a user or group on a specific container, such as an OU, and thus also on the objects underneath it, are removed with this command. Note that Dsrevoke acts only on ACEs whose trustee is the named principal: access the user receives through group membership is neither reported nor removed, so check the groups separately.

Dsrevoke /Remove "/root:<DN of the OU>" Domain\sAMAccountName

LIZA Active Directory Security, Permission and ACL Analysis

Download LIZA

LIZA is a free tool for Active Directory environments that lets you display and analyze object rights in the directory hierarchy. You can use it, for example, to perform security permission analysis in an AD domain or in the AD Configuration partition.

We can use LIZA to view Ed.Price's delegated permissions on the NewYork Organizational Unit (OU).

Click the NewYork OU; on the right side, in the Security Descriptor pane's Permissions tab, you can see Ed Price's delegated permissions (Figure-7).

Figure-7

We can see an ACE in detail: click the Ed Price entry whose details you need, then click Show ACL (Figure-8).

Figure-8

Now we can see that Ed Price has Create and Delete User objects permissions on the NewYork OU (Figure-9).

Figure-9

Delegate Batch File

Sometimes we have many OUs and only want to see which OUs a user has delegated permissions on.

We can use this batch file. It runs dsquery to enumerate every OU and greps the dsacls output of each one for the account name; note that dsacls also prints inherited ACEs, so a match can come from a parent OU rather than from an explicit entry on that OU.

DelegateView.bat

@ECHO OFF
REM DelegateView.bat - list the OUs whose DACL contains an entry for an account or group.
REM Usage: DelegateView.bat DOMAIN\account
SET ACCOUNT=%1
IF NOT DEFINED ACCOUNT GOTO USAGE

REM "delims=" keeps each quoted DN returned by dsquery as a single token (the original
REM delims=XXX would split any DN containing an X). "-limit 0" lifts the default cap of
REM 100 results so that no OU is silently skipped in a large domain.
FOR /F "usebackq delims=" %%i IN (`dsquery ou -limit 0`) DO (
    dsacls %%i | find /I "%ACCOUNT%" > nul
    IF ERRORLEVEL 1 (
        echo Account %ACCOUNT% has no entries in the DACL of %%i
    ) ELSE (
        echo Account %ACCOUNT% has entries (explicit or inherited) in the DACL of %%i
    )
)
GOTO END

:USAGE
echo.
echo USAGE: %0 [account name or security group]
echo.
echo EXAMPLE: %0 Administrator

:END
Here is an example using DelegateView.bat for the user Ed.Price; we run this command:

DelegateView.bat Contoso\Ed.Price

You can use this command to export the information to a .txt file:

DelegateView.bat Contoso\Ed.Price >DelegateOUs.txt

LDP.exe

To view the ACEs of an OU by using Ldp.exe, follow these steps:

Run LDP.exe. In LDP, on the Connection menu, click Connect to connect to a domain or a specific domain controller.

In the Connect dialog box, in the Server box, type a server name or leave the entry blank to connect to the local server, and then click OK (in my example: DC1.Contoso.Com).

On the Connection menu, click Bind.

In the Bind dialog box, type a user name and password (I logged on to the server as Administrator), and then click OK to bind to Active Directory.

On the View menu, click Tree. In the BaseDN box, either type a specific distinguished name (DN) or leave BaseDN blank to view the entire domain. I typed OU=NewYork,DC=Contoso,DC=Com for my example.

To view the security descriptor of an OU, right-click the OU in the tree view, select Advanced, select Security Descriptor, and then in the Security Descriptor dialog box, click OK.

Now we can see Ed.Price's ACEs and all other ACEs on OU=NewYork. We can add, delete and edit ACEs here.

For example, I click Ed.Price and then the Edit ACE button. We can see that Ed.Price has Create and Delete User objects delegated permissions on OU=NewYork.

ACLDiag.exe command

ACLDiag.exe is included in the Windows Server 2003 Support Tools. It uses the Delegwiz.inf file to translate an object's delegation permissions into the names of the Delegation of Control Wizard templates. We use ACLDiag.exe with the /chkdeleg switch.

For example, we want to see who has delegated permissions on the Employee organizational unit, and which permissions (my domain name is Contoso.com). Here is the command:

ACLDiag.exe "OU=Employee,DC=Contoso,DC=Com" /chkdeleg

First we look at the Delegation Template Diagnosis part. It shows that Ed.Price has some delegated permissions, but what do @dsuiwiz.dll,-301, @dsuiwiz.dll,-302 and so on mean?

They are indirect string references: the template description is loaded from string resource 301 (302, ...) of dsuiwiz.dll instead of being stored as text in the .inf file, and ACLDiag prints the reference unresolved. Here is how to make it readable.

We must edit the delegwiz.inf file. On Windows 2000 and Windows Server 2003 it is located in %windir%\Inf; on Windows Server 2008 and 2008 R2 it is in %windir%\system32.

Open delegwiz.inf with Notepad (you need permission to change and save this file). By default delegwiz.inf contains 13 templates; Microsoft has published a total of 70 templates on this page (Appendix O: Active Directory Delegation Wizard File).

Now you can see that the description of template1 is Description = "@dsuiwiz.dll,-301".

I replace Description = "@dsuiwiz.dll,-301" with Description = "Create, delete, and manage user accounts" (keep the quotes: commas separate values in an .inf file, so an unquoted description would be cut at the first comma).

I run this command again:

ACLDiag.exe "OU=Employee,DC=Contoso,DC=Com" /chkdeleg

Now we can see Ed.Price's delegated permissions with readable descriptions.

AdFind Tool

AdFind was created by Joe Richards, an Active Directory MVP who has published more free tools here.

Here is AdFind Usage and examples.

I run this command to view Ed.Price's delegated permissions on the Employee organizational unit (my domain name is Contoso.com):

AdFind -b "OU=Employee,DC=Contoso,DC=Com" -s base nTSecurityDescriptor -sddl++ -resolvesids

Info for this command:

1- -b "<base dn>": the base DN of the search.

2- -s scope: scope of the search: Base, One[Level] or Sub[tree].

3- attribute: nTSecurityDescriptor, the security descriptor of the queried object itself; its DACL holds the ACEs we are looking for.

4- -sddl++: decode the binary security descriptor into SDDL; the ++ form also expands the rights, flags and object GUIDs into readable names.

5- -resolvesids: resolve SIDs to names.

Now we can view Ed.Price's delegated permissions, and all other permissions, on the Employee organizational unit.

When we need to view delegated permissions for a specific user or group, we run the following command; here we view only Ed.Price's permissions on the Employee organizational unit. The -sddlfilter picks ACEs by trustee and -sddlnotfilter ;inherited drops inherited ACEs, so only explicit delegation on the OU is shown:

Adfind -b "OU=Employee,DC=Contoso,DC=Com" -s subtree -f (objectClass=organizationalUnit) nTSecurityDescriptor -sddl++ -resolvesids -sddlfilter ;;;;;"CONTOSO\Ed.Price" -sddlnotfilter ;inherited -recmute

Now I need all of Ed.Price's delegated permissions on all OUs in the domain. I run this command:

Adfind -b "DC=Contoso,DC=Com" -s subtree -f (objectClass=organizationalUnit) nTSecurityDescriptor -sddl++ -resolvesids -sddlfilter ;;;;;"CONTOSO\Ed.Price" -sddlnotfilter ;inherited -recmute

Ed.Price has delegated permissions on the NewYork and Employee OUs.

Now I will see which computers in the domain Ed.Price has explicit permissions on. I run this command:

Adfind -b "DC=Contoso,DC=Com" -s subtree -f (objectClass=computer) nTSecurityDescriptor -sddl++ -resolvesids -sddlfilter ;;;;;"CONTOSO\Ed.Price" -sddlnotfilter ;inherited -recmute

Ed.Price has explicit permissions on the NPS and CLIENT1 computers.
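The per-principal survey that DelegateView.bat and the AdFind -sddlfilter queries above perform can also be done with the RSAT ActiveDirectory module and the AD: drive it provides. The script below is an added example, not code from the original article and not part of AdFind or dsacls: it lists every explicit (non-inherited) ACE for one principal on every object of a given class below a search base, and resolves the ObjectType and InheritedObjectType GUIDs to schema class, attribute and extended-right names, so an ACE like ACE #2 above reads as CreateChild, DeleteChild on "user" instead of as a GUID. The account, object class and search base are parameters; the defaults (domain root, organizationalUnit) and the script name are assumptions.

```powershell
# Get-DelegatedAces.ps1 (added example, not from the original article)
# Lists explicit ACEs for one principal on every object of one class below a search base,
# with ObjectType / InheritedObjectType GUIDs translated to names.
# Usage:  .\Get-DelegatedAces.ps1 -Account 'CONTOSO\Ed.Price'                   # all OUs in the domain
#         .\Get-DelegatedAces.ps1 -Account 'CONTOSO\Ed.Price' -ObjectClass computer
param(
    [Parameter(Mandatory)] [string] $Account,        # NTAccount form, as dsacls/AdFind print it
    [string] $ObjectClass = 'organizationalUnit',    # or 'computer', 'user', ...
    [string] $SearchBase                             # defaults to the domain root
)
Import-Module ActiveDirectory   # RSAT; provides Get-ADObject and the AD: PSDrive

$rootDse = Get-ADRootDSE
if (-not $SearchBase) { $SearchBase = $rootDse.defaultNamingContext }

# GUID -> name map: classes and attributes come from schemaIDGUID in the schema NC,
# extended rights (e.g. Reset Password) from rightsGuid under CN=Extended-Rights.
$guidMap = @{}
$guidMap[[guid]::Empty] = 'All'
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
             -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
             -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

function Resolve-AceGuid([guid] $Guid) {
    if ($guidMap.ContainsKey($Guid)) { $guidMap[$Guid] } else { $Guid.ToString() }
}

# Walk the objects. Inherited ACEs are skipped on purpose: they were set on a parent,
# and the parent is where a delegation review (or a removal) has to act.
Get-ADObject -SearchBase $SearchBase -LDAPFilter "(objectClass=$ObjectClass)" | ForEach-Object {
    $dn  = $_.DistinguishedName
    $acl = Get-Acl -Path "AD:\$dn"
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }
        if ($ace.IdentityReference.Value -ne $Account) { continue }
        [pscustomobject]@{
            Object      = $dn
            Type        = $ace.AccessControlType           # Allow / Deny
            Rights      = $ace.ActiveDirectoryRights       # e.g. CreateChild, DeleteChild
            ObjectType  = Resolve-AceGuid $ace.ObjectType  # e.g. 'user' for Create/Delete user objects
            AppliesTo   = Resolve-AceGuid $ace.InheritedObjectType
            Inheritance = $ace.InheritanceType
        }
    }
} | Format-Table -AutoSize
```

Like Dsrevoke and the AdFind filter, this matches the trustee literally, so rights Ed.Price holds through a group (the situation the Quest section below runs into with SecGlobalGroup) appear under the group's name, not his; run it once per group he belongs to, or extend the trustee check to the account's token groups.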

Dsacls Tool

Dsacls is another tool we can use for managing Active Directory permissions from the command line. Dsacls is part of the Windows Server 2003 Support Tools; from Windows Server 2008 on it is built into the operating system.

We can view all permissions on the Employee organizational unit with the following command:

Dsacls OU=Employee,DC=Contoso,DC=Com

All permissions on the Employee organizational unit are written to a .TXT file with the following command:

Dsacls OU=Employee,DC=Contoso,DC=Com > C:\Dsacls.txt

The permissions of the Employee organizational unit can be reset to the schema defaults for its object class as follows (this replaces the whole DACL, so every delegated ACE on the OU is lost; export it with the previous command first):

Dsacls OU=Employee,DC=Contoso,DC=Com /S

All explicit permissions of a specific user or group can be removed with this command (example: user Ed.Price, OU Employee, domain Contoso.com):

Dsacls OU=Employee,DC=Contoso,DC=Com /R Contoso.com\Ed.Price

We can use userPrincipalName (UPN) in this command too:

Dsacls OU=Employee,DC=Contoso,DC=Com /R Ed.Price@Contoso.com
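Dsrevoke /Remove and dsacls /R above both strip a principal's explicit ACEs from an OU without keeping a record of what was removed. The script below is an added example (not the article's own, and not part of dsacls or Dsrevoke) that performs the same removal with the RSAT ActiveDirectory module, but first writes the OU's current security descriptor as SDDL to a backup file so the change can be reverted, reports when there is nothing explicit to remove, and honours -WhatIf. The backup directory and file naming are assumptions.

```powershell
# Remove-DelegatedAces.ps1 (added example, not from the original article)
# Strips every explicit ACE for one principal from one OU, after saving the OU's
# security descriptor as SDDL so the change can be undone.
# Usage:  .\Remove-DelegatedAces.ps1 -OU 'OU=Employee,DC=Contoso,DC=Com' -Account 'CONTOSO\Ed.Price' -WhatIf
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string] $OU,        # distinguished name of the OU
    [Parameter(Mandatory)] [string] $Account,   # NTAccount form, e.g. 'CONTOSO\Ed.Price'
    [string] $BackupDir = "$env:TEMP\ad-acl-backup"   # assumed location, change as needed
)
Import-Module ActiveDirectory   # RSAT; provides the AD: PSDrive used by Get-Acl / Set-Acl

$path = "AD:\$OU"
$acl  = Get-Acl -Path $path

# 1. Backup. The SDDL string round-trips through SetSecurityDescriptorSddlForm, so this
#    single line is enough to restore the OU's owner, group and DACL later.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$backup = Join-Path $BackupDir ("{0}-{1:yyyyMMdd-HHmmss}.sddl" -f ($OU -replace '[=,]', '_'), (Get-Date))
$acl.Sddl | Set-Content -Path $backup -Encoding ASCII

# 2. Select explicit ACEs for the principal. Inherited ACEs are skipped: they live on a
#    parent object, and removing them here would either do nothing or, if inheritance
#    were broken, change far more than intended.
$targets = @($acl.Access | Where-Object {
    -not $_.IsInherited -and $_.IdentityReference.Value -eq $Account
})
if ($targets.Count -eq 0) {
    Write-Warning "No explicit ACEs for $Account on $OU (inherited or group-granted access is not touched)."
    return
}

# 3. Remove exactly those ACEs from the in-memory descriptor and write it back.
foreach ($ace in $targets) {
    Write-Verbose ("Removing {0} {1} (ObjectType {2})" -f $ace.AccessControlType, $ace.ActiveDirectoryRights, $ace.ObjectType)
    $acl.RemoveAccessRuleSpecific($ace)
}
if ($PSCmdlet.ShouldProcess($OU, "Remove $($targets.Count) ACE(s) for $Account")) {
    Set-Acl -Path $path -AclObject $acl
    Write-Output "Removed $($targets.Count) ACE(s) for $Account from $OU. Backup: $backup"
}

# To roll back:
#   $acl = Get-Acl -Path "AD:\$OU"
#   $acl.SetSecurityDescriptorSddlForm((Get-Content $backup -Raw))
#   Set-Acl -Path "AD:\$OU" -AclObject $acl
```

Run it as an account allowed to write the OU's DACL (the article's examples use Administrator), and run with -WhatIf first: the backup file is written either way, and the WhatIf output tells you how many ACEs would go before anything is changed.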

QUEST PowerShell Commands for Active Directory

QUEST PowerShell Commands for Active Directory (the Quest ActiveRoles Management Shell) is another free tool we can use for managing Active Directory permissions from the PowerShell command line. You can download it from here.

I used Windows PowerShell ISE in this example with QUEST PowerShell. Open Windows PowerShell ISE with Run as administrator.

Run the following command to load the Quest cmdlets:

Add-PSSnapin Quest.ActiveRoles.ADManagement

Now we can view all permissions on the Delegation organizational unit with the following command:

Get-QADObject 'contoso.com/delegation' -SecurityMask Dacl | Get-QADPermission -UseExtendedMatch -Inherited -SchemaDefault -Property ('sAMAccountName','name')

But to view just the delegated permissions on the Delegation organizational unit, we use the following command:

$Deleg=Get-QADObject 'contoso.com/delegation' -SecurityMask Dacl -SizeLimit 0 | Get-QADPermission -UseTokenGroups

Now, run the following command:

$Deleg | FT Account,TargetObject,Rights,RightsDisplay

As you see, a user (r.mueller) and a group (SecGlobalGroup) have delegated permissions, but who is a member of this group?

We use this command to see who is a member of the SecGlobalGroup group, including members of nested groups (-indirect):

Get-QADGroupMember "SecGlobalGroup" -indirect

As you see, two users (Ed Price and user 2) and a group (SecDLGroup) therefore hold the delegated permissions too, through their group membership, even though none of them appears in the DACL by name.

Now we will see which delegated permissions Ed Price has on all objects in the domain; we run the following command:

$Deleg=Get-QADObject -SecurityMask Dacl -SizeLimit 0 | Get-QADPermission -Account ('contoso\ed.price') -Inherited -SchemaDefault -Verbose -UseTokenGroups

Now, run the following command:

$Deleg | FT Account,TargetObject,Rights,RightsDisplay

Another example: to show who has the WriteProperty right on the Ed Price user account, run the following command:

Get-QADUser 'contoso\ed.price' -SecurityMask Dacl | Get-QADPermission -Rights 'WriteProperty' -UseExtendedMatch -Inherited -SchemaDefault -Verbose -Allow -Property ('sAMAccountName','name')

You can find more PowerShell examples; here is a very good article:

Best Practice: How to delegate AD permission to Organisational Units using the PowerShell command Add-QADPermission (Alan Burchill - MVP)

AD ACL Scanner 1.2

Robin Granberg (MSFT) created a great PowerShell GUI tool. It creates reports of the access control lists of all your Active Directory objects. With these reports you can see what permissions have been set, where, and when.

You can read an article about AD ACL Scanner 1.2 at this link:

Take Control Over AD Permissions and the AD ACL Scanner Tool

You can download it from this link:

AD ACL Scanner 1.2

Other Information:

Active Directory attributes in the ADUC GUI tool


See Also