Active Directory Administration Cookbook

Using the command line

Using dsacls.exe, you can delegate permissions from the command line. This is ideal for scripted deployments of predetermined permissions and for applying permissions on domain controllers running as Server Core installations.

In its most basic usage, dsacls.exe displays the ACL of an object (run it with only the distinguished name; add /A to also show the owner and the auditing entries), denies permissions (using the /D parameter), and grants permissions (using /G). The object is identified by its distinguished name; the trustee that receives the permissions is a group (or a user, if you must), written as DOMAIN\name. The permissions themselves are either generic or specific, and each is denoted by two letters, the so-called permission bits. The generic permissions are denoted as follows:

 

The most popular specific permissions are denoted as follows:

 

When you use the object- or property-specific permissions (CC, DC, RP, WP and CR), it's a best practice to also include the object type or attribute to which the permission should apply. Without that scope, the ACE applies to every child object class or every attribute, which is far more than you intended to delegate.

Use the following command line to delegate read and write permissions (RP and WP) on the mS-DS-ConsistencyGuid attribute of user objects in the OU=Computers,DC=lucernpub,DC=com OU to a group. The /I:S switch makes the ACE inherit to sub-objects only, so the OU itself receives no entry; the attribute name is matched case-insensitively:

dsacls.exe "OU=Computers,DC=lucernpub,DC=com" /I:S /G "LucernPub\Group:RPWP;mS-DS-ConsistencyGuid;user"
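For a scripted deployment you want more than a fire-and-forget command: the exit code should be checked and the resulting ACE read back to confirm it landed with exactly the intended scope. The following PowerShell script is an added example and not the book's own code; the OU and group names are the hypothetical ones used above, and the verification step assumes the RSAT ActiveDirectory module is installed on the machine running it.

```powershell
# Added example (not from the book): grant RP/WP on one attribute with dsacls.exe,
# then verify the ACE on the OU matches the intended attribute and object class.
# Assumed (hypothetical) names: OU=Computers,DC=lucernpub,DC=com and LucernPub\Group.
# Requires the RSAT ActiveDirectory module and rights to modify the OU's DACL.
$Target  = 'OU=Computers,DC=lucernpub,DC=com'
$Trustee = 'LucernPub\Group'
$Attr    = 'mS-DS-ConsistencyGuid'   # lDAPDisplayName; dsacls matches it case-insensitively
$Class   = 'user'

# 1. Apply. RP = read property, WP = write property; the two trailing fields scope the
#    ACE to a single attribute and a single object class. /I:S = sub-objects only.
#    dsacls prints the whole ACL after applying, so the output is discarded here.
& dsacls.exe $Target /I:S /G ("{0}:RPWP;{1};{2}" -f $Trustee, $Attr, $Class) | Out-Null
if ($LASTEXITCODE -ne 0) { throw "dsacls.exe failed with exit code $LASTEXITCODE" }

# 2. Resolve the schema GUIDs that dsacls wrote into the ACE, so the comparison is exact.
Import-Module ActiveDirectory
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    [guid]::new([byte[]]$obj.schemaIDGUID)
}
$attrGuid  = Get-SchemaGuid $Attr
$classGuid = Get-SchemaGuid $Class

# 3. Read the DACL back through the AD: drive and look for the expected ACE.
$acl  = Get-Acl -Path "AD:\$Target"
$mine = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $Trustee }

$rights   = [System.DirectoryServices.ActiveDirectoryRights]
$expected = $mine | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.ObjectType -eq $attrGuid -and
    $_.InheritedObjectType -eq $classGuid -and
    $_.ActiveDirectoryRights.HasFlag($rights::ReadProperty) -and
    $_.ActiveDirectoryRights.HasFlag($rights::WriteProperty)
}
if (-not $expected) { throw "Expected ACE for $Trustee on $Attr/$Class not found on $Target" }
Write-Host "OK: $Trustee has RP/WP on $Attr for $Class objects under $Target"

# 4. Least-privilege check: flag any other ACE for this trustee that lacks the attribute
#    or class scope (for example one left behind by an earlier run without ';attr;class').
#    An empty ObjectType means all attributes; an empty InheritedObjectType means all classes.
$broad = $mine | Where-Object { $_.ObjectType -eq [guid]::Empty -or $_.InheritedObjectType -eq [guid]::Empty }
if ($broad) {
    Write-Warning "$Trustee also holds ACEs on $Target that are not scoped to one attribute and one class; review them:"
    $broad | Format-Table IdentityReference, AccessControlType, ActiveDirectoryRights, ObjectType, InheritedObjectType -AutoSize
}
```

The verification compares GUIDs rather than names because that is what the ACE actually stores; a typo in the attribute name would make dsacls fail (and the script stop at the exit-code check) rather than silently grant something else. The final check matters on re-runs: dsacls adds ACEs, it does not replace them, so a broader entry applied by mistake earlier stays in place until you remove it with /R.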