A: To reset the default permissions on an AD object, use the dsacls.exe command-line tool. Dsacls.exe can reset permissions on a single object, using the /S switch, or on a whole tree, using the /S and /T switches together. To reset the permissions on an organizational unit (OU), use the following command:

Dsacls "<distinguished name of the OU>" /S /T

For example, to reset the default permissions of the Sales OU, including all sub-OUs and objects within it, use the command

Dsacls "OU=Sales,DC=root,DC=net" /S /T

The /S and /T switches don’t work against instances of Active Directory Lightweight Domain Services (AD LDS)—formerly known as AD Application Mode. For an AD LDS object, use the /resetDefaultDACL switch to reset permissions to the default in the discretionary ACL or /resetDefaultSACL for the system ACL.
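
Because the reset discards whatever is currently set on the objects, it is worth recording the existing security descriptors first. The following script is an added example, not part of the original answer: it saves the SDDL of every object under the OU to a CSV file and then runs the dsacls command shown above. It assumes an AD DS domain and the RSAT ActiveDirectory PowerShell module; the script parameters and the backup folder are hypothetical.

```powershell
# Added example: snapshot security descriptors under an OU, then reset them
# with "dsacls <DN> /S /T". Assumes the RSAT ActiveDirectory module.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)]
    [string]$OuDn,                              # e.g. "OU=Sales,DC=root,DC=net"
    [string]$BackupDir = 'C:\Temp\acl-backup'   # hypothetical backup folder
)

$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$csv   = Join-Path $BackupDir "acl-before-$stamp.csv"

# Read the security descriptor of the OU and everything beneath it.
$objects = Get-ADObject -SearchBase $OuDn -SearchScope Subtree -Filter * `
                        -Properties nTSecurityDescriptor

$objects | ForEach-Object {
    $sd = $_.nTSecurityDescriptor
    # Explicit (non-inherited) ACEs are the entries set directly on the object.
    $explicit = $sd.GetAccessRules($true, $false,
                    [System.Security.Principal.SecurityIdentifier])
    [pscustomobject]@{
        DistinguishedName = $_.DistinguishedName
        ObjectClass       = $_.ObjectClass
        ExplicitAceCount  = $explicit.Count
        Sddl              = $sd.GetSecurityDescriptorSddlForm('All')
    }
} | Export-Csv -Path $csv -NoTypeInformation -Encoding UTF8

Write-Host "Saved $(@($objects).Count) security descriptors to $csv"

# Run the reset only after the snapshot has been written; -WhatIf skips it.
if ($PSCmdlet.ShouldProcess($OuDn, 'Reset permissions to default (dsacls /S /T)')) {
    & dsacls.exe $OuDn /S /T
    if ($LASTEXITCODE -ne 0) {
        throw "dsacls.exe exited with code $LASTEXITCODE"
    }
}
```

Running the script with -WhatIf writes the CSV without performing the reset, which allows the recorded permissions to be reviewed beforehand.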