DsAcls.exe and Acldiag.exe are just two of the Windows 2000 Support Tools, which are installed from the Support\Tools folder on the Windows 2000 Professional or Windows 2000 Server CD-ROM.

DsAcls (Dsacls.exe)

"This tool facilitates management of access control lists (ACLs) for directory services. DsAcls enables you to query and manipulate security attributes on Active Directory objects. It is the command-line equivalent of the Security page on various Active Directory snap-in tools.

Along with Acldiag.exe: ACL Diagnostics, another Windows 2000 Support Tool, DsAcls provides security configuration and diagnosis functionality on Active Directory objects from the command prompt."

ACL Diagnostics (Acldiag.exe)

"This command-line tool helps diagnose and troubleshoot problems with permissions on Active Directory objects. It reads security attributes from access control lists (ACLs) and writes information in either readable or tab-delimited format. The latter can be uploaded into a text file for searches on particular permissions, users, or groups, or into a spreadsheet or database for reporting. The tool also provides some simple cleanup functionality.

With AclDiag, you can:

Compare the ACL on a directory services object to the permissions defined in the schema defaults.

Check or fix standard delegations performed using templates from the Delegation of Control wizard in the Active Directory Users and Computers snap-in, a Windows 2000 administrative tool.

Get effective permissions granted to a specific user or group, or to all users and groups that show up in the ACL.

AclDiag displays only the permissions of objects the user has the right to view. Because Group Policy objects are virtual objects that have no distinguished name, this tool cannot be used on them.

For general-purpose ACL reporting and setting from the command prompt, you can also use Dsacls.exe, another Windows 2000 Support Tool."