Microsoft Knowledge Base Article 281146 contains the following summary:
This article describes how to use the Dsacls.exe tool (Dsacls.exe) to manage access control lists (ACLs) for directory services in Windows 2000. Dsacls.exe is a command-line tool that you can use to query and change permissions and security attributes of Active Directory objects. It is the command-line equivalent of the Security tab in the Windows 2000 Active Directory snap-in tools such as Active Directory Users and Computers and Active Directory Sites and Services.
Dsacls.exe is included with the Windows 2000 Support Tools. To install the Support Tools, run Setup.exe from the Support\Tools folder on the Windows 2000 Server CD-ROM.
You can use Dsacls.exe and another Windows 2000 Support Tool, ACL Diagnostics (Acldiag.exe), to provide security configuration and diagnosis functionality on Active Directory objects from the command prompt.
Important Do not use Dsacls.exe to modify permissions if you have implemented a Hosting solution such as Windows-based Hosting, High Volume Exchange (HVE), Hosted Messaging and Collaboration, or Hosted Exchange, or if the customer is using Microsoft Provisioning Service. The Hosting solutions depend on specific security model to isolate the ISP's customers from each other.