Acldiag Syntax

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

acldiag ObjectDN [/schema] [/chkdeleg] [/geteffective:{User | Group | *}] [/fixdeleg] [/skip] [/tdo]



  • ObjectDN
    Identifies the Active Directory object to investigate. Enter the LDAP URL for an object in Active Directory. The LDAP URL format consists of the name of the LDAP server followed by the distinguished name of the object. The string must be enclosed in quotation marks. For example: "LDAP:// Admin,CN=Users,DC=domain,DC=test,DC=microsoft,DC=com"
    • If you specify an object without additional parameters, AclDiag lists the access control entries (ACEs) in the ACL, and inheritance and audit settings.
  • /geteffective:{User | Group | *}
    Adds an effective rights diagnosis to the display. The effective rights diagnosis displays the effective permissions to the object held by specified users or groups. Effective permissions are the permissions that are enforced after precedence is applied and conflicts in rights are resolved.

    Value          Description
    User | Group   Displays the effective permissions held by the specified user or group.
    *              Displays the effective permissions of all users and groups in the access control list (ACL) for the object.

  • /schema
    Adds a schema diagnosis to the display. The schema diagnosis reports whether the object ACL includes the ACEs that are in the schema defaults.
  • /chkdeleg
    Adds a delegation diagnosis to the display. The delegation diagnosis reports whether the object ACL includes the ACEs that are in the delegation template. A status of misconfigured indicates that at least one, but not all, ACEs in a delegation template (and in the schema default) are included in the ACL.
  • /fixdeleg
    Directs AclDiag to reapply the delegation template to the object ACL, eliminating special permissions and restoring incomplete delegations. When the specified object inherits delegated permissions, this parameter reapplies the delegation template to the object for which the delegated permissions are explicitly defined. The /fixdeleg parameter is interactive: it gives the user an opportunity to fix each misconfigured delegation.
    Note
    • This parameter is effective only when used with the /chkdeleg parameter. Without /chkdeleg, /fixdeleg is ignored, but AclDiag does not report an error.
  • /skip
    Omits the security description from the display. The security description is a list of the ACEs in the object ACL.
  • /tdo
    Displays output in tab-delimited format. Fixed-width format is the default. Tab-delimited format is useful when the output is destined for a database or spreadsheet.
