January 18, 2005 12:00 AM

Access Denied: Returning to a Domain's Default Permissions

Windows IT Pro
InstantDoc ID #44914

We've royally messed up our permissions in Active Directory (AD). How can we get back to AD's default permissions and start again?

A Windows Support Tools command called Dsacls lets you configure AD permissions from the command line. The command

dsacls DC=Acme,DC=Com /S /T

would reset the permissions for the acme.com domain. The /S switch resets the specified object's permissions to the default ACL specified in AD's schema. The /T switch causes Dsacls to reset permissions for all of the specified object's child objects. In other words, the Dsacls command with /S and /T resets the permissions on every object, from the root of the specified domain down, to the default that the domain's schema defines for that object's class. You can also use Dsacls to modify an object's permissions any way you want, from adding or removing an access control entry (ACE) to replacing the ACE with permissions specified on the command line. For a full explanation of Dsacls parameters, type

dsacls /?

at the command prompt.
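
Because /S combined with /T overwrites every ACL under the target, it helps to record the security descriptors before and after the reset so the change can be reviewed. The following is an added example, not part of the original article: it assumes the RSAT ActiveDirectory PowerShell module is installed, and the function names and CSV file names are hypothetical.

```powershell
# Added example: snapshot AD security descriptors around a dsacls /S /T reset.
# Assumption: RSAT ActiveDirectory module; function and file names are hypothetical.
Import-Module ActiveDirectory

$Base = 'DC=Acme,DC=Com'   # domain DN from the article; point at a test OU first

function Export-AclSnapshot {
    param([string]$SearchBase, [string]$Path)
    # nTSecurityDescriptor is returned as an ActiveDirectorySecurity object;
    # its SDDL string is a stable text form that can be compared later.
    Get-ADObject -SearchBase $SearchBase -SearchScope Subtree -Filter * `
                 -Properties nTSecurityDescriptor |
        ForEach-Object {
            $sd = $_.nTSecurityDescriptor
            [pscustomobject]@{
                DistinguishedName = $_.DistinguishedName
                ObjectClass       = $_.ObjectClass
                # Empty when the caller is not allowed to read the descriptor
                Sddl = if ($sd) { $sd.GetSecurityDescriptorSddlForm('All') } else { '' }
            }
        } | Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8
}

function Compare-AclSnapshot {
    param([string]$Before, [string]$After)
    # Index the earlier snapshot by DN, then keep rows whose SDDL differs.
    $old = @{}
    Import-Csv $Before | ForEach-Object { $old[$_.DistinguishedName] = $_.Sddl }
    Import-Csv $After |
        Where-Object { $old[$_.DistinguishedName] -ne $_.Sddl } |
        Select-Object DistinguishedName, ObjectClass,
            @{ n = 'SddlBefore'; e = { $old[$_.DistinguishedName] } },
            @{ n = 'SddlAfter';  e = { $_.Sddl } }
}

# 1. Record the current state.
Export-AclSnapshot -SearchBase $Base -Path .\acl-before.csv

# 2. Reset to the schema defaults, as described in the article.
dsacls $Base /S /T

# 3. Record the new state and list every object whose descriptor changed.
Export-AclSnapshot -SearchBase $Base -Path .\acl-after.csv
Compare-AclSnapshot -Before .\acl-before.csv -After .\acl-after.csv |
    Export-Csv -Path .\acl-changes.csv -NoTypeInformation -Encoding UTF8
```

The acl-before.csv file also serves as a record of any delegations that were intentional and need to be reapplied after the reset.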


Windows is a trademark of the Microsoft group of companies. Windows IT Pro is used by Penton Media Inc. under license from owner.