Error when the "dsacls" Command Is Run in PowerShell
Okta Classic Engine
Directories
Okta Identity Engine
Overview

When running the dsacls command in a PowerShell window with elevated permission, an error may be returned stating:

 

The term <term> is not recognized as the name of a cmdlet, function, script file, or operable program. 

 

While PowerShell and CMD commands are outside the scope of Okta Support, this article is provided as a best effort to assist by describing the root cause and solution to a common issue.

 

Here are two examples:

  1. dsacls "OU=targetOU,DC=domain" /I:S /G domain\agentserviceaccount:WP;pwdLastSet;user

pwdLastSet : The term 'pwdLastSet' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.


 

  2. dsacls "OU=targetOU,DC=domain" /I:S /G domain\agentserviceaccount:WP;lockoutTime;user

lockoutTime : The term 'lockoutTime' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.


Applies To
  • Directories
  • Active Directory (AD)
  • PowerShell
Cause

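The error occurs when the dsacls command is run from an elevated PowerShell prompt rather than from an elevated command prompt, or when it is run on a server that does not have the Active Directory Domain Services role installed. In PowerShell, an unquoted semicolon ends a statement, so the text after each semicolon in the permission statement (for example, pwdLastSet) is run as a separate command.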

Solution

The dsacls command is only available on a server with the Active Directory Domain Services role installed. Ensure the command is performed on a domain controller (DC).

  1. Run the command from an elevated command prompt. Open the command prompt as administrator to execute the dsacls command.

Examples:

    • dsacls "OU=targetOU,DC=domain" /I:S /G domain\agentserviceaccount:WP;pwdLastSet;user
    • dsacls "OU=targetOU,DC=domain" /I:S /G domain\agentserviceaccount:WP;lockoutTime;user
  2. If the command must be performed using PowerShell with elevated privileges, enclose the PermissionStatement syntax in double quotation marks.

Examples:

    • dsacls "OU=targetOU,DC=domain" /I:S /G "domain\agentserviceaccount:WP;pwdLastSet;user"
    • dsacls "OU=targetOU,DC=domain" /I:S /G "domain\agentserviceaccount:WP;lockoutTime;user"
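
To see why the quotation marks matter before touching any ACL, the following added example (not part of the original article) asks the PowerShell parser how it splits each form of the command. The OU, domain and account names are the article's placeholders, and `Get-TopLevelStatement` is a hypothetical helper name.

```powershell
# Added example: the command lines are only parsed, never executed,
# so no permissions are changed by running this script.
function Get-TopLevelStatement {
    param([Parameter(Mandatory)][string]$Line)
    $tokens = $null
    $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput($Line, [ref]$tokens, [ref]$errors)
    # Each top-level statement is something PowerShell runs as a separate command.
    foreach ($statement in $ast.EndBlock.Statements) {
        $statement.Extent.Text
    }
}

# The two forms from the article, held as literal strings.
$unquoted = 'dsacls "OU=targetOU,DC=domain" /I:S /G domain\agentserviceaccount:WP;pwdLastSet;user'
$quoted   = 'dsacls "OU=targetOU,DC=domain" /I:S /G "domain\agentserviceaccount:WP;pwdLastSet;user"'

foreach ($line in $unquoted, $quoted) {
    $statements = @(Get-TopLevelStatement -Line $line)
    '{0} statement(s):' -f $statements.Count
    $statements | ForEach-Object { "    $_" }
}

# Second cause from the article: dsacls is not present on this machine at all.
if (-not (Get-Command dsacls.exe -ErrorAction SilentlyContinue)) {
    'dsacls.exe was not found; run the command on a domain controller.'
}
```

When the permission statement is unquoted, the text after each semicolon is listed as its own statement, and the dsacls statement that remains carries only the trustee and WP, without the attribute or object type.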

 
