 should be in the following forms:
                group@domain or domain\group
                user@domain or domain\user
                FQDN of the user or group
                A string SID

 should be in the following form:
         [Permission bits];[Object/Property];[Inherited Object Type]

         Permission bits can have the following values concatenated together:

         Generic Permissions
            GR      Generic Read
            GE      Generic Execute
            GW      Generic Write
            GA      Generic All

         Specific Permissions
            SD      Delete
            DT      Delete an object and all of its children
            RC      Read security information
            WD      Change security information
            WO      Change owner information
            LC      List the children of an object

            CC      Create child object
            DC      Delete a child object
                    For these two permissions, if [Object/Property] is
                    not specified to define a specific child object type,
                    they apply to all types of child objects; otherwise they
                    apply to that specific child object type.

            WS      Write To Self (also known as Validated Write). There
                    are 3 kinds of validated writes:
                      Self-Membership (bf9679c0-0de6-11d0-a285-00aa003049e2)
                      applied to Group object. It allows updating membership
                      of a group in terms of adding/removing its own account.
                    Example: (WS; bf9679c0-0de6-11d0-a285-00aa003049e2; AU)
                    applied to group X allows an Authenticated User to
                    add/remove oneself to/from group X, but not anybody else.
                      Validated-DNS-Host-Name (72e39547-7b18-11d1-adef-00c04fd8d5cd)
                      applied to computer object. It allows updating the
                      DNS host name attribute so that it is compliant with the
                      computer name and domain name.
                      Validated-SPN (f3a64788-5306-11d1-a9c5-0000f80367c1)
                      applied to computer object. It allows updating the SPN
                      attribute so that it is compliant with the DNS host name
                      of the computer.

            WP      Write property
            RP      Read property
                    For these two permissions, if [Object/Property] is not
                    specified to define a specific property, they apply to
                    all properties of the object; otherwise they apply to that
                    specific property of the object.

            CA      Control access right
                    For this permission, if [Object/Property] is not specified
                    to define the specific "extended right" for control access,
                    it applies to all control accesses meaningful on the
                    object; otherwise it applies to the specific extended right
                    for that object.

            LO      List the object access. Can be used to grant
                    list access to a specific object if
                    List Children (LC) is not granted to the parent; it can
                    also be denied on specific objects to hide those objects
                    if the user/group has LC on the parent.
                    NOTE: AD DS does NOT enforce this permission
                    by default; it has to be configured to start checking for
                    this permission.

         [Object/Property]
         must be the display name of the object type or the property.
         For example, "user" is the display name for user objects and
         "telephone number" is the display name for the telephone number property.

         [Inherited Object Type]
         must be the display name of the object type that the permissions
         are expected to be inherited to. The permissions MUST be Inherit Only.

         NOTE: This must only be used when defining object specific permissions
         that override the default permissions defined in the AD DS schema for that
         object type. USE THIS WITH CAUTION and ONLY IF YOU UNDERSTAND object
         specific permissions.

         Examples of a valid  would be:

         SDRCWDWO;;user
         means:
         Delete, Read security information, Change security information and
         Change ownership permissions on objects of type "user".

         CCDC;group;
         means:
         Create child and Delete child permissions to create/delete objects
         of type group.

         RPWP;telephonenumber;
         means:
         Read property and Write property permissions on the telephone number
         property.

 You can specify more than one user in a command.
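The following is an added example, not part of the dsacls help text or of the tool itself: a small parser for the permission string syntax described above ([Permission bits];[Object/Property];[Inherited Object Type]). It splits the three fields, validates the two-letter bit tokens against the list in the help text, spells out the scope rules for CC/DC, WP/RP and CA when [Object/Property] is empty, and flags strings that grant control of the object's security descriptor (GA, WD, WO), which is what an ACL reviewer most wants to spot. Function and variable names are hypothetical; the bit tokens and the three worked strings come from the text.

```python
# Added example (not dsacls code): parse and describe a dsacls permission
# string of the form [bits];[Object/Property];[Inherited Object Type].
# Names of functions and constants here are hypothetical.

# Two-letter permission bits as listed in the help text.
PERMISSION_BITS = {
    "GR": "Generic Read",
    "GE": "Generic Execute",
    "GW": "Generic Write",
    "GA": "Generic All",
    "SD": "Delete",
    "DT": "Delete an object and all of its children",
    "RC": "Read security information",
    "WD": "Change security information",
    "WO": "Change owner information",
    "LC": "List the children of an object",
    "CC": "Create child object",
    "DC": "Delete a child object",
    "WS": "Write To Self (validated write)",
    "WP": "Write property",
    "RP": "Read property",
    "CA": "Control access right",
    "LO": "List the object access",
}

# Bits that let the grantee rewrite the object's security descriptor (or do
# anything at all to it); an ACL review should look at these first.
CONTROL_BITS = {"GA", "WD", "WO"}

# Bits whose scope widens when [Object/Property] is left empty, per the text.
SCOPED_BY_OBJECT = {
    "CC": "all child object types",
    "DC": "all child object types",
    "WP": "all properties of the object",
    "RP": "all properties of the object",
    "CA": "all control access rights meaningful on the object",
}


def parse_perm(perm):
    """Split a permission string into its three fields and expand the bit tokens.

    Raises ValueError for a malformed string; returns a dict otherwise.
    """
    fields = perm.split(";")
    if len(fields) != 3:
        raise ValueError("expected 3 ';'-separated fields, got %d: %r" % (len(fields), perm))
    bits, obj, inherited = (f.strip() for f in fields)
    if not bits or len(bits) % 2:
        raise ValueError("permission bits must be a non-empty run of two-letter tokens: %r" % bits)
    tokens = [bits[i:i + 2].upper() for i in range(0, len(bits), 2)]
    unknown = sorted(set(tokens) - set(PERMISSION_BITS))
    if unknown:
        raise ValueError("unknown permission bits: %s" % ", ".join(unknown))
    return {
        "bits": tokens,
        "names": [PERMISSION_BITS[t] for t in tokens],
        "object": obj or None,          # None means "not specified"
        "inherited": inherited or None, # None means no inherit-only child type
        "control": sorted(set(tokens) & CONTROL_BITS),
    }


def describe(perm):
    """Render a permission string as 'means:' prose plus scope and review notes."""
    p = parse_perm(perm)
    lines = ["%s means: %s" % (perm, ", ".join(p["names"]))]
    target = p["object"] or ""
    for t in p["bits"]:
        if t in SCOPED_BY_OBJECT:
            where = ('"%s"' % target) if target else SCOPED_BY_OBJECT[t]
            lines.append("  %s applies to %s" % (t, where))
    if p["inherited"]:
        lines.append('  inherit-only; applies to child objects of type "%s"' % p["inherited"])
    if p["control"]:
        lines.append("  REVIEW: grants control of the object (%s)" % ", ".join(p["control"]))
    return lines


if __name__ == "__main__":
    # The three worked examples from the help text.
    for example in ("SDRCWDWO;;user", "CCDC;group;", "RPWP;telephonenumber;"):
        print("\n".join(describe(example)))
        print()
```

Running the block prints each of the text's three example strings expanded into its bit meanings; the first one (SDRCWDWO;;user) is additionally flagged because WD and WO let the grantee change the security descriptor and owner of every user object it is inherited to.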