diff --git a/opendj-doc-generated-ref/src/main/docbkx/admin-guide/chap-privileges-acis.xml b/opendj-doc-generated-ref/src/main/docbkx/admin-guide/chap-privileges-acis.xml
index d483961d89..2ae66f1423 100644
--- a/opendj-doc-generated-ref/src/main/docbkx/admin-guide/chap-privileges-acis.xml
+++ b/opendj-doc-generated-ref/src/main/docbkx/admin-guide/chap-privileges-acis.xml
@@ -1201,19 +1201,25 @@ The LDAP password modify operation was successful
example if you use it as the basis for your script.
$ dsconfig \
- set-access-control-handler-prop \
- --remove global-aci:\(targetattr!=\"userPassword\|\|authPassword\|\|changes\|\
-\|changeNumber\|\|changeType\|\|changeTime\|\|targetDN\|\|newRDN\|\
-\|newSuperior\|\|deleteOldRDN\|\|targetEntryUUID\|\|changeInitiatorsName\|\
-\|changeLogCookie\|\|includedAttributes\"\)\(version\ 3.0\;\ acl\ \"Anonymous\
-\ read\ access\"\;\ allow\ \(read,search,compare\)\
-\ userdn=\"ldap:///anyone\"\;\)\
- --hostname opendj.example.com \
- --port 4444 \
- --bindDN cn=Directory\ Manager \
- --bindPassword password \
- --trustAll \
- --no-prompt
+set-access-control-handler-prop \
+--remove=global-aci:'(targetattr!="userPassword||authPassword||changes||
+changeNumber||changeType||changeTime||targetDN||newRDN||
+newSuperior||deleteOldRDN||targetEntryUUID||changeInitiatorsName||
+changeLogCookie||includedAttributes")(version 3.0; acl "Anonymous
+ read access"; allow (read,search,compare) userdn="ldap:///anyone";)' \
+--hostname=opendj.example.com \
+--port=4444 \
+--bindDN=cn=Directory\ Manager \
+--bindPassword=password \
+--trustAll \
+--no-prompt
+
+ The above command sequence utilizes single quote encapsulation
+ of the "global-aci" value. This is simply to avoid
+ the need for extensive character escapes. If the quotes are removed,
+ the user will need to manually escape certain characters, such as pipe
+ (|) or exclamation points (!) to
+ avoid shell errors.
If the global-aci does not match the ACI exactly
then the command fails to remove the value. An alternative approach is to