Re: Corrupted object in AD?

From: Dmitri Gavrilov [MSFT] (dmitrig_at_online.microsoft.com)
Date: 07/07/04

Next message: Jonathan Cossio: "Re: User log on lock out policy does not function correctly in 2003"
Previous message: Hazman: "Adding software through Group Policy"
In reply to: timg: "Corrupted object in AD?"
Next in thread: timg: "Re: Corrupted object in AD?"
Reply: timg: "Re: Corrupted object in AD?"
Messages sorted by: [ date ] [ thread ]

Date: Wed, 7 Jul 2004 10:12:24 -0700

Deny everyone means deny everyone, including you. You shot yourself in the
foot. To get out, you should reset the DACL to the default. You can use
dsacls /S to do this.

If you don't own the object, then this won't work. In this case, get ADAM
and use ADAM's version of dsacls. It has /takeOwnership switch that lets you
take ownership, which should give you WRITE_DAC control and you will be able
to update the DACL.

-- 
Dmitri Gavrilov
SDE, Active Directory Core
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
"timg" <tim@deltacompsys.com> wrote in message
news:10eo71d4ct6vf26@corp.supernews.com...
> I have an exchange object in my Active Directory which appears to be
> corrupt.  At this point I cannot even delete the object.  It is an address
> list from Exchange.  I changed the permissions on the object to "deny"
> everyone so that the address list would not appear as a possible address
> list.
>
> When I view the object from ADSIEdit it no longer has a "class" type and
> when I select "properties" I get an error "an invalid directory pathname
was
> passed".  When I attempt to delete the object from ADSIEdit I get another
> error "The specified directory service attribute or value does not exist".
>
> I'm stuck at this point.  Any suggestions?  Thanx!
>
>

Next message: Jonathan Cossio: "Re: User log on lock out policy does not function correctly in 2003"
Previous message: Hazman: "Adding software through Group Policy"
In reply to: timg: "Corrupted object in AD?"
Next in thread: timg: "Re: Corrupted object in AD?"
Reply: timg: "Re: Corrupted object in AD?"
Messages sorted by: [ date ] [ thread ]

Relevant Pages

Re: how to restrict users to search in their own Organizational Unit
... To deny that right you must create a security group and deny read permission, then add the users to that security group. ... Active Directory, then he can see all users in Active Directory. ...
(microsoft.public.windows.server.active_directory)
Re: Deny specific user
... An explicit deny overrules any grant, which is effective for the object ... if anything inheriting permissions from where you place the deny has ... subfolders on a w2k server active directory? ...
(microsoft.public.win2000.security)
Re: Permissions to see items in Mailbox?
... you can modify the active directory to remove the deny. ... > I have a problem with the rights of my exchange server. ... > the admin account, ...
(microsoft.public.exchange.admin)