Re: Corrupted object in AD?

From: Dmitri Gavrilov [MSFT] (dmitrig_at_online.microsoft.com)
Date: 08/04/04


Date: Tue, 3 Aug 2004 22:33:15 -0700

Interesting... I think I only now begin to understand why /S does not work,
while /R does. /S tries to reset the permissions to the default SD from the
schema. But that means it needs to read the objectClass first, and this is
denied. That's where it gets the error ERROR_CURRENT_DIRECTORY (The
directory cannot be removed). That's actually a bug -- it's actually getting
LDAP_NO_SUCH_ATTRIBUTE and converts it to a win32 error. Dsacls /R reads the
SD, and this is not denied for the owner of the object. Nor is writing the
SD.

That said, /resetDefaultDACL should have worked with ADAM's dsacls. This one
does not attempt to read anything.

-- 
Dmitri Gavrilov
SDE, Active Directory Core
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
"Patrick Moore" <patters98@hotmail.com> wrote in message
news:289fdf4b.0408031232.14405dbb@posting.google.com...
> I fixed it. The /S switch doesn't run if there is an Everyone:Deny
> permission. I was able to remove this deny using:
>
> dsacls <object> /R Everyone
>
> at which point my problem was solved, since all the rest of the
> permissions were as before and the correct Everyone permissions were
> inherited from the parent object.
>
>
> patters98@hotmail.com (Patrick Moore) wrote in message
> news:<289fdf4b.0408030650.1ef38d06@posting.google.com>...
> > I have the same problem with a mail store object. Someone previously
> > got in a mess with the Exchange permissions and it is currently
> > preventing exmerge from running (it enumerates the stores on startup
> > and quits).
> >
> > I have tried everything in this thread and used the ADAM version of
> > dsacls.exe to no avail. I also get the "The directory cannot be
> > removed" error when I try the /S command line. I managed to take
> > ownership OK though. I have an Everyone:Deny All permission in there
> > just like the original poster.
> >
> > Is there a solution to this?
> >
> > Thanks,
> >
> > Patrick
> >
> > "Lee Flight" <lef@le.ac.uk-nospam> wrote in message
> > news:<#NnjOMRZEHA.556@tk2msftngp13.phx.gbl>...
> > > <DomainName>\Enterprise Admins is the correct default owner
> > > for that object (at least for Ex2k3 in the domain I am looking at).
> > >
> > > Have you still got the deny Everyone permission in the DSACLS output
> > > if not then you are OK aren't you?
> > >
> > > Lee Flight
> > >
> > >
> > > "timg" <tim@deltacompsys.com> wrote in message
> > > news:10eqofqjskket4b@corp.supernews.com...
> > > > Thanx, I really appreciate the help!  I downloaded the ADAM package and
> > > > installed the administrator tools only.  That gave me dsacls.  I ran it to
> > > > take ownership.  Here is the command line copy...
> > > >
> > > > C:\WINDOWS\ADAM>dsacls "CN=All Users,CN=All Address Lists,CN=Address Lists Container,CN=DeltaMail,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=delta,DC=deltacompsys,DC=com" /takeOwnership
> > > >
> > > > after dumping the ACLS it reported the command completed successfully but
> > > > the owner was not changed, DELTA\Enterprise Admins.
> > > >
> > > > I then tried running
> > > >
> > > > C:\WINDOWS\ADAM>dsacls "CN=All Users,CN=All Address Lists,CN=Address Lists Container,CN=DeltaMail,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=delta,DC=deltacompsys,DC=com" /S
> > > > The directory cannot be removed.
> > > >
> > > > The command failed to complete successfully.
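The checks the thread walks through, written up as an added PowerShell example (not code from the thread or from Microsoft): read the object's security descriptor as its owner, list the explicit Deny ACEs that block dsacls /S, show the attribute read that /S needs, and then remove only the Everyone Deny entries, which is what dsacls /R Everyone did for Patrick. It assumes the RSAT ActiveDirectory module (for the AD: drive and Get-ADObject) and that you already own the object, e.g. after dsacls /takeOwnership; the DN is a placeholder to replace with the real object.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module
# (AD: PSDrive) and that the current user already owns the object.
Import-Module ActiveDirectory

# Placeholder DN: replace with the object that carries the Everyone:Deny ACE.
$dn = 'CN=PLACEHOLDER-OBJECT,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=example,DC=com'

# 1. Reading the SD is permitted for the owner even with Everyone:Deny present,
#    which is why dsacls /R works: it only reads and writes the SD.
$acl = Get-Acl -Path "AD:\$dn"
"Owner: $($acl.Owner)"

# 2. Explicit (non-inherited) Deny ACEs. The Everyone:Deny All entry from the
#    thread shows up here as GenericAll for Everyone.
$denies = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited
}
$denies |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType |
    Format-Table -AutoSize

# 3. The read that dsacls /S needs before it can apply the schema default SD:
#    the object's objectClass. With the Deny ACE in place this read fails,
#    which is the failure /S reports as "The directory cannot be removed".
try {
    (Get-ADObject -Identity $dn -Properties objectClass).objectClass
} catch {
    "objectClass read failed: $($_.Exception.Message)"
}

# 4. Remove only the explicit Deny ACEs for Everyone (SID S-1-1-0); everything
#    else in the DACL is left alone, and the inherited Everyone permissions from
#    the parent apply again once the entry is gone (equivalent of /R Everyone).
$everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
$toRemove = @($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $everyone
})
foreach ($ace in $toRemove) { [void]$acl.RemoveAccessRule($ace) }
if ($toRemove.Count -gt 0) {
    Set-Acl -Path "AD:\$dn" -AclObject $acl
    "Removed $($toRemove.Count) Everyone:Deny ACE(s) from $dn"
} else {
    "No explicit Everyone:Deny ACE found on $dn"
}
```

Run step 2 first and keep its output; it is the record of what was on the object before the change, and it is the place to look for other explicit Deny entries that a mis-set Exchange delegation may have left behind.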
