Re: Corrupted object in AD?
From: Lee Flight (lef_at_le.ac.uk-nospam)
Date: 08/04/04
- Next message: Loose Cannon: "Windows 2003 active DirectoryDomain Controller and ePolicy server"
- Previous message: Daryan: "RE: Random unknown account lockouts"
- In reply to: Dmitri Gavrilov [MSFT]: "Re: Corrupted object in AD?"
- Next in thread: Dmitri Gavrilov [MSFT]: "Re: Corrupted object in AD?"
- Reply: Dmitri Gavrilov [MSFT]: "Re: Corrupted object in AD?"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 4 Aug 2004 09:35:18 +0100
If I attempt to use /resetDefaultDACL with the ADAM version of dsacls
against an object in the AD I get:
C:\WINDOWS\ADAM>dsacls "cn=comp2,ou=TestOU,dc=test,dc=net" /resetDefaultDACL
Specified operation failed with ldap error:
00000538: AtrErr: DSID-03150896, #1:
0: 00000538: DSID-03150896, problem 1005 (CONSTRAINT_ATT_TYPE), data
0,
Att 20119 (nTSecurityDescriptor)
Constraint Violation
.
The parameter is incorrect.
The command failed to complete successfully.
This happens even for an object on which the W2k3 dsacls /S returns OK. /takeOwnership
and /resetDefaultSACL all work OK.
Thanks
Lee Flight
"Dmitri Gavrilov [MSFT]" <dmitrig@online.microsoft.com> wrote in message
news:eoduRSeeEHA.2544@TK2MSFTNGP10.phx.gbl...
> Interesting... I think I only now begin to understand why /S does not
> work, while /R does. /S tries to reset the permissions to the default SD
> from the schema. But that means it needs to read the objectClass first,
> and this is denied. That's where it gets the error ERROR_CURRENT_DIRECTORY
> (The directory cannot be removed). That's actually a bug -- it's actually
> getting LDAP_NO_SUCH_ATTRIBUTE and converts it to a win32 error. Dsacls /R
> reads the SD, and this is not denied for the owner of the object. Nor is
> writing the SD.
>
> That said, /resetDefaultDACL should have worked with ADAM's dsacls. This
> one does not attempt to read anything.
>
> --
> Dmitri Gavrilov
> SDE, Active Directory Core
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
> Use of included script samples are subject to the terms specified at
> http://www.microsoft.com/info/cpyright.htm
>
> "Patrick Moore" <patters98@hotmail.com> wrote in message
> news:289fdf4b.0408031232.14405dbb@posting.google.com...
>> I fixed it. The /S switch doesn't run if there is an Everyone:Deny
>> permission. I was able to remove this deny using:
>>
>> dsacls <object> /R Everyone
>>
>> at which point my problem was solved, since all the rest of the
>> permissions were as before and the correct Everyone permissions were
>> inherited from the parent object.
>>
>>
>> patters98@hotmail.com (Patrick Moore) wrote in message
>> news:<289fdf4b.0408030650.1ef38d06@posting.google.com>...
>> > I have the same problem with a mail store object. Someone previously
>> > got in a mess with the Exchange permissions and it is currently
>> > preventing exmerge from running (it enumerates the stores on startup
>> > and quits).
>> >
>> > I have tried everything in this thread and used the ADAM version of
>> > dsacls.exe to no avail. I also get the "The directory cannot be
>> > removed" error when I try the /S command line. I managed to take
>> > ownership OK though. I have an Everyone:Deny All permission in there
>> > just like the original poster.
>> >
>> > Is there a solution to this?
>> >
>> > Thanks,
>> >
>> > Patrick
>> >
>> > "Lee Flight" <lef@le.ac.uk-nospam> wrote in message
>> > news:<#NnjOMRZEHA.556@tk2msftngp13.phx.gbl>...
>> > > <DomainName>\Enterprise Admins is the correct default owner
>> > > for that object (at least for Ex2k3 in the domain I am looking at).
>> > >
>> > > Have you still got the deny Everyone permission in the DSACLS output
>> > > if not then you are OK aren't you?
>> > >
>> > > Lee Flight
>> > >
>> > >
>> > > "timg" <tim@deltacompsys.com> wrote in message
>> > > news:10eqofqjskket4b@corp.supernews.com...
>> > > > Thanx, I really appreciate the help! I downloaded the ADAM package
>> > > > and installed the administrator tools only. That gave me dsacls. I
>> > > > ran it to take ownership. Here is the command line copy...
>> > > >
>> > > > C:\WINDOWS\ADAM>dsacls "CN=All Users,CN=All Address Lists,CN=Address Lists Container,CN=DeltaMail,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=delta,DC=deltacompsys,DC=com" /takeOwnership
>> > > >
>> > > > after dumping the ACLS it reported the command completed successfully
>> > > > but the owner was not changed, DELTA\Enterprise Admins.
>> > > >
>> > > > I then tried running
>> > > >
>> > > > C:\WINDOWS\ADAM>dsacls "CN=All Users,CN=All Address Lists,CN=Address Lists Container,CN=DeltaMail,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=delta,DC=deltacompsys,DC=com" /S
>> > > > The directory cannot be removed.
>> > > >
>> > > > The command failed to complete successfully.
>
>
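The thread's root cause is an explicit Everyone:Deny ACE on the object, which blocks the objectClass read that dsacls /S needs while still leaving the owner able to read and write the security descriptor. The following PowerShell script is an added example, not code from the thread or from Microsoft: it audits one AD object's DACL through the [ADSI] accelerator (System.DirectoryServices), reports every explicit Deny ACE held by Everyone (well-known SID S-1-1-0), and, only when -Remove is given, strips those ACEs, which is the same effect as the `dsacls <object> /R Everyone` fix Patrick Moore posted. The distinguished name passed in is a placeholder; the script assumes it runs on a domain-joined host under an account that can read the object's nTSecurityDescriptor (for an object broken the way the thread describes, that means the owner or an account with explicit WRITE_DAC).

```powershell
# Added example (not from the thread): audit an AD object's DACL for explicit
# Deny ACEs held by Everyone, the condition that made dsacls /S fail above.
# -WhatIf is honoured for the removal step.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)]
    [string]$DistinguishedName,   # placeholder, e.g. "CN=comp2,OU=TestOU,DC=test,DC=net"
    [switch]$Remove               # when set, remove the offending ACEs (same effect as dsacls /R Everyone)
)

# Well-known SID for Everyone; compare on SIDs so name translation cannot mislead us.
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'

$obj = [ADSI]("LDAP://" + $DistinguishedName)

# ObjectSecurity is an ActiveDirectorySecurity built from nTSecurityDescriptor.
# Reading it needs only READ_CONTROL, which (as Dmitri notes) the owner keeps
# even under a Deny-All ACE; that is why /R works where /S does not.
$sd = $obj.ObjectSecurity

# Explicit (non-inherited) rules only: inherited ones come from the parent and
# would simply be re-applied on propagation, so there is nothing to fix here.
$rules = $sd.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])

$denies = @($rules | Where-Object {
    $_.AccessControlType -eq 'Deny' -and $_.IdentityReference -eq $everyone
})

if ($denies.Count -eq 0) {
    Write-Output "No explicit Deny ACE for Everyone on $DistinguishedName"
    return
}

# Report what would be removed so the change can be reviewed (or logged) first.
foreach ($ace in $denies) {
    [pscustomobject]@{
        Object      = $DistinguishedName
        Identity    = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value
        Type        = $ace.AccessControlType
        Rights      = $ace.ActiveDirectoryRights
        ObjectType  = $ace.ObjectType        # all-zero GUID means the ACE covers the whole object
        Inheritance = $ace.InheritanceType
    }
}

if ($Remove -and $PSCmdlet.ShouldProcess($DistinguishedName, "Remove $($denies.Count) explicit Deny ACE(s) for Everyone")) {
    foreach ($ace in $denies) { [void]$sd.RemoveAccessRule($ace) }
    # Writing the SD back needs WRITE_DAC, which the owner also retains.
    $obj.CommitChanges()
    Write-Output "Removed $($denies.Count) Deny ACE(s) for Everyone from $DistinguishedName"
}
```

Run it once without -Remove to see the offending ACEs, then with `-Remove -WhatIf` to confirm the target, and finally with -Remove. Because only explicit Deny ACEs for Everyone are touched, the remaining explicit ACEs and everything inherited from the parent are left exactly as they were, which matches the outcome Patrick described after `dsacls <object> /R Everyone`.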