Re: Corrupted object in AD?
From: Patrick Moore (patters98_at_hotmail.com)
Date: 08/04/04
- In reply to: Dmitri Gavrilov [MSFT]: "Re: Corrupted object in AD?"
Date: 4 Aug 2004 06:20:07 -0700
I've just noticed that I dropped the ADAM dsacls into a folder in the
path on my workstation. However I forgot that I have the Windows 2003
Support Tools on my PC and therefore I have the older version on my
system too. It's probable that I ran the wrong one.
They both have a typo in the help for the /takeOwnership
(takenOwnership) and it's not clear that they expect all options to be
in uppercase only.
"Dmitri Gavrilov [MSFT]" <dmitrig@online.microsoft.com> wrote in message news:<eoduRSeeEHA.2544@TK2MSFTNGP10.phx.gbl>...
> Interesting... I think I only now begin to understand why /S does not work,
> while /R does. /S tries to reset the permissions to the default SD from the
> schema. But that means it needs to read the objectClass first, and this is
> denied. That's where it gets the error ERROR_CURRENT_DIRECTORY (The
> directory cannot be removed). That's actually a bug -- it's actually getting
> LDAP_NO_SUCH_ATTRIBUTE and converts it to a win32 error. Dsacls /R reads the
> SD, and this is not denied for the owner of the object. Nor is writing the
> SD.
>
> That said, /resetDefaultDACL should have worked with ADAM's dsacls. This one
> does not attempt to read anything.
>
> --
> Dmitri Gavrilov
> SDE, Active Directory Core
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
> Use of included script samples are subject to the terms specified at
> http://www.microsoft.com/info/cpyright.htm
>
> "Patrick Moore" <patters98@hotmail.com> wrote in message
> news:289fdf4b.0408031232.14405dbb@posting.google.com...
> > I fixed it. The /S switch doesn't run if there is an Everyone:Deny
> > permission. I was able to remove this deny using:
> >
> > dsacls <object> /R Everyone
> >
> > at which point my problem was solved, since all the rest of the
> > permissions were as before and the correct Everyone permissions were
> > inherited from the parent object.
> >
> >
> > patters98@hotmail.com (Patrick Moore) wrote in message news:<289fdf4b.0408030650.1ef38d06@posting.google.com>...
> > > I have the same problem with a mail store object. Someone previously
> > > got in a mess with the Exchange permissions and it is currently
> > > preventing exmerge from running (it enumerates the stores on startup
> > > and quits).
> > >
> > > I have tried everything in this thread and used the ADAM version of
> > > dsacls.exe to no avail. I also get the "The directory cannot be
> > > removed" error when I try the /S command line. I managed to take
> > > ownership OK though. I have an Everyone:Deny All permission in there
> > > just like the original poster.
> > >
> > > Is there a solution to this?
> > >
> > > Thanks,
> > >
> > > Patrick
> > >
> > > > "Lee Flight" <lef@le.ac.uk-nospam> wrote in message news:<#NnjOMRZEHA.556@tk2msftngp13.phx.gbl>...
> > > > <DomainName>\Enterprise Admins is the correct default owner
> > > > for that object (at least for Ex2k3 in the domain I am looking at).
> > > >
> > > > Have you still got the deny Everyone permission in the DSACLS output
> > > > if not then you are OK aren't you?
> > > >
> > > > Lee Flight
> > > >
> > > >
> > > > "timg" <tim@deltacompsys.com> wrote in message
> > > > news:10eqofqjskket4b@corp.supernews.com...
> > > > > > Thanx, I really appreciate the help! I downloaded the ADAM package and
> > > > > > installed the administrator tools only. That gave me dsacls. I ran it to
> > > > > > take ownership. Here is the command line copy...
> > > > >
> > > > > > C:\WINDOWS\ADAM>dsacls "CN=All Users,CN=All Address Lists,CN=Address Lists Container,CN=DeltaMail,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=delta,DC=deltacompsys,DC=com" /takeOwnership
> > > > >
> > > > > > after dumping the ACLS it reported the command completed successfully but
> > > > > > the owner was not changed, DELTA\Enterprise Admins.
> > > > >
> > > > > I then tried running
> > > > >
> > > > > > C:\WINDOWS\ADAM>dsacls "CN=All Users,CN=All Address Lists,CN=Address Lists Container,CN=DeltaMail,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=delta,DC=deltacompsys,DC=com" /S
> > > > > The directory cannot be removed.
> > > > >
> > > > > The command failed to complete successfully.
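The behaviour described in this thread (/S fails because reading objectClass is denied, while /R succeeds because the owner can always read and write the security descriptor), modelled as an added example that is not code from the thread or from Microsoft. It is a simplified Python access check; the `DELTA\admin` account and the DACL contents are constructed, and the model assumes explicit ACEs only, no inheritance and no OWNER RIGHTS ACE.

```python
# Simplified model of the Windows access check (added example; assumes explicit
# ACEs only and no OWNER RIGHTS ACE). SIDs are plain strings for readability.
READ_PROP    = 0x00010      # ADS_RIGHT_DS_READ_PROP (needed to read objectClass)
READ_CONTROL = 0x20000      # read the security descriptor
WRITE_DAC    = 0x40000      # write the DACL
FULL_CONTROL = 0xF01FF      # "All" on a directory object

def access_check(token_sids, owner, dacl, desired):
    """Return True if every right in `desired` is granted to the caller.
    dacl is an ordered list of (ace_type, sid, mask) tuples."""
    remaining = desired
    # The owner implicitly holds READ_CONTROL and WRITE_DAC; this is decided
    # before the DACL is walked, so a Deny ACE cannot take it away.
    if owner in token_sids:
        remaining &= ~(READ_CONTROL | WRITE_DAC)
    for ace_type, sid, mask in dacl:
        if not remaining:
            break
        if sid not in token_sids:
            continue
        if ace_type == "DENY" and mask & remaining:
            return False            # a matching Deny ends the check
        if ace_type == "ALLOW":
            remaining &= ~mask
    return remaining == 0

def remove_aces(dacl, sid):
    """Model of `dsacls <object> /R <sid>`: drop every ACE for that trustee."""
    return [ace for ace in dacl if ace[1] != sid]

# Constructed scenario: the caller is a member of the owning group.
TOKEN = {"DELTA\\admin", "DELTA\\Enterprise Admins", "Everyone"}
OWNER = "DELTA\\Enterprise Admins"
BROKEN_DACL = [("DENY", "Everyone", FULL_CONTROL),
               ("ALLOW", "DELTA\\Enterprise Admins", FULL_CONTROL)]

def scenario():
    """Walk the thread's sequence and return each step's outcome."""
    read_class = access_check(TOKEN, OWNER, BROKEN_DACL, READ_PROP)   # /S needs this
    edit_sd = access_check(TOKEN, OWNER, BROKEN_DACL,
                           READ_CONTROL | WRITE_DAC)                  # /R needs this
    fixed = remove_aces(BROKEN_DACL, "Everyone")
    read_after = access_check(TOKEN, OWNER, fixed, READ_PROP)
    return read_class, edit_sd, read_after

if __name__ == "__main__":
    print(scenario())
```

A caller who is not the owner gets no implicit rights, so the same Deny ACE also blocks WRITE_DAC for them; that is why taking ownership had to come first.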