Re: Corrupted object in AD?


From: Dmitri Gavrilov [MSFT] (dmitrig_at_online.microsoft.com)
Date: 08/05/04


Date: Thu, 5 Aug 2004 02:01:17 -0700

Thanks guys. I apologize, /resetDefaultDACL and /resetDefaultSACL only work
in ADAM now. I added this so long ago, I thought it was also in w2k3. But it
is not. It should be in Longhorn though.

The idea is to tell DS that you are setting the DACL (or SACL) via SD flags
control, but pass in an SD value without DACL (SACL) present. That would
indicate the intention to reset to default, to be performed on the server,
which is a more correct way than expanding the SDDL string on the client
(that's how /S works). So, this server-side reset currently works for ADAM
only.

BTW, both AD and ADAM support this functionality for OWNER field. Thus, if
you pass SD flags as 1 but your SD does not have an owner, then AD will
invoke the "SetDefaultOwner" procedure.

/takenOwnership should be /takeOwnership. Only the help text is wrong, the
actual flag is /takeOwnership. And they don't have to be upper-case, at
least not in ADAM's version of dsacls. I fixed the help text in ADAM SP1.

-- 
Dmitri Gavrilov
SDE, Active Directory Core
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
"Lee Flight" <lef@le.ac.uk-nospam> wrote in message
news:#PxDr3feEHA.724@TK2MSFTNGP10.phx.gbl...
> If I attempt to use /resetDefaultDACL with the ADAM version of dsacls
> against an object in the AD I get:
>
> C:\WINDOWS\ADAM>dsacls "cn=comp2,ou=TestOU,dc=test,dc=net" /resetDefaultDACL
>
>  Specified operation failed with ldap error:
>          00000538: AtrErr: DSID-03150896, #1:
>         0: 00000538: DSID-03150896, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 20119 (nTSecurityDescriptor)
>
>         Constraint Violation
> .
> The parameter is incorrect.
>
> The command failed to complete successfully.
>
> Even for an object on which the W2k3 dsacls /S returns OK. /takenOwnership
> and /resetDefaultSACL all work OK.
>
> Thanks
> Lee Flight
>
> "Dmitri Gavrilov [MSFT]" <dmitrig@online.microsoft.com> wrote in message
> news:eoduRSeeEHA.2544@TK2MSFTNGP10.phx.gbl...
> > Interesting... I think I only now begin to understand why /S does not work,
> > while /R does. /S tries to reset the permissions to the default SD from the
> > schema. But that means it needs to read the objectClass first, and this is
> > denied. That's where it gets the error ERROR_CURRENT_DIRECTORY (The
> > directory cannot be removed). That's actually a bug -- it's actually
> > getting LDAP_NO_SUCH_ATTRIBUTE and converts it to a win32 error. Dsacls /R
> > reads the SD, and this is not denied for the owner of the object. Nor is
> > writing the SD.
> >
> > That said, /resetDefaultDACL should have worked with ADAM's dsacls. This
> > one
> > does not attempt to read anything.
> >
> > -- 
> > Dmitri Gavrilov
> > SDE, Active Directory Core
> >
> > This posting is provided "AS IS" with no warranties, and confers no
> > rights.
> > Use of included script samples are subject to the terms specified at
> > http://www.microsoft.com/info/cpyright.htm
> >
> > "Patrick Moore" <patters98@hotmail.com> wrote in message
> > news:289fdf4b.0408031232.14405dbb@posting.google.com...
> >> I fixed it. The /S switch doesn't run if there is an Everyone:Deny
> >> permission. I was able to remove this deny using:
> >>
> >> dsacls <object> /R Everyone
> >>
> >> at which point my problem was solved, since all the rest of the
> >> permissions were as before and the correct Everyone permissions were
> >> inherited from the parent object.
> >>
> >>
> >> patters98@hotmail.com (Patrick Moore) wrote in message
> >> news:<289fdf4b.0408030650.1ef38d06@posting.google.com>...
> >> > I have the same problem with a mail store object. Someone previously
> >> > got in a mess with the Exchange permissions and it is currently
> >> > preventing exmerge from running (it enumerates the stores on startup
> >> > and quits).
> >> >
> >> > I have tried everything in this thread and used the ADAM version of
> >> > dsacls.exe to no avail. I also get the "The directory cannot be
> >> > removed" error when I try the /S command line. I managed to take
> >> > ownership OK though. I have an Everyone:Deny All permission in there
> >> > just like the original poster.
> >> >
> >> > Is there a solution to this?
> >> >
> >> > Thanks,
> >> >
> >> > Patrick
> >> >
> >> > "Lee Flight" <lef@le.ac.uk-nospam> wrote in message
> >> > news:<#NnjOMRZEHA.556@tk2msftngp13.phx.gbl>...
> >> > > <DomainName>\Enterprise Admins is the correct default owner
> >> > > for that object (at least for Ex2k3 in the domain I am looking at).
> >> > >
> >> > > Have you still got the deny Everyone permission in the DSACLS output?
> >> > > If not then you are OK aren't you?
> >> > >
> >> > > Lee Flight
> >> > >
> >> > >
> >> > > "timg" <tim@deltacompsys.com> wrote in message
> >> > > news:10eqofqjskket4b@corp.supernews.com...
> >> > > > Thanx, I really appreciate the help!  I downloaded the ADAM package
> >> > > > and installed the administrator tools only.  That gave me dsacls.  I
> >> > > > ran it to take ownership.  Here is the command line copy...
> >> > > >
> >> > > > C:\WINDOWS\ADAM>dsacls "CN=All Users,CN=All Address Lists,CN=Address Lists Container,CN=DeltaMail,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=delta,DC=deltacompsys,DC=com" /takeOwnership
> >> > > >
> >> > > > after dumping the ACLS it reported the command completed successfully
> >> > > > but the owner was not changed, DELTA\Enterprise Admins.
> >> > > >
> >> > > > I then tried running
> >> > > >
> >> > > > C:\WINDOWS\ADAM>dsacls "CN=All Users,CN=All Address Lists,CN=Address Lists Container,CN=DeltaMail,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=delta,DC=deltacompsys,DC=com" /S
> >> > > > The directory cannot be removed.
> >> > > >
> >> > > > The command failed to complete successfully.
> >
> >
>
>
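The server-side reset Dmitri describes in the top post (send the SD-flags control naming a part, but an SD in which that part is absent), as an added Python example that is not code from the original posts or from Microsoft. It only constructs the control value and the 20-byte security-descriptor header offline; the OID and byte layouts are taken from MS-ADTS and MS-DTYP, and the commented ldap3 call at the end is an assumed usage that is not exercised here.

```python
import struct

# LDAP_SERVER_SD_FLAGS_OID (MS-ADTS); its value is BER SEQUENCE { INTEGER flags }
SD_FLAGS_OID = "1.2.840.113556.1.4.801"
OWNER_SECURITY_INFORMATION = 0x1   # "SD flags as 1" in Dmitri's post
GROUP_SECURITY_INFORMATION = 0x2
DACL_SECURITY_INFORMATION = 0x4
SACL_SECURITY_INFORMATION = 0x8

SE_DACL_PRESENT = 0x0004   # SECURITY_DESCRIPTOR Control bits (MS-DTYP 2.4.6)
SE_SACL_PRESENT = 0x0010
SE_SELF_RELATIVE = 0x8000


def ber_integer(n: int) -> bytes:
    """BER-encode a small non-negative INTEGER (a leading 0x00 keeps 0x80+ positive)."""
    body = n.to_bytes(n.bit_length() // 8 + 1, "big")
    return b"\x02" + bytes([len(body)]) + body


def sd_flags_control(flags: int) -> tuple:
    """(oid, criticality, value) triple in the shape ldap3's `controls=` accepts."""
    inner = ber_integer(flags)
    value = b"\x30" + bytes([len(inner)]) + inner   # SEQUENCE { INTEGER flags }
    return (SD_FLAGS_OID, True, value)


def empty_self_relative_sd() -> bytes:
    """Revision-1 self-relative SD header with no owner, group, SACL or DACL:
    all four offsets are 0 and neither *_PRESENT bit is set."""
    return struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE, 0, 0, 0, 0)


def sd_parts_present(sd: bytes) -> set:
    """Parse an SD header and report which parts it carries, so a reset request
    can be checked for really omitting the part named in the control."""
    rev, _, control, o_owner, o_group, o_sacl, o_dacl = struct.unpack_from("<BBHIIII", sd)
    if rev != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a revision-1 self-relative SECURITY_DESCRIPTOR")
    parts = {name for name, off in (("owner", o_owner), ("group", o_group)) if off}
    if control & SE_SACL_PRESENT:
        parts.add("sacl")
    if control & SE_DACL_PRESENT:
        parts.add("dacl")
    return parts


def reset_request(flags: int) -> tuple:
    """Control plus SD value asking the server to default the flagged parts.
    Per the thread: OWNER with no owner -> SetDefaultOwner on AD and ADAM;
    DACL/SACL with no DACL/SACL -> schema default on ADAM only (w2k3 AD answers
    constraintViolation on nTSecurityDescriptor, as in Lee's dsacls output)."""
    sd = empty_self_relative_sd()
    assert not sd_parts_present(sd)   # nothing present, so every flagged part resets
    return sd_flags_control(flags), sd

# Assumed ldap3 usage (not run here): `conn` is a bound Connection, `dn` the object.
# ctrl, sd = reset_request(OWNER_SECURITY_INFORMATION)
# conn.modify(dn, {"nTSecurityDescriptor": [(MODIFY_REPLACE, [sd])]}, controls=[ctrl])
```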

