Modifying AD Schema permissions from the command line
Posted by Ryan Roussel on Geeks with Blogs
Published on Fri, 05 Mar 2010 22:00:00 GMT
Recently while making some changes for a client, I accidentally dug myself into a pretty deep hole. I was trying to explicitly deny a certain user from reading a few group policies including the Default Domain Policy. When I went in to make the change I accidentally denied Authenticated Users rather than the AD user object. This of course made the GPO inaccessible to all users including any with domain admin rights. The policy could no longer be modified in the GPMC and worse, changes could not be made through ADSIedit.
The errors I was getting from inside ADSIedit when trying to edit the container looked like this:
This object has one or more property sheets currently open.
Invalid path to object
The only solution was to strip Authenticated Users from the container ACL completely in the schema, then re-add it with the default read and apply rights. To perform this action, I used a command I had never used before: DSACLS.exe. It's part of the DSMOD group of tools. Since this command interacts with the actual schema, you have to know the full LDAP distinguished name of the container or object. In this case that is the GUID of the Default Domain Policy: {31B2F340-016D-11D2-945F-00C04FB984F9}
The actual commands I ran looked like this:
To display the current ACL of the container:
c:\>dsacls "cn={31B2F340-016D-11D2-945F-00C04FB984F9},cn=Policies,cn=System,dc=domain,dc=com" /A
To strip Authenticated Users from the ACL of the container:
c:\>dsacls "cn={31B2F340-016D-11D2-945F-00C04FB984F9},cn=Policies,cn=System,dc=domain,dc=com" /R "NT Authority\Authenticated Users"
For a full reference of the DSACLS.EXE command visit:
http://support.microsoft.com/kb/281146
Once Authenticated Users was cleared from the ACL, I was able to use Group Policy Management Console to reassign the default permissions.
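The following PowerShell script is an added example and is not part of the original post. It generalizes the recovery above into a check a defender can run before the lockout happens: it walks every Group Policy container under CN=Policies,CN=System and flags explicit Deny ACEs on broad principals (Authenticated Users, Everyone, Domain Users), which is exactly the misconfiguration that locked the author out. The repair function then reuses the same dsacls switches from the post (/A to display, /R to strip the principal) and restores the default Read and Apply rights with Set-GPPermission from the GroupPolicy module, which also resets the matching SYSVOL folder ACL that dsacls does not touch. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed and that the account running it can read the security descriptors; the function names and the $BroadPrincipals list are my own choices, not anything from the post or from Microsoft's tools.

```powershell
# Added example, not from the original post. Assumes RSAT ActiveDirectory and
# GroupPolicy modules are available on the machine running it.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Principals that, when explicitly denied on a GPO, lock out every user
# including domain admins. Wildcards are -like patterns (constructed list).
$BroadPrincipals = @('NT AUTHORITY\Authenticated Users', 'Everyone', '*\Domain Users')

function Find-GpoBroadDeny {
    # Lists every GPO container with an explicit Deny ACE for a broad principal.
    param([string]$DomainDN = (Get-ADDomain).DistinguishedName)

    $policiesDN = "CN=Policies,CN=System,$DomainDN"
    Get-ADObject -SearchBase $policiesDN -LDAPFilter '(objectClass=groupPolicyContainer)' -Properties displayName |
        ForEach-Object {
            $gpo = $_
            # The AD: PSDrive exposes the directory object's security descriptor.
            $acl = Get-Acl -Path "AD:\$($gpo.DistinguishedName)"
            foreach ($ace in $acl.Access) {
                $id = $ace.IdentityReference.Value
                $isBroad = $BroadPrincipals | Where-Object { $id -like $_ }
                if ($ace.AccessControlType -eq 'Deny' -and $isBroad -and -not $ace.IsInherited) {
                    [pscustomobject]@{
                        GpoName   = $gpo.displayName
                        GpoDN     = $gpo.DistinguishedName
                        Principal = $id
                        Rights    = $ace.ActiveDirectoryRights
                    }
                }
            }
        }
}

function Repair-GpoBroadDeny {
    # Undoes one lockout the way the post describes, with -WhatIf support so the
    # dsacls /R step can be previewed before any ACE is removed.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$GpoDN,
        [Parameter(Mandatory = $true)][string]$Principal
    )

    # Show the current ACL of the container (same as the post's first command).
    dsacls "$GpoDN" /A

    if ($PSCmdlet.ShouldProcess($GpoDN, "Remove all ACEs for $Principal")) {
        # Strip every ACE for the principal (same as the post's second command).
        dsacls "$GpoDN" /R "$Principal"

        # Restore the default Read + Apply Group Policy rights. GpoApply is the
        # GroupPolicy module's name for that pair, and this also resyncs the
        # SYSVOL folder permissions that dsacls cannot change.
        $guid = [regex]::Match($GpoDN, '\{[0-9A-Fa-f-]+\}').Value
        Set-GPPermission -Guid $guid -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoApply
    }
}

# Usage: detect first, then repair each hit explicitly.
$hits = Find-GpoBroadDeny
$hits | Format-Table -AutoSize
foreach ($hit in $hits) {
    Repair-GpoBroadDeny -GpoDN $hit.GpoDN -Principal $hit.Principal -WhatIf
}
```

Run the detection on a schedule or as part of a change-review step; a Deny ACE on Authenticated Users is almost never intended, since it overrides every Allow including the Domain Admins entries. Drop -WhatIf from the usage loop only after reviewing the output, because dsacls /R removes every ACE for the principal, Allow and Deny alike, which is why the Set-GPPermission step immediately re-grants the defaults.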