Modifying AD Schema permissions from the command line
- by Ryan Roussel
Recently, while making some changes for a client, I accidentally dug myself into a pretty deep hole. I was trying to explicitly deny a certain user from reading a few group policies, including the Default Domain Policy. When I went in to make the change, I accidentally denied Authenticated Users rather than the AD user object. This of course made the GPO inaccessible to all users, including any with domain admin rights. The policy could no longer be modified in the GPMC and, worse, changes could not be made through ADSIedit. The errors I was getting from inside ADSIedit when trying to edit the container looked like this:

This object has one or more property sheets currently open.
Invalid path to object

The only solution was to strip Authenticated Users from the container ACL completely in the schema, then re-add it with the default read and apply rights. To perform this action, I used a command I had never used before: DSACLS.exe. It's part of the DSMOD group of tools. Since this command interacts with the actual schema, you have to know the full LDAP container or object name. In this case that is the GUID of the Default Domain Policy: {31B2F340-016D-11D2-945F-00C04FB984F9}

The actual commands I ran looked like this.

To display the current ACL of the container:

c:\>dsacls "cn={31B2F340-016D-11D2-945F-00C04FB984F9},cn=Policies,cn=System,dc=domain,dc=com" /A

To strip Authenticated Users from the ACL of the container:

c:\>dsacls "cn={31B2F340-016D-11D2-945F-00C04FB984F9},cn=Policies,cn=System,dc=domain,dc=com" /R "NT Authority\Authenticated Users"

For a full reference of the DSACLS.EXE command, visit: http://support.microsoft.com/kb/281146

Once Authenticated Users was cleared from the ACL, I was able to use the Group Policy Management Console to reassign the default permissions.
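A check for the lockout described above, added here as an example and not part of the original post: it walks every groupPolicyContainer under CN=Policies,CN=System and reports any Deny ACE whose trustee is Authenticated Users (well-known SID S-1-5-11), so a mistaken Deny like the one in this story shows up before anyone is locked out. It assumes the RSAT ActiveDirectory module is installed (it supplies the AD: drive that Get-Acl reads) and that the caller can read the Policies container.

```powershell
# Added example, not from the original post.
# Requires the RSAT ActiveDirectory module (provides Get-ADDomain, Get-ADObject and the AD: drive).
Import-Module ActiveDirectory

function Get-GpoAuthenticatedUsersDeny {
    # Well-known SID for NT AUTHORITY\Authenticated Users; comparing SIDs avoids
    # the case and localisation differences of the display name.
    $authUsersSid = 'S-1-5-11'

    $domainDn    = (Get-ADDomain).DistinguishedName
    $policiesDn  = "CN=Policies,CN=System,$domainDn"

    # Each GPO is a groupPolicyContainer whose CN is its GUID,
    # e.g. CN={31B2F340-016D-11D2-945F-00C04FB984F9} for the Default Domain Policy.
    $gpos = Get-ADObject -SearchBase $policiesDn -SearchScope OneLevel `
        -Filter 'objectClass -eq "groupPolicyContainer"' -Properties displayName

    foreach ($gpo in $gpos) {
        $acl = Get-Acl -Path "AD:\$($gpo.DistinguishedName)"

        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Deny') { continue }

            # Translate the trustee to a SID; unresolvable (orphaned) trustees are skipped.
            try {
                $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            } catch { continue }

            if ($sid -eq $authUsersSid) {
                [pscustomobject]@{
                    GPO       = $gpo.displayName
                    GUID      = $gpo.Name
                    Rights    = $ace.ActiveDirectoryRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Any row in this output is a GPO that Authenticated Users (and therefore every
# logged-on account, domain admins included) is explicitly denied on.
Get-GpoAuthenticatedUsersDeny | Format-Table -AutoSize
```

A Deny on Authenticated Users that is not inherited was set directly on that GPO, which is exactly the case the post's dsacls /R command had to clean up.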