Permission denied on an AD Object?
Friday, September 4, 2009 2:11:42 PM
Cause:
In this instance, Authenticated Users was denied Full Access on the AD Object, thus explicitly denying any kind of access to the object.
Solution:
- Assume ownership of the object using DSACLS:
DSACLS "dn of active directory object" /G domain name\useraccount:WO
Ex:
DSACLS "CN=All Address Lists,CN=Address Lists Container,CN=Anyones Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Anyones-domaina,DC=internal" /G domain\administrator:WO
- Grant rights to the object using DSACLS (this replaces the current DACL entirely with only the entries you specify):
DSACLS "dn of active directory object" /N /G domain name\useraccount:GA
Ex:
DSACLS "CN=All Address Lists,CN=Address Lists Container,CN=Anyones Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Anyones-domaina,DC=internal" /N /G domain\administrator:GA
- Set the object's permissions back to the schema defaults:
DSACLS "dn of object" /S
Ex:
DSACLS "CN=All Address Lists,CN=Address Lists Container,CN=Anyones Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Anyones-domaina,DC=internal" /S
- Inherit permissions:
Use ADSIEdit to re-select the "Inherit Permissions" checkbox.
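The /N step above discards every existing ACE on the object, so a narrower fix is to back up the DACL and remove only the explicit Deny entry for Authenticated Users. The following PowerShell is an added example and not part of the original post; it assumes the ActiveDirectory module (and its AD: drive) is available, reuses the post's example DN as a placeholder, and, if Get-Acl itself is refused, still requires the ownership or SYSTEM-shell step first.

```powershell
# Added example: remove only the explicit Deny ACE for Authenticated Users
# instead of replacing the whole DACL with DSACLS /N.
# Assumes the ActiveDirectory PowerShell module (AD: drive) is loaded.
Import-Module ActiveDirectory

# Placeholder DN copied from the post; replace with the affected object.
$dn   = 'CN=All Address Lists,CN=Address Lists Container,CN=Anyones Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Anyones-domaina,DC=internal'
$path = "AD:\$dn"

# Read the current security descriptor. If this fails with access denied,
# take ownership first (the DSACLS :WO step) or run from a SYSTEM shell.
$acl = Get-Acl -Path $path

# Keep the DACL in SDDL form so the change can be reversed if needed.
$backup = Join-Path $env:TEMP 'ad-object-dacl-backup.sddl'
$acl.Sddl | Out-File -FilePath $backup -Encoding ASCII
Write-Host "DACL backed up to $backup"

# Authenticated Users is the well-known SID S-1-5-11; comparing SIDs avoids
# depending on the localized account name.
$authUsersSid = 'S-1-5-11'
$denyAces = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Deny' -and
    -not $_.IsInherited -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $authUsersSid
}

if (-not $denyAces) {
    Write-Host 'No explicit Deny ACE for Authenticated Users found on this object.'
    return
}

# Show exactly what will be removed before touching the DACL.
$denyAces | Format-Table IdentityReference, AccessControlType, ActiveDirectoryRights, InheritanceType -AutoSize

foreach ($ace in $denyAces) {
    # RemoveAccessRule returns $true when the rule was matched and removed.
    if (-not $acl.RemoveAccessRule($ace)) {
        Write-Warning "Could not remove ACE for $($ace.IdentityReference)"
    }
}

# Write the modified descriptor back; every other ACE is left untouched.
Set-Acl -Path $path -AclObject $acl
Write-Host 'Explicit Deny ACE(s) removed; re-run Get-Acl to verify.'
```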
---------------------------------
Another idea would be to start cmd under the local system account and then use adsiedit.msc to get to the permissions and change them.
Just use this command (with a time that is one or two minutes in the future):
at 16:30 /interactive cmd.exe
In the title of the cmd window it should say something like svchost.exe or similar.
If no new cmd pops up, then you are probably on the server via RDP without /admin or /console mode. Close the connection, start mstsc and add /admin or /console after the server name to access this mode. Then you will automatically see the cmd window, and then start adsiedit.msc.
