Pete Lillington
I'm currently troubleshooting a sick AD installation, and
am having problems with AD ACLs. The default permissions
on objects have been modified, so for instance a DC
object will have the same restrictive permissions you'd
see on the 'administrator' user. The upshot of that is
that you cannot delete a DC object until you reset the
ACL. This, by itself, does not cause me a problem as I
can easily reset ACLs.
However, what is happening is that within the hour of the ACL
getting changed by me, it gets reset to the old
restrictive ACL. Having done some (a lot) of digging,
using Replmon and other tools, it has become apparent
that whatever DC holds the PDCE FSMO role does the reset.
The question is, why? This is not standard PDCE
behaviour, as far as I am aware!
The AD environment in question is a single mixed-mode
domain, W2K SP2/3. GPO is sick, secedit has been run in
the past on the whole domain because of sec corruptions.
I'm toying with the idea of fragging the whole domain and
simply starting again. Any ideas would be welcome.
Thanks.