A blog with focus on experiences with the Windows Client operating systems…

  • Restore permissions on objects in Active Directory

    Posted on June 14th, 2009 By Andreas Stenhall

    Some time ago I had the unfortunate job of manually cleaning up an old, long-disconnected (and not decommissioned) Exchange Server in Active Directory using adsiedit.msc, and this is not something one wants to do, I can promise you. Anyway, during the testing phase I had to make sure that certain keys and values in adsiedit.msc were safe to delete, and to accomplish this I removed all permissions on the keys to make sure that no one could read the information. You might think that restoring the permissions on objects in adsiedit.msc is the same as managing permissions on files and folders, but that is not the case.

    Instead, use the DSACLS command to control the access control lists of Active Directory objects. For example, run the following command to give the group Everyone full permission (GA, generic all) on the object “First administrative group”.

    DSACLS "CN=First Administrative Group,CN=Administrative groups,CN=CONTOSO,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=CONTOSO,DC=LOCAL" /G Everyone:GA

    Be careful when working in adsiedit.msc, and be very certain about what you are doing before deleting anything. Sometimes just removing all permissions on an object is the best way, because then you can always use the above command to restore permissions on the object(s).
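
    The remove-then-restore approach above can be made exact by saving the object's original DACL before stripping it, so the restore puts back what was there instead of granting Everyone full permission. The following PowerShell is an added example, not code from the original post; the function names and the backup file path are hypothetical, and it assumes the RSAT ActiveDirectory module and an account (such as the object's owner) that can still read and write the security descriptor.

    ```powershell
    # Added example: back up and restore the DACL of one Active Directory object.
    # Assumes the RSAT ActiveDirectory module, which provides the AD: drive.
    Import-Module ActiveDirectory

    # DN taken from the post; the backup path is a placeholder for this example.
    $dn = 'CN=First Administrative Group,CN=Administrative groups,CN=CONTOSO,' +
          'CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=CONTOSO,DC=LOCAL'
    $backupFile = 'C:\Temp\first-admin-group.dacl.sddl'

    function Backup-AdObjectDacl {
        param(
            [Parameter(Mandatory)][string]$DistinguishedName,
            [Parameter(Mandatory)][string]$Path
        )
        $acl = Get-Acl -Path "AD:\$DistinguishedName"
        # Save only the DACL ('Access'); owner, group and SACL are not exported.
        $sddl = $acl.GetSecurityDescriptorSddlForm('Access')
        Set-Content -Path $Path -Value $sddl -Encoding ASCII
        return $sddl
    }

    function Restore-AdObjectDacl {
        param(
            [Parameter(Mandatory)][string]$DistinguishedName,
            [Parameter(Mandatory)][string]$Path
        )
        if (-not (Test-Path -Path $Path)) {
            throw "No DACL backup found at $Path; nothing restored."
        }
        $sddl = (Get-Content -Path $Path -Raw).Trim()
        $acl  = Get-Acl -Path "AD:\$DistinguishedName"
        # Replace only the DACL section with the saved one.
        $acl.SetSecurityDescriptorSddlForm($sddl, 'Access')
        Set-Acl -Path "AD:\$DistinguishedName" -AclObject $acl
        # Return the DACL now on the object so it can be reviewed.
        return (Get-Acl -Path "AD:\$DistinguishedName").GetSecurityDescriptorSddlForm('Access')
    }

    # 1. Before removing permissions during testing:
    Backup-AdObjectDacl -DistinguishedName $dn -Path $backupFile

    # 2. After testing, put the original permissions back:
    Restore-AdObjectDacl -DistinguishedName $dn -Path $backupFile
    ```

    If no backup was taken, `DSACLS "<object DN>" /S` resets the object's security to the default defined for its class in the schema, which is narrower than Everyone:GA.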