Discussion:
"Deleted Objects" container permissions
Paul B
2007-05-18 03:21:00 UTC
Using the dsacls.exe tool from ADAM SP1, I am trying to view the permissions
of the domain's "Deleted Objects" container. Logged on w/ an account in the
Domain Admins group, I type the following at the command line: C:\dsacls.exe
"CN=Deleted Objects,DC=domain,DC=com". The response I get is "Insufficient
access rights to perform the operation. The command failed to complete
successfully." Using the same account, I am able to bind to the container
using ldp.exe.

I have pored over the internet to find a possible cause/solution but keep
coming up empty. The reason I want to do this is to allow a service account
to read the contents.

Any assistance is greatly appreciated.

Paul
Ashish
2007-05-18 13:14:02 UTC
You mentioned that you are using the following command line:

C:\dsacls.exe "CN=Deleted Objects,DC=domain,DC=com"

Are you using the correct domain name here?

Also, if the distinguished name is correct, then use /a and see if you can
view the permissions.

Regards,

Ashish
Post by Paul B
Using the dsacls.exe tool from ADAM SP1, I am trying to view the permissions
of the domain's "Deleted Objects" container. Logged on w/ an account in the
Domain Admins group, I type the following at the command line: C:\dsacls.exe
"CN=Deleted Objects,DC=domain,DC=com". The response I get is "Insufficient
access rights to perform the operation. The command failed to complete
successfully." Using the same account, I am able to bind to the container
using ldp.exe.
I have pored over the internet to find a possible cause/solution but keep
coming up empty. The reason I want to do this is to allow a service account
to read the contents.
Any assistance is greatly appreciated.
Paul
Ashish
2007-05-18 13:16:02 UTC
You mentioned that you used the following command:

C:\dsacls.exe "CN=Deleted Objects,DC=domain,DC=com".

Are you using the correct domain name?

If yes, and the distinguished name is correct, then use the /a switch and see
if you get the results.

http://support.microsoft.com/kb/281146

Regards,

Ashish
Post by Paul B
Using the dsacls.exe tool from ADAM SP1, I am trying to view the permissions
of the domain's "Deleted Objects" container. Logged on w/ an account in the
Domain Admins group, I type the following at the command line: C:\dsacls.exe
"CN=Deleted Objects,DC=domain,DC=com". The response I get is "Insufficient
access rights to perform the operation. The command failed to complete
successfully." Using the same account, I am able to bind to the container
using ldp.exe.
I have pored over the internet to find a possible cause/solution but keep
coming up empty. The reason I want to do this is to allow a service account
to read the contents.
Any assistance is greatly appreciated.
Paul
Paul B
2007-05-18 15:53:00 UTC
Ashish,

To the best of my knowledge, the DN is correct, as I did not put in the actual
domain info. I also used the /a switch as you suggested but received the
same result. No matter what account I use that has Administrator privs, I
get the same error.

How can I verify what the DN actually is? I am using the same path as if I
were looking at it via the ldp tree. Is it case sensitive?

Paul
Harj
2007-05-18 16:10:12 UTC
Post by Paul B
Ashish,
To the best of my knowledge, the DN is correct, as I did not put in the actual
domain info. I also used the /a switch as you suggested but received the
same result. No matter what account I use that has Administrator privs, I
get the same error.
How can I verify what the DN actually is? I am using the same path as if I
were looking at it via the ldp tree. Is it case sensitive?
Paul
Hi,
From a machine that has the Windows Support Tools installed, open up
ADSIedit and right-click the container in question.
From the properties tab, look for the distinguished name attribute.
You should copy this value and run the tool again.

Good luck

Harj Singh
Power Your Active Directory Investment
www.specopssoft.com
Paul Bergson [MVP-DS]
2007-05-18 16:26:27 UTC
You would have to use LDP to see this object. I don't believe it is visible
through ADSIEdit.
--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
Post by Harj
Post by Paul B
Ashish,
To the best of my knowledge, the DN is correct, as I did not put in the actual
domain info. I also used the /a switch as you suggested but received the
same result. No matter what account I use that has Administrator privs, I
get the same error.
How can I verify what the DN actually is? I am using the same path as if I
were looking at it via the ldp tree. Is it case sensitive?
Paul
Hi,
From a machine that has the Windows Support Tools installed, open up
ADSIedit and right-click the container in question.
From the properties tab, look for the distinguished name attribute.
You should copy this value and run the tool again.
Good luck
Harj Singh
Power Your Active Directory Investment
www.specopssoft.com
Paul B
2007-05-18 21:16:00 UTC
Gentlemen,

Binding to the Deleted Objects container via ldp.exe, I right-click on the
tree view and go to Advanced > Security Descriptor. Below is the result
returned in the results pane. I am no rocket scientist, but is this normal?

***Calling Security...
Error: Security: No Such Attribute. <16>
Server error: <empty>
Joe Richards [MVP]
2007-05-19 14:29:19 UTC
Yes, that is normal; the ACL by default doesn't allow administrators to
view it.

Why do you need to? You don't need to see that ACL to work with deleted
objects.


--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
Post by Paul B
Gentlemen,
Binding to the Deleted Objects container via ldp.exe, I right-click on the
tree view and go to Advanced > Security Descriptor. Below is the result
returned in the results pane. I am no rocket scientist, but is this normal?
***Calling Security...
Error: Security: No Such Attribute. <16>
Server error: <empty>
Paul B
2007-05-20 21:48:00 UTC
Joe,

My purpose is to allow a NetIQ DRA service account from one domain to view the
contents in another domain for the purpose of account refresh actions.
NetIQ's docs state that I must have perms to this container to allow that. I
wanted to view the existing ACL before committing changes. I must have been
mistakenly thinking that since I cannot see the ACL, I cannot modify it. Is
there any way to view its ACL?

Paul
Paul B
2007-05-21 18:54:01 UTC
To All,

I have resolved this issue. Unfortunately I neglected to read Article ID
892806 thoroughly, where it instructs you to use the /takeownership switch.
Once I did that, I was able to read the permissions and make the config
changes. Thank you to all who helped.

Paul
Joe Richards [MVP]
2007-05-22 00:40:49 UTC
The very act of taking ownership changes the Security Descriptor, by
definition.

It can be viewed without going through this but it isn't needed now. If
I recall DRA was a pretty low level tool that needed extensive rights,
was there a reason to just not give it administrator rights?

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
Post by Paul B
To All,
I have resolved this issue. Unfortunately I neglected to read Article ID
892806 thoroughly, where it instructs you to use the /takeownership switch.
Once I did that, I was able to read the permissions and make the config
changes. Thank you to all who helped.
Paul
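The thread's resolution, turned into a repeatable script (an added example; it is not code from the thread, from Microsoft's KB article, or from NetIQ). It first tries a plain dsacls read of the container's ACL, stops if that is denied unless ownership-taking was explicitly requested on the command line (as Joe points out, /takeownership itself rewrites the security descriptor, so it should be a deliberate step), then runs the KB 892806 sequence and logs the ACL at every stage so the change can be reviewed afterwards. The container DN under contoso.com, the CONTOSO\svc-dra service account, the log path, and the LCRP right set (list contents plus read property, granted instead of administrator rights) are all assumptions; the thread does not list the exact rights NetIQ's documentation requires, so substitute those.

```powershell
# Added example, not from the thread. Assumes dsacls.exe is on PATH and supports
# /takeownership (Windows Server 2003 SP1 or later tools), that the session runs
# as a Domain Admin, and these placeholder names: a container DN in contoso.com
# and the service account CONTOSO\svc-dra.
param(
    [string]$ContainerDN    = 'CN=Deleted Objects,DC=contoso,DC=com',  # placeholder DN
    [string]$ServiceAccount = 'CONTOSO\svc-dra',                        # placeholder account
    [string]$Rights         = 'LCRP',        # list contents + read property (assumed minimum)
    [switch]$TakeOwnership,                  # explicit opt-in: this step rewrites the SD
    [string]$LogPath        = ".\deleted-objects-acl-$(Get-Date -Format 'yyyyMMdd-HHmmss').log"
)

function Invoke-Dsacls {
    # Runs dsacls with the given arguments and returns its exit code and combined output.
    param([string[]]$Arguments)
    $text = (& dsacls.exe @Arguments 2>&1 | Out-String)
    [pscustomobject]@{ ExitCode = $LASTEXITCODE; Output = $text }
}

function Get-ContainerAcl {
    # Reads the container's ACL as dsacls prints it. Readable is $false when the
    # server answers with the "Insufficient access rights" error seen in the thread.
    param([string]$DN)
    $r = Invoke-Dsacls -Arguments @($DN)
    $denied = ($r.Output -match 'Insufficient access rights')
    [pscustomobject]@{ Readable = (-not $denied); Text = $r.Output }
}

function Write-Stage {
    # Appends a labelled, timestamped snapshot to the log so every SD state is on record.
    param([string]$Label, [string]$Text)
    $stamp = Get-Date -Format 'o'
    Add-Content -Path $LogPath -Value "===== $Label ($stamp) =====`r`n$Text"
}

$before = Get-ContainerAcl -DN $ContainerDN
Write-Stage -Label 'initial read attempt' -Text $before.Text

if ($before.Readable) {
    Write-Host "ACL on $ContainerDN is readable; no ownership change is needed."
    Write-Host $before.Text
    return
}

if (-not $TakeOwnership) {
    Write-Warning "dsacls cannot read the ACL on $ContainerDN (the default DACL denies this even to Domain Admins)."
    Write-Warning 'KB 892806 resolves this with /takeownership, which itself modifies the security descriptor.'
    Write-Warning 'Re-run with -TakeOwnership once that change has been approved for this domain.'
    return
}

# Step 1 (KB 892806): take ownership. This is a write to the SD, so it is logged as one.
$own = Invoke-Dsacls -Arguments @($ContainerDN, '/takeownership')
Write-Stage -Label 'after /takeownership' -Text $own.Output
if ($own.Output -match 'Insufficient access rights') {
    throw "Taking ownership of $ContainerDN failed; check the account and the DN (compare it with ldp.exe)."
}

# Step 2: the ACL should now be readable; record it before granting anything.
$afterOwner = Get-ContainerAcl -DN $ContainerDN
Write-Stage -Label 'ACL after ownership, before grant' -Text $afterOwner.Text

# Step 3: grant only the assumed minimum rights to the service account rather than
# making it an administrator. "$($ServiceAccount):..." avoids PowerShell parsing
# "$ServiceAccount:LCRP" as a drive-qualified variable.
$grant = Invoke-Dsacls -Arguments @($ContainerDN, '/G', "$($ServiceAccount):$Rights")
Write-Stage -Label "after /G $($ServiceAccount):$Rights" -Text $grant.Output

# Step 4: re-read and show only the ACE lines the grant added.
$final = Get-ContainerAcl -DN $ContainerDN
Write-Stage -Label 'final ACL' -Text $final.Text
$added = Compare-Object -ReferenceObject ($afterOwner.Text -split "`r?`n") `
                        -DifferenceObject ($final.Text -split "`r?`n") |
         Where-Object SideIndicator -eq '=>' |
         Select-Object -ExpandProperty InputObject
Write-Host "New ACE lines for $ServiceAccount (full snapshots in $LogPath):"
$added | ForEach-Object { Write-Host "  $_" }
```

Run it once without -TakeOwnership to confirm the read is denied and to get the warning on record, then with -TakeOwnership after the ownership change has been approved; the log file then holds the ACL immediately after ownership and after the grant, which is the "before" view Paul was originally looking for, as close to it as the container's default DACL allows.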