Modifying AD Schema permissions from the command line

Posted by Ryan Roussel on Geeks with Blogs See other posts from Geeks with Blogs or by Ryan Roussel
Published on Fri, 05 Mar 2010 22:00:00 GMT Indexed on 2010/03/07 23:28 UTC
Read the original article Hit count: 626

Filed under:

Recently while making some changes for a client, I accidently dug myself into a pretty deep hole.  I was trying to explicitly deny a certain user from reading a few group policies including the Default Domain Policy.  When I went in to make the change I accidently denied Authenticated Users rather than the AD user object.  This of course made the GPO inaccessible to all users including any with domain admin rights.  The policy could no longer be modified in the GPMC and worse, changes could not be made through ADSIedit.


The errors I was getting from inside ADSIedit when trying to edit the container looked like this

This object has one or more property sheets currently open.

Invalid path to object

The only solution was to strip Authenticated Users from the container ACL completely in the schema, then re-add it back with the default read and apply rights.  To perform this action, I used a command I had never used before:  DSALCS.exe  It’s part of the DSMOD group of tools.  Since this command interacts with the actual schema, you have to know the full LDAP container or object name.  In this case the GUID of the Default Domain Policy: {31B2F340-016D-11D2-945F-00C04FB984F9}


The actual commands I ran looked like this:


To display the current ACL of the container:

c:\>dsacls “cn={31B2F340-016D-11D2-945F-00C04FB984F9},cn=Policies,cn=System,
dc=domain,dc=com /A

To strip Authenticated Users from the ACL of the container:
c:\>dsacls “cn={31B2F340-016D-11D2-945F-00C04FB984F9},cn=Policies,cn=System,
dc=domain,dc=com /R “NT Authority\Authenticated Users”


For full reference of the DSACLS.EXE command visit:

Once the Authenticated Users was cleared from the ACL, I was able to use Group Policy Management Console to reassign the default permissions.

© Geeks with Blogs or respective owner