Error in Active Directory Users and Computers when creating computer accounts

A computer account created with Active Directory Users and Computers (only the Windows Server 2003 version) contains invalid Access Control Entries (ACEs) if you specify a group or user account other than the default (Domain Admins) to be allowed to "use" that computer account (that is, to join the computer to the domain under the specified name with the specified account).

Three of the ACEs carry a "zero GUID" {00000000-0000-0000-0000-000000000000} in their InheritedObjectType property. Normally that property holds the valid GUID of an Active Directory object class (the class of object the inheritable ACE applies to). I discovered this because the support tool DSACLS is not able to display the access control lists of computer accounts created this way: DSACLS either does not respond or displays an error. I believe that other applications accessing the DACLs directly might have problems as well if their error handling does not catch this case.

I'm quite confident, though I was unable to verify it for lack of time, that the actual problem is not the InheritedObjectType property but the Flags property. Flags describes whether the ObjectType and InheritedObjectType properties are present. Looking at the three ACEs that contain the mistake, they are supposed to contain the value 1, but they contain the value 3, which is the value for both properties being present. I'm quite sure this is supposed to be 1 instead. I imagine (still unverified) that AD sets the zero GUID automatically when an ACE is added with Flags set to 3 but without an InheritedObjectType.

Here are dumps of the three ACEs (numeric fields are shown in hex, as printed by the script below):
ace.trustee:             FIRMA\myaccount
ace.accessmask:          20
ace.acetype:             5
ace.objecttype:          {4C164200-20C0-11D0-A768-00AA006E0529}
ace.inheritedobjecttype: {00000000-0000-0000-0000-000000000000}
ace.flags:               3
ace.aceflags:            0

ace.trustee:             FIRMA\myaccount
ace.accessmask:          8
ace.acetype:             5
ace.objecttype:          {72E39547-7B18-11D1-ADEF-00C04FD8D5CD}
ace.inheritedobjecttype: {00000000-0000-0000-0000-000000000000}
ace.flags:               3
ace.aceflags:            0

ace.trustee:             FIRMA\myaccount
ace.accessmask:          8
ace.acetype:             5
ace.objecttype:          {F3A64788-5306-11D1-A9C5-0000F80367C1}
ace.inheritedobjecttype: {00000000-0000-0000-0000-000000000000}
ace.flags:               3
ace.aceflags:            0
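As an added example (not part of the original page), here is a small Python checker for dumps in exactly the format printed above: it parses the ace.* lines, interprets Flags with the ADSI bit values (ADS_FLAG_OBJECT_TYPE_PRESENT = 1, ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT = 2), reports every ACE whose Flags claims an InheritedObjectType that is empty or all zeros, and computes the Flags value such an ACE should carry. The sample dump is a constructed copy of the first ACE above; the function names are my own.

```python
# ADS_FLAGTYPE_ENUM bits: which GUID fields of an object ACE are meaningful.
ADS_FLAG_OBJECT_TYPE_PRESENT = 0x1
ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT = 0x2
ZERO_GUID = "{00000000-0000-0000-0000-000000000000}"
HEX_FIELDS = ("accessmask", "acetype", "flags", "aceflags")  # dumped with Hex()

# Constructed sample: the first faulty ACE exactly as the dump above shows it.
SAMPLE_DUMP = """\
ace.trustee:             FIRMA\\myaccount
ace.accessmask:          20
ace.acetype:             5
ace.objecttype:          {4C164200-20C0-11D0-A768-00AA006E0529}
ace.inheritedobjecttype: {00000000-0000-0000-0000-000000000000}
ace.flags:               3
ace.aceflags:            0
"""

def parse_ace_dump(text):
    """Turn 'ace.<field>: value' lines into one dict per blank-line-separated ACE."""
    aces, cur = [], {}
    for line in text.splitlines() + [""]:      # sentinel flushes the last ACE
        if not line.startswith("ace."):        # blank or foreign line ends an ACE
            if cur:
                aces.append(cur)
            cur = {}
            continue
        key, _, val = line[4:].partition(":")
        cur[key] = int(val, 16) if key in HEX_FIELDS else val.strip()
    return aces

def guid_present(guid):
    """ADSI hands back an absent GUID as an empty string or the all-zero GUID."""
    return bool(guid) and guid != ZERO_GUID

def flags_inconsistent(ace):
    """True when Flags claims an InheritedObjectType that is not actually there."""
    claims = ace["flags"] & ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT
    return bool(claims) and not guid_present(ace.get("inheritedobjecttype", ""))

def corrected_flags(ace):
    """Recompute Flags so each *_PRESENT bit is set only for a real GUID."""
    flags = 0
    if guid_present(ace.get("objecttype", "")):
        flags |= ADS_FLAG_OBJECT_TYPE_PRESENT
    if guid_present(ace.get("inheritedobjecttype", "")):
        flags |= ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT
    return flags

def audit(text):
    """(index, flags as dumped, corrected flags) for every inconsistent ACE."""
    return [(i, a["flags"], corrected_flags(a))
            for i, a in enumerate(parse_ace_dump(text)) if flags_inconsistent(a)]
```

Running audit() over the full dump of the three ACEs above yields one entry per ACE, each with Flags 3 to be corrected to 1.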

I further tested that if I clean up those three ACEs with a script, DSACLS works again and everything else seems to work. Also, the Windows 2000 version of Active Directory Users and Computers creates those ACEs correctly.

Note: I believe these are two issues that need to be fixed: the behavior of Active Directory Users and Computers when creating a computer object, and the error handling of DSACLS.

Here's the script I wrote to clean up those ACEs for a specified computer object:

' This code is provided as an example, and is provided AS IS and confers no rights or
' warranties. It's just for demonstration and will need to be modified to run in any
' other environments.
' Ulf B. Simon-Weidner, Germany, September 2004
'
' ADSI constants: restrict the security-descriptor write to the DACL so that
' owner, group and SACL are left untouched
Const ADS_OPTION_SECURITY_MASK = 3
Const ADS_SECURITY_INFO_DACL = &H4

' Computer object to repair and credentials to bind with (adjust for your
' environment; the password here is a placeholder)
strDN = "LDAP://CN=USW001,OU=FirmaComputer,DC=firma,DC=de"
strUser = "firma\administrator"
strPwd = "xXx"

' Bind to the computer object and fetch its DACL (1 = ADS_SECURE_AUTHENTICATION)
Set objDS = GetObject("LDAP:")
Set objAD = objDS.OpenDSObject(strDN, strUser, strPwd, 1)
Set objSD = objAD.Get("ntSecurityDescriptor")
Set objDacl = objSD.DiscretionaryAcl
' Temporary list that collects the corrected copies of the faulty ACEs
Set objNewDacl = CreateObject("AccessControlList")

' Pass 1: dump every ACE, remove the faulty ones and queue a corrected copy
For Each objAce In objDacl
  WScript.Echo
  WScript.Echo "ace.trustee:             " & objAce.Trustee
  WScript.Echo "ace.accessmask:          " & Hex(objAce.AccessMask)
  WScript.Echo "ace.acetype:             " & Hex(objAce.AceType)
  WScript.Echo "ace.objecttype:          " & objAce.ObjectType
  WScript.Echo "ace.inheritedobjecttype: " & objAce.InheritedObjectType
  WScript.Echo "ace.flags:               " & Hex(objAce.Flags)
  WScript.Echo "ace.aceflags:            " & Hex(objAce.AceFlags)

  ' Copy the ACE field by field; only Flags will be changed
  Set objNewAce = CreateObject("AccessControlEntry")
  objNewAce.AccessMask = objAce.AccessMask
  objNewAce.AceType = objAce.AceType
  objNewAce.ObjectType = objAce.ObjectType
  objNewAce.Flags = objAce.Flags
  objNewAce.AceFlags = objAce.AceFlags
  objNewAce.Trustee = objAce.Trustee

  ' A zero GUID in InheritedObjectType marks one of the faulty ACEs
  If objAce.InheritedObjectType = "{00000000-0000-0000-0000-000000000000}" Then
    WScript.Echo "--> This ACE will be modified !!!"
    objDacl.RemoveAce objAce
    ' &H1 = ADS_FLAG_OBJECT_TYPE_PRESENT: only ObjectType is valid, no InheritedObjectType
    objNewAce.Flags = &H1
    objNewDacl.AddAce objNewAce
  End If
  Set objNewAce = Nothing
  WScript.Echo
Next

' Write the trimmed DACL back into the descriptor and re-read it before adding
objSD.DiscretionaryAcl = objDacl
Set objDacl = objSD.DiscretionaryAcl

' The Err checks below only take effect with On Error Resume Next
On Error Resume Next

' Pass 2: add the corrected ACEs back and dump them
For Each objAce In objNewDacl
  objDacl.AddAce objAce
  If Err.Number <> 0 Then
    WScript.Echo "Error " & Err.Number & ": " & Err.Description
    Err.Clear
  End If
  WScript.Echo
  WScript.Echo "--> New ACE"
  WScript.Echo "ace.trustee:             " & objAce.Trustee
  WScript.Echo "ace.accessmask:          " & Hex(objAce.AccessMask)
  WScript.Echo "ace.acetype:             " & Hex(objAce.AceType)
  WScript.Echo "ace.objecttype:          " & objAce.ObjectType
  WScript.Echo "ace.inheritedobjecttype: " & objAce.InheritedObjectType
  WScript.Echo "ace.flags:               " & Hex(objAce.Flags)
  WScript.Echo "ace.aceflags:            " & Hex(objAce.AceFlags)
Next

' Commit: put the descriptor back, but write only its DACL part
objSD.DiscretionaryAcl = objDacl
objAD.SetOption ADS_OPTION_SECURITY_MASK, ADS_SECURITY_INFO_DACL
objAD.Put "ntSecurityDescriptor", Array(objSD)

objAD.SetInfo

If Err.Number <> 0 Then
  WScript.Echo "Error " & Err.Number & ": " & Err.Description
  Err.Clear
End If

Set objNewDacl = Nothing
Set objDacl = Nothing
Set objSD = Nothing
Set objAD = Nothing
Set objDS = Nothing

WindowsServerFAQ.de / WindowsServerFAQ.org, Copyright 2004. These websites are not related to Microsoft Corp. USA or to Microsoft GmbH.