
Very much a follow-on from this question I asked earlier here. Trying to go through metadata cleanup but every time I click delete on the offending DC I get an access denied (after prompts about it being a GC). Is there any other way I can remove it? I have unchecked the "protect from accidental deletion" option on the OU Domain Controllers, added myself as an Enterprise Admin (was already a Domain Admin) and generally thrown my toys out of the cot. Have I missed a glaringly obvious step somewhere? I thought the first process of metadata cleanup was removing the account and then a case of tidying up DNS and NTDS bits that pointed to the DC.

EDIT: So looking at NTDS Quotas OU through ADSIEdit I notice that someone has added Everyone - Deny Special Permissions - Delete and Delete Subtree. Is this a normal setting to have configured?

EDIT2: Oh wait it gets better. Everyone has been assigned Deny permissions (to all sorts of attributes) to delete from the Domain Controllers OU. I am guessing this is not a normal security practice for AD?

  • Inspect the ACL on the Domain Controller object and post it here. It's possible that someone removed the `Enterprise Admin/Full Control` ACE from the ACL. – MDMarra Nov 04 '11 at 17:15
  • Looking at the Security tab for both the OU and the computer object I can see Enterprise Admins listed as having full control. I have also toggled the protect from deletion on the object and OU in case it was a corrupt attribute. tried from three different DCs. driving me nuts :) –  Nov 04 '11 at 17:29
  • @MarkM thanks for the pointer to ACLs. As above in EDIT2 someone has denied Everyone access to certain abilities. –  Nov 04 '11 at 17:43

1 Answer


Check the ACL on the domain controller object and make sure that Domain Administrators and Enterprise Administrators have the appropriate Full Control ACE. Also check to make sure that there aren't any weird deny ACEs.

MDMarra
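An added example of the check the answer describes, not code from the original post: a PowerShell snippet that lists the explicit Deny ACEs on the Domain Controllers OU and on the stale DC's computer object, so entries like the "Everyone - Deny Delete / Delete Subtree" ones seen in the question stand out. It assumes the RSAT ActiveDirectory module (which provides the AD: drive) and uses a placeholder DC name.

```powershell
# Added example (not from the original answer). Assumes the RSAT ActiveDirectory
# module; the DC name below is a placeholder for the DC being cleaned up.
Import-Module ActiveDirectory

$dcName = 'OLDDC01'   # placeholder: the stale domain controller's computer name
$domain = Get-ADDomain
$dcOu   = "OU=Domain Controllers,$($domain.DistinguishedName)"
$dcObj  = Get-ADComputer -Identity $dcName

function Get-DenyAces {
    # Return every Deny ACE on an AD object, explicit or inherited.
    # Note: the ADUC "Protect object from accidental deletion" checkbox is itself
    # implemented as an explicit Deny ACE for Everyone (Delete / Delete Subtree),
    # so one such entry is expected while the checkbox is ticked; anything beyond
    # that, or Deny entries on other rights, is what to look for.
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Deny' } |
        Select-Object @{ n = 'Object';   e = { $DistinguishedName } },
                      IdentityReference,
                      ActiveDirectoryRights,
                      IsInherited,
                      InheritanceType
}

function Test-AdminFullControl {
    # True if the given group has an Allow ACE granting GenericAll (Full Control).
    param([Parameter(Mandatory)][string]$DistinguishedName,
          [Parameter(Mandatory)][string]$GroupName)

    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    [bool]($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -like "*\$GroupName" -and
        ($_.ActiveDirectoryRights -band 'GenericAll') -eq 'GenericAll'
    })
}

foreach ($dn in @($dcOu, $dcObj.DistinguishedName)) {
    Write-Host "`n== $dn"
    foreach ($g in 'Domain Admins', 'Enterprise Admins') {
        Write-Host ("   {0} Full Control: {1}" -f $g, (Test-AdminFullControl $dn $g))
    }
    Get-DenyAces -DistinguishedName $dn | Format-Table -AutoSize
}
```

Clear the accidental-deletion checkbox on both the OU and the computer object and re-run; any Deny ACE that remains for Everyone is what is blocking the delete and should be reviewed before removing it.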