Background
After I configured our Active Directory so that the ability to move computers was delegated to helpdesk staff, I started hearing reports that computers would get "stuck" in specific OU's. They can move a computer in, but get an "access denied" message when trying to move a computer out. The problem is 100% reproducible, and is only present on a small number of OU's in our domain.
Both OU's have Protect object from accidental deletion
enabled.
What I already know
Inspecting the ACL using ldp.exe
does reveal one tiny but important difference. For some reason, only ONE of the OU's has the attribute ACTRL_DS_DELETE_CHILD denied to Everyone
.
Toggling the Protect object
flag on and off on either OU does not fix the problem. It does modify the ACL as expected, but the ACTRL_DS_DELETE_CHILD
flag is completely unmodified in either case.
I can use this solution to "fix" a specific OU:
- Turn off
Protect object
flag - Delete the Deny ACE associated with Everyone.
- Turn
Protect object
back on - Now the ACL's match.
Could it be that different versions of Active Directory, or Remote Server Admin Tools, might have different behaviour with how the Protect object
flag is actually represented on an OU?
The Question
What could possibly cause this difference, and what can I do to ensure that it is corrected on all OU's in the Active Directory domain?
Details
The unified diff looks like this:
18c18
< Ace Mask: 0x00010042
---
> Ace Mask: 0x00010040
20d19
< ACTRL_DS_DELETE_CHILD
How to identify affected organizational units
EDIT: I wrote a PowerShell script to locate Organizational Units that have this flag set on them.
$Base = "OU=MyOU,DC=your,DC=domain,DC=com"
Import-Module ActiveDirectory
Set-Location AD:
Get-ADOrganizationalUnit -SearchBase $Base -filter * |
ForEach-Object {
$matches = @(
(Get-ACL $_.DistinguishedName).access |
Where-Object {
$_.IdentityReference -eq "Everyone"
} |
Where-Object {
$_.ActiveDirectoryRights -like "*DeleteChild*"
}
)
if ($matches.length -gt 0) {
Write-Output $_
}
} |
Format-Table DistinguishedName