Restoring permissions on an AD object to Domain/Enterprise Administrators

I recently accidentally added Authenticated Users = Deny Read on a GPO object. As ‘Deny’ ACEs take priority over ‘Allow’, everyone was blocked, including Domain and Enterprise Administrators!

After some research and some trial and error, we found that the following procedure can be used to restore permissions to Domain Administrators.

  1. Log on to the PDC emulator as a Domain Admin.
  2. Get the DN of the problem object(s).
  3. Run an elevated command prompt.
  4. Run dsacls <dn> /R “DOMAIN\Domain Admins”
  5. Run dsacls <dn> /G “DOMAIN\Domain Admins”:GA
  6. Locate the object in AD; GPOs are in the System container.
  7. Restore permissions for the object.
  8. Check the object’s folder within SYSVOL and verify the permissions are up to date. If not, then restore the permissions here too (I actually did this between 5 and 6, but according to Internet sources step 7 will do this).
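
A check for this class of mistake, added here as an example and not part of the original post: it audits every GPO object under CN=Policies,CN=System and its matching SYSVOL folder for Deny ACEs granted to broad principals, and treats a Domain Admin failing to read a GPO’s ACL as a symptom of the lockout described above. It assumes the RSAT ActiveDirectory module (which provides the AD: drive) and is run as a Domain Admin on a domain controller.

```powershell
# Added audit script, not from the original post. Assumes the RSAT ActiveDirectory
# module (which provides the AD: drive) and is run as a Domain Admin on a DC.
Import-Module ActiveDirectory

$domain     = Get-ADDomain
$policiesDN = "CN=Policies,CN=System,$($domain.DistinguishedName)"

# Principals so broad that a Deny ACE on them also locks out Domain/Enterprise Admins,
# because explicit Deny ACEs are evaluated before Allow ACEs.
$broadSids = @{
    'S-1-1-0'                  = 'Everyone'
    'S-1-5-11'                 = 'Authenticated Users'
    "$($domain.DomainSID)-513" = 'Domain Users'
}

function Find-BroadDenyAce {
    param($Acl, [string]$Location)
    # Ask for SID identities so well-known groups match regardless of display name.
    foreach ($ace in $Acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($ace.AccessControlType -ne 'Deny') { continue }
        $sid = $ace.IdentityReference.Value
        if (-not $broadSids.ContainsKey($sid)) { continue }
        # AD rules expose ActiveDirectoryRights, file system rules expose FileSystemRights.
        $rights = if ($ace -is [System.DirectoryServices.ActiveDirectoryAccessRule]) {
            $ace.ActiveDirectoryRights } else { $ace.FileSystemRights }
        [pscustomobject]@{ Location = $Location; DeniedTo = $broadSids[$sid]
                           Rights = $rights; Inherited = $ace.IsInherited }
    }
}

$gpos = Get-ADObject -SearchBase $policiesDN -SearchScope OneLevel `
    -LDAPFilter '(objectClass=groupPolicyContainer)' -Properties displayName, gPCFileSysPath

$findings = foreach ($gpo in $gpos) {
    try {
        # The GPO object itself (what steps 6 and 7 of the post repair).
        $adAcl = Get-Acl -Path "AD:\$($gpo.DistinguishedName)" -ErrorAction Stop
        Find-BroadDenyAce -Acl $adAcl -Location "AD object $($gpo.displayName)"
    } catch {
        # A Domain Admin being unable to read a GPO's ACL is itself the lockout symptom.
        Write-Warning "Cannot read ACL of $($gpo.DistinguishedName): $($_.Exception.Message)"
    }
    # The matching folder under SYSVOL (what step 8 of the post checks).
    if ($gpo.gPCFileSysPath -and (Test-Path -LiteralPath $gpo.gPCFileSysPath)) {
        Find-BroadDenyAce -Acl (Get-Acl -LiteralPath $gpo.gPCFileSysPath) -Location "SYSVOL $($gpo.gPCFileSysPath)"
    }
}

if (-not $findings) { 'No Deny ACEs for broad principals on GPO objects or their SYSVOL folders.' }
$findings | Format-Table -AutoSize
```

Any row it reports, or any warning about an unreadable ACL, points at the object whose DN the recovery procedure above needs.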

This entry was posted in ActiveDirectory by James.

About James

I am an Infrastructure Systems Administrator in the Infrastructure Systems Group (ISG) within ISS. We are responsible for a number of the core services which support the IT infrastructure of the University, including Active Directory, Exchange, DNS, Central Filestore, VMware and SQL. I hold a number of current Microsoft Certifications and am also a Symantec Certified Specialist (NetBackup). http://twitter.com/JamesAPocock
