A computer account created with Active Directory Users and Computers (only the Windows Server 2003 version of the snap-in) contains invalid Access Control Entries (ACEs) if you specify a group or user account other than the default (Domain Admins) as the account allowed to "use" that computer account, i.e. to join a computer to the domain under that name with that account.
Three of the ACEs carry a zero GUID {00000000-0000-0000-0000-000000000000} in their InheritedObjectType property. Normally that property holds the schema GUID of an Active Directory object class (the class of child objects the ACE is inherited by). I discovered this because the support tool DSACLS cannot display the access control lists of the affected computer accounts: DSACLS either does not respond or reports an error. I believe that other applications which read the DACL directly may run into trouble as well if their error handling does not cover this case.
I am fairly confident, but was unable to verify it for lack of time, that the defective property is not InheritedObjectType but Flags. Flags indicates which of the two GUID fields are present: 1 (ADS_FLAG_OBJECT_TYPE_PRESENT) means ObjectType is present, 2 (ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT) means InheritedObjectType is present, and 3 means both. The three affected ACEs should carry the value 1 but carry 3, i.e. both GUIDs are flagged as present. My assumption (also not yet verified) is that AD fills in the zero GUID automatically when an ACE is added with Flags set to 3 but no InheritedObjectType supplied.
Here are the three ACEs as printed by the script below (access mask, ACE type and flags in hex):

ace.trustee: FIRMA\myaccount
ace.accessmask: 20
ace.acetype: 5
ace.objecttype: {4C164200-20C0-11D0-A768-00AA006E0529}
ace.inheritedobjecttype: {00000000-0000-0000-0000-000000000000}
ace.flags: 3
ace.aceflags: 0

ace.trustee: FIRMA\myaccount
ace.accessmask: 8
ace.acetype: 5
ace.objecttype: {72E39547-7B18-11D1-ADEF-00C04FD8D5CD}
ace.inheritedobjecttype: {00000000-0000-0000-0000-000000000000}
ace.flags: 3
ace.aceflags: 0

ace.trustee: FIRMA\myaccount
ace.accessmask: 8
ace.acetype: 5
ace.objecttype: {F3A64788-5306-11D1-A9C5-0000F80367C1}
ace.inheritedobjecttype: {00000000-0000-0000-0000-000000000000}
ace.flags: 3
ace.aceflags: 0

For reference: ACE type 5 is ADS_ACETYPE_ACCESS_ALLOWED_OBJECT. Access mask 0x20 is ADS_RIGHT_DS_WRITE_PROP, here on the User-Account-Restrictions property set ({4C164200-...}); 0x8 is ADS_RIGHT_DS_SELF (a validated write), here on Validated-DNS-Host-Name ({72E39547-...}) and Validated-SPN ({F3A64788-...}). All three ACEs apply to the computer object itself, so there is nothing for InheritedObjectType to refer to.
I further verified that after cleaning up those three ACEs with a script, DSACLS works again and everything else appears to work. The Windows 2000 version of Active Directory Users and Computers creates these ACEs correctly.
Note: I believe these are two issues that need to be fixed: the behaviour of Active Directory Users and Computers when creating a computer object, and the error handling of DSACLS.
Here is the script I wrote to clean up those ACEs for a given computer object:
' This code is provided as an example, AS IS, and confers no rights or
' warranties. It is for demonstration only and will need to be modified to run
' in other environments.
' Ulf B. Simon-Weidner, Germany, September 2004
'
Option Explicit
On Error Resume Next          ' needed for the Err.Number checks below

Const ADS_OPTION_SECURITY_MASK = 3
Const ADS_SECURITY_INFO_DACL = &H4
Const ADS_SECURE_AUTHENTICATION = 1
' ADS_FLAG_OBJECT_TYPE_PRESENT = 1, ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT = 2
Const ADS_FLAG_OBJECT_TYPE_PRESENT = &H1
Const ZERO_GUID = "{00000000-0000-0000-0000-000000000000}"

Dim strDN, strUser, strPwd
Dim objDS, objAD, objSD, objDacl, objNewDacl, objBadDacl, objAce, objNewAce

strDN = "LDAP://CN=USW001,OU=FirmaComputer,DC=firma,DC=de"
strUser = "firma\administrator"
strPwd = "xXx"

' Print all properties of one ACE in the format used in the listing above
Sub DumpAce(ace)
    WScript.Echo "ace.trustee: " & ace.Trustee
    WScript.Echo "ace.accessmask: " & Hex(ace.AccessMask)
    WScript.Echo "ace.acetype: " & Hex(ace.AceType)
    WScript.Echo "ace.objecttype: " & ace.ObjectType
    WScript.Echo "ace.inheritedobjecttype: " & ace.InheritedObjectType
    WScript.Echo "ace.flags: " & Hex(ace.Flags)
    WScript.Echo "ace.aceflags: " & Hex(ace.AceFlags)
End Sub

Set objDS = GetObject("LDAP:")
Set objAD = objDS.OpenDSObject(strDN, strUser, strPwd, ADS_SECURE_AUTHENTICATION)
Set objSD = objAD.Get("ntSecurityDescriptor")
Set objDacl = objSD.DiscretionaryAcl
Set objNewDacl = CreateObject("AccessControlList")   ' corrected copies of the defective ACEs
Set objBadDacl = CreateObject("AccessControlList")   ' the defective ACEs, removed after enumeration

For Each objAce In objDacl
    WScript.Echo
    DumpAce objAce
    If objAce.InheritedObjectType = ZERO_GUID Then
        WScript.Echo "--> This ACE will be modified !!!"
        Set objNewAce = CreateObject("AccessControlEntry")
        objNewAce.AccessMask = objAce.AccessMask
        objNewAce.AceType = objAce.AceType
        objNewAce.ObjectType = objAce.ObjectType
        objNewAce.AceFlags = objAce.AceFlags
        objNewAce.Trustee = objAce.Trustee
        ' Only ObjectType is present; the bogus InheritedObjectType is not copied
        objNewAce.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT
        objNewDacl.AddAce objNewAce
        objBadDacl.AddAce objAce
        Set objNewAce = Nothing
    End If
Next

' Remove the defective ACEs only after the enumeration above has finished
For Each objAce In objBadDacl
    objDacl.RemoveAce objAce
Next
objSD.DiscretionaryAcl = objDacl
Set objDacl = objSD.DiscretionaryAcl

' Append the corrected ACEs
For Each objAce In objNewDacl
    objDacl.AddAce objAce
    If Err.Number <> 0 Then
        WScript.Echo "Error " & Err.Number & ": " & Err.Description
        Err.Clear
    End If
    WScript.Echo
    WScript.Echo "--> New ACE"
    DumpAce objAce
Next

' Write back only the DACL part of the security descriptor
objSD.DiscretionaryAcl = objDacl
objAD.SetOption ADS_OPTION_SECURITY_MASK, ADS_SECURITY_INFO_DACL
objAD.Put "ntSecurityDescriptor", Array(objSD)
objAD.SetInfo
If Err.Number <> 0 Then
    WScript.Echo "Error " & Err.Number & ": " & Err.Description
    Err.Clear
End If

Set objNewDacl = Nothing
Set objBadDacl = Nothing
Set objDacl = Nothing
Set objSD = Nothing
Set objAD = Nothing
Set objDS = Nothing
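The script above repairs one object through ADSI. To find affected computer accounts across a whole domain it is handier to check the raw nTSecurityDescriptor bytes offline, for example from the base64 values in an LDIF export. The following Python is an added example (not code from the original page or its author): it decodes the binary ACL layout from [MS-DTYP], reports every object ACE whose Flags claims an InheritedObjectType while the GUID is all zeros, and emits a repaired ACL with the flag bit cleared, the 16-byte zero GUID dropped and the sizes recomputed. The trustee SID and the sample DACL are constructed test data that mirror the three ACEs listed above; `dacl_from_sd` is a small helper assumed here for pulling the DACL out of a full self-relative security descriptor.

```python
"""Offline check and repair of object ACEs with a bogus zero InheritedObjectType.

Operates on the raw binary DACL of an nTSecurityDescriptor ([MS-DTYP] ACL /
ACCESS_ALLOWED_OBJECT_ACE layout), so it never has to touch the directory.
The SID and the sample DACL at the bottom are constructed test data.
"""
import struct
import uuid

OBJECT_ACE_TYPES = {0x05, 0x06, 0x07, 0x08}   # allowed/denied/audit/alarm *_OBJECT ACEs
ACCESS_ALLOWED_OBJECT_ACE = 0x05
OBJECT_TYPE_PRESENT = 0x1                      # ADS_FLAG_OBJECT_TYPE_PRESENT
INHERITED_OBJECT_TYPE_PRESENT = 0x2            # ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT
ZERO_GUID = uuid.UUID(int=0)
ACL_REVISION_DS = 4                            # ACL revision required for object ACEs


def sid_to_bytes(sid):
    """Encode 'S-1-5-21-...' as binary SID: revision, count, 48-bit authority (BE), sub-authorities (LE)."""
    parts = sid.split("-")
    if parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a SID string")
    subs = [int(p) for p in parts[3:]]
    return (bytes([1, len(subs)]) + int(parts[2]).to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def build_object_ace(ace_type, mask, flags, object_type, inherited_type, sid_bytes, ace_flags=0):
    """Serialise an *_OBJECT_ACE; each GUID is only written when its Flags bit is set."""
    body = struct.pack("<II", mask, flags)
    if flags & OBJECT_TYPE_PRESENT:
        body += object_type.bytes_le
    if flags & INHERITED_OBJECT_TYPE_PRESENT:
        body += inherited_type.bytes_le
    body += sid_bytes
    return struct.pack("<BBH", ace_type, ace_flags, 4 + len(body)) + body


def build_acl(aces):
    body = b"".join(aces)
    return struct.pack("<BBHHH", ACL_REVISION_DS, 0, 8 + len(body), len(aces), 0) + body


def dacl_from_sd(sd):
    """DACL slice of a self-relative SECURITY_DESCRIPTOR (OffsetDacl lives at bytes 16..19); None if absent."""
    dacl_off = struct.unpack_from("<I", sd, 16)[0]
    if dacl_off == 0:
        return None
    acl_size = struct.unpack_from("<H", sd, dacl_off + 2)[0]
    return sd[dacl_off:dacl_off + acl_size]


def parse_ace(buf, off):
    """Decode one ACE at `off`; non-object ACEs are kept opaque (raw bytes only)."""
    ace_type, ace_flags, size = struct.unpack_from("<BBH", buf, off)
    ace = {"type": ace_type, "ace_flags": ace_flags, "size": size, "raw": buf[off:off + size]}
    if ace_type not in OBJECT_ACE_TYPES:
        return ace
    mask, flags = struct.unpack_from("<II", buf, off + 4)
    pos = off + 12
    object_type = inherited_type = None
    if flags & OBJECT_TYPE_PRESENT:
        object_type = uuid.UUID(bytes_le=buf[pos:pos + 16])
        pos += 16
    if flags & INHERITED_OBJECT_TYPE_PRESENT:
        inherited_type = uuid.UUID(bytes_le=buf[pos:pos + 16])
        pos += 16
    ace.update(mask=mask, flags=flags, object_type=object_type,
               inherited_object_type=inherited_type, sid=buf[pos:off + size])
    return ace


def is_defective(ace):
    """The symptom from the text: Flags says InheritedObjectType is present, but the GUID is all zeros."""
    return (ace["type"] in OBJECT_ACE_TYPES
            and bool(ace["flags"] & INHERITED_OBJECT_TYPE_PRESENT)
            and ace["inherited_object_type"] == ZERO_GUID)


def repair_ace(ace):
    """Clear INHERITED_OBJECT_TYPE_PRESENT and drop the zero GUID; AceSize shrinks by 16."""
    flags = ace["flags"] & ~INHERITED_OBJECT_TYPE_PRESENT
    return build_object_ace(ace["type"], ace["mask"], flags, ace["object_type"],
                            None, ace["sid"], ace["ace_flags"])


def scan_and_repair(acl):
    """Return (indexes of defective ACEs, repaired ACL bytes with AclSize recomputed)."""
    rev, sbz1, _, count, sbz2 = struct.unpack_from("<BBHHH", acl, 0)
    off, bad, out = 8, [], []
    for i in range(count):
        ace = parse_ace(acl, off)
        if is_defective(ace):
            bad.append(i)
            out.append(repair_ace(ace))
        else:
            out.append(ace["raw"])
        off += ace["size"]
    body = b"".join(out)
    return bad, struct.pack("<BBHHH", rev, sbz1, 8 + len(body), len(out), sbz2) + body


# Constructed sample: the three ACEs from the listing above (Flags 3, zero
# InheritedObjectType) plus one well-formed ACE, for a made-up trustee SID.
TRUSTEE = sid_to_bytes("S-1-5-21-1000-2000-3000-1105")            # stands in for FIRMA\myaccount
USER_ACCOUNT_RESTRICTIONS = uuid.UUID("4C164200-20C0-11D0-A768-00AA006E0529")
VALIDATED_DNS_HOST_NAME = uuid.UUID("72E39547-7B18-11D1-ADEF-00C04FD8D5CD")
VALIDATED_SPN = uuid.UUID("F3A64788-5306-11D1-A9C5-0000F80367C1")
SAMPLE_DACL = build_acl([
    build_object_ace(ACCESS_ALLOWED_OBJECT_ACE, 0x20, 0x3, USER_ACCOUNT_RESTRICTIONS, ZERO_GUID, TRUSTEE),
    build_object_ace(ACCESS_ALLOWED_OBJECT_ACE, 0x08, 0x3, VALIDATED_DNS_HOST_NAME, ZERO_GUID, TRUSTEE),
    build_object_ace(ACCESS_ALLOWED_OBJECT_ACE, 0x08, 0x3, VALIDATED_SPN, ZERO_GUID, TRUSTEE),
    build_object_ace(ACCESS_ALLOWED_OBJECT_ACE, 0x08, 0x1, VALIDATED_SPN, None, TRUSTEE),
])

if __name__ == "__main__":
    bad, fixed = scan_and_repair(SAMPLE_DACL)
    print("defective ACE indexes:", bad)
    off = 8
    for _ in range(struct.unpack_from("<H", fixed, 4)[0]):
        ace = parse_ace(fixed, off)
        print(f"type={ace['type']:#x} mask={ace['mask']:#x} flags={ace['flags']:#x} "
              f"objecttype={ace['object_type']} inherited={ace['inherited_object_type']}")
        off += ace["size"]
```

The repaired ACL is meant for reporting and for diffing against what the directory hands back after a fix; writing it back still has to go through a DACL-only security-descriptor write, as the VBScript does with ADS_SECURITY_INFO_DACL, rather than by splicing bytes into an LDIF import. Because the check keys on the Flags bit rather than on the ACE position or trustee, it also catches the same defect in deny, audit and alarm object ACEs should another tool produce them.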
Published on WindowsServerFAQ.de / WindowsServerFAQ.org, which are not related to Microsoft Corp. USA or Microsoft GmbH. Copyright 2004. All rights reserved.