Yes - I've found this bug in 2k4 and have reported it to Microsoft. Recently I have been approached (after complaining to someone in the DS-Group at MS) if this bug is still there, and I've confirmed that it's still there with R2 and was told it will be looked into.
Basically ADUC creates three wrong ACEs, where the ace.flags states that ace.inheritedObjectType is present. Since it's not present nor needed it's reported back to the interfaces with a zero-filled GUID. This field is supposed to map to a schemaIdGUID of an attribute, and there's no attribute like that. Some components do the error handling well and display the remaining SD, some (as dsacls) don't. Actually the RTM version of DSAcls was even giving out a very serious AD error in an error box. After reporting the bug in 2k4 only dsacls was partly fixed, not the issue itself.
I've published more details and a script to fix the ACLs on my website, and also mentioned it during one of my sessions at DEC:
Greetings - Sincerely,
Ulf B. Simon-Weidner
Profile & Publications: http://mvp.support.microsoft.com/profile
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
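The defect Ulf describes is visible in the raw security descriptor: an ACCESS_ALLOWED_OBJECT_ACE whose Flags field sets ACE_INHERITED_OBJECT_TYPE_PRESENT while the sixteen InheritedObjectType bytes are all zero. The following Python script is an added example, not Ulf's script and not part of the original thread: it parses the binary DACL layout documented for Windows ACLs, flags any object ACE that claims a GUID and then supplies the null GUID, and exercises the check against a constructed DACL (the SIDs, GUID and access masks in it are made up for the demonstration and correspond to no real directory).

```python
"""Detect object ACEs that claim an ObjectType / InheritedObjectType GUID
but carry an all-zero GUID (the malformed ACEs discussed in the thread).

Added example; the DACL below is constructed, not dumped from a real domain.
"""
import struct
import uuid

# ACE types that use the object-ACE layout (allowed/denied/audit/alarm object ACEs)
OBJECT_ACE_TYPES = {0x05, 0x06, 0x07, 0x08}
ACE_OBJECT_TYPE_PRESENT = 0x1            # ObjectType GUID follows the Flags field
ACE_INHERITED_OBJECT_TYPE_PRESENT = 0x2  # InheritedObjectType GUID follows
NULL_GUID = b"\x00" * 16


def parse_sid(buf):
    """Render a binary SID (revision, sub-authority count, 48-bit authority, sub-authorities)."""
    revision, sub_count = buf[0], buf[1]
    authority = int.from_bytes(buf[2:8], "big")
    subs = struct.unpack_from("<%dI" % sub_count, buf, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def parse_acl(acl):
    """Walk an ACL blob (8-byte header, then AceCount ACEs) into a list of dicts."""
    _rev, _sbz1, _acl_size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", acl, 0)
    aces, offset = [], 8
    for _ in range(ace_count):
        ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", acl, offset)
        body = acl[offset + 4:offset + ace_size]          # everything after the ACE header
        entry = {"type": ace_type, "flags": ace_flags,
                 "mask": struct.unpack_from("<I", body, 0)[0]}
        pos = 4
        if ace_type in OBJECT_ACE_TYPES:
            obj_flags = struct.unpack_from("<I", body, pos)[0]
            pos += 4
            entry["object_flags"] = obj_flags
            if obj_flags & ACE_OBJECT_TYPE_PRESENT:
                entry["object_type"] = body[pos:pos + 16]
                pos += 16
            if obj_flags & ACE_INHERITED_OBJECT_TYPE_PRESENT:
                entry["inherited_object_type"] = body[pos:pos + 16]
                pos += 16
        entry["sid"] = parse_sid(body[pos:])              # trustee SID closes the ACE
        aces.append(entry)
        offset += ace_size
    return aces


def find_null_guid_aces(acl):
    """Return (ace_index, field_name) for every GUID that is flagged present but zero-filled."""
    problems = []
    for i, ace in enumerate(parse_acl(acl)):
        for field in ("object_type", "inherited_object_type"):
            if ace.get(field) == NULL_GUID:
                problems.append((i, field))
    return problems


# --- builders used only to construct the sample DACL -------------------------
def build_sid(revision, authority, subs):
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def build_ace(ace_type, ace_flags, mask, sid, obj_flags=None, object_type=b"", inherited_type=b""):
    body = struct.pack("<I", mask)
    if obj_flags is not None:                             # object-ACE layout
        body += struct.pack("<I", obj_flags) + object_type + inherited_type
    body += sid
    return struct.pack("<BBH", ace_type, ace_flags, 4 + len(body)) + body


def build_acl(aces):
    body = b"".join(aces)
    return struct.pack("<BBHHH", 4, 0, 8 + len(body), len(aces), 0) + body  # ACL_REVISION_DS = 4


SYSTEM_SID = build_sid(1, 5, [18])                        # S-1-5-18
USER_SID = build_sid(1, 5, [21, 1111, 2222, 3333, 1105])  # constructed, not a real domain
SOME_GUID = uuid.UUID("12345678-1234-5678-1234-567812345678").bytes_le  # constructed schemaIDGUID

SAMPLE_DACL = build_acl([
    # plain ACCESS_ALLOWED_ACE, full control for SYSTEM
    build_ace(0x00, 0x00, 0x000F01FF, SYSTEM_SID),
    # defective object ACE: flag says InheritedObjectType present, GUID is zero-filled
    build_ace(0x05, 0x02, 0x20, USER_SID,
              obj_flags=ACE_INHERITED_OBJECT_TYPE_PRESENT, inherited_type=NULL_GUID),
    # well-formed object ACE with a real-looking inherited object type
    build_ace(0x05, 0x02, 0x20, USER_SID,
              obj_flags=ACE_INHERITED_OBJECT_TYPE_PRESENT, inherited_type=SOME_GUID),
])

if __name__ == "__main__":
    for idx, field in find_null_guid_aces(SAMPLE_DACL):
        ace = parse_acl(SAMPLE_DACL)[idx]
        print("ACE %d for %s: %s flagged present but null" % (idx, ace["sid"], field))
```

On a live system the same check can be run over the DACL bytes of `ntSecurityDescriptor` read from the directory; a tool that stops at the first such ACE (as the RTM dsacls did) shows fewer entries than the object actually carries, so the defective ACE must be located and repaired in the descriptor itself rather than worked around in the display.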
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernier, Brandon (.)
Sent: Friday, May 19, 2006 2:48 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DSACLS bug maybe?
Has anyone seen this issue before?
If you create a computer account in ADUC, then type "DSACLS DnOfComputerObject" it will spit out the ACLs on it. However, if you create another computer account and delegate out who can join it, DSACLS can't spit out the ACLs.