none
RightsGuid and Deep Searches

    Question

  • I am having high CPU on a domain controller and cannot quite figure out why.  I have read all the links I could find about troubleshooting high LSASS.EXE CPU.  Performance monitor shows that the highest using client is NTDSAPI.  The search using the most CPU is the Configuration container.

    Now, the searches are for 'rightsGuid' on the controlAccessRight in the Extended-Rights container.  The issue is the rightsGuid that they are searching for does not seem to exist in my Active Directory.  I have pulled a list of all rightsGuid from the Extended-Rights container, and I just do not see them.  The rightsGUID do not seem to be default MS ones that I can tell.

    ( & (rightsGuid=00000000-0000-0000-0000-000000000000) (objectCategory=CN=Control-Access-Right,CN=Schema,CN=Configuration,DC=xxxx,DC=xxxx) )

    ( & (rightsGuid=d5b40e71-d203-1af2-b6f4-34e7903a8db2) (objectCategory=CN=Control-Access-Right,CN=Schema,CN=Configuration,DC=xxxx,DC=xxxx) )

    ( & (rightsGuid=b27057ce-0036-32b6-b7b1-defa480368eb) (objectCategory=CN=Control-Access-Right,CN=Schema,CN=Configuration,DC=xxxx,DC=xxxx) )

    Any way to determine where these are if they were custom or turn them off.

    Thursday, January 19, 2017 2:30 PM

All replies

  • Hi,

    Digging deeper into the MSDN docs on Creating Control Access Rights:

    If you define a control access right for a property set, use the rightsGUID of the controlAccessRight object to identify the properties in the set. Every property is defined by an attributeSchema object in the Active Directory schema. The attributeSecurityGUID property of an attributeSchema object identifies the property set, if any, that the property belongs to.

    https://msdn.microsoft.com/en-us/library/ms675767(v=VS.85).aspx

    Have you tried to check that?

    Best regards,

    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com


    Friday, January 20, 2017 9:18 AM
    Moderator
  • Thanks for the reply Wendy, I appreciate the time to grab the images.  I am looking to see if there is a way to determine a rightsGuid or attributeSecurityGuid that is not listed.  I pulled all rightsGuid and attributeSecurityGuid from adsiedit, I do not see the numbers listed in my original post.  I believe the all zeros is 'ALL', but not quite sure on the other two.  Was thinking a previous admin may have made a custom property set with those Guids, but I am unable to locate.
    Monday, January 23, 2017 1:58 PM
  • Hi,
    Have you tried to convert the rightsGuid string and see if it helps you to find its location?
    If not, here is a suggested script regarding this, you could take a look:
    https://www.redtoo.com/ch/blog/convert-schemaguid-and-or-rightsguid-function/
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Tuesday, January 24, 2017 5:34 AM
    Moderator