Remove security permissions from AD objects for old SIDs

  • Question

  • Hello,

    I have the following problem. We recently migrated from Notes/Domino to Exchange 2010. We had some problems with the first installation. Because of that, we decided to reinstall Exchange.

    Stupidly, we deleted some Exchange objects from the AD with the Active Directory Users and Computers management tool. As a result, a simple reinstallation was not possible. After deleting all Exchange entries with ADSI, the server could then be installed again without problems and is working fine at the moment. ;-)

    The actual problem is that the security permissions on all AD objects contain obsolete SIDs (even on newly created objects). These SIDs without a doubt belong to the Exchange objects (OrganizationManagement, Exchange Server, Exchange Trusted Subsystem, Windows Exchange permissions) of the old installation.


    Is there a way to remove these permissions on all objects? I know about the tool SubInACL...

    Thanks in advance

    Martin

    PS

    In the schema object "CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=xxx,DC=xxx" there is the following string under the attribute "defaultSecurityDescriptor":

    D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(OA;;CCDC;bf967a86-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)(A;;RPLCLORC;;;AU)(A;;LCRPLORC;;;ED)(OA;;CCDC;4828CC14-1437-45bc-9B07-AD6F015E5F28;;AO)

    Could it be that a part of the value is the reason for this?
     

    • Edited by Martin Rae Thursday, September 15, 2011 7:20 AM
    Thursday, September 15, 2011 7:19 AM
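Added example, not part of the original post: a small parser for the SDDL string quoted in the question that splits the DACL into ACEs and separates two-letter well-known trustee aliases from literal SIDs (`S-1-...`), which is the form a leftover SID from a removed installation would take. The function names, the alias table and the second sample string are assumptions made for this illustration.

```python
import re

# Two-letter SDDL trustee aliases used in the posted string (SDDL defines more).
ALIASES = {"SY": "Local System", "DA": "Domain Admins", "AO": "Account Operators",
           "PO": "Printer Operators", "AU": "Authenticated Users",
           "ED": "Enterprise Domain Controllers"}

# defaultSecurityDescriptor value exactly as quoted in the post.
POSTED = (
    "D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
    "(OA;;CCDC;bf967a86-0de6-11d0-a285-00aa003049e2;;AO)"
    "(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)"
    "(OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)"
    "(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)"
    "(A;;RPLCLORC;;;AU)(A;;LCRPLORC;;;ED)"
    "(OA;;CCDC;4828CC14-1437-45bc-9B07-AD6F015E5F28;;AO)"
)
# Constructed sample (not from the post): one ACE whose trustee is a literal domain SID.
CONSTRUCTED = ("D:(A;;RPLCLORC;;;AU)"
               "(A;CI;RPWPCRSDDTSW;;;S-1-5-21-1111111111-2222222222-3333333333-1119)")

DACL_RE = re.compile(r"D:([A-Z]*)((?:\([^()]*\))*)")  # plain ACEs; no conditional ACEs

def parse_dacl(sddl):
    """Return each DACL ACE as a dict: type, flags, rights, object GUID, trustee."""
    m = DACL_RE.search(sddl)
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(2) if m else ""):
        f = body.split(";")  # type;flags;rights;object_guid;inherit_guid;trustee
        if len(f) < 6:
            raise ValueError("malformed ACE: (%s)" % body)
        aces.append({"type": f[0], "flags": f[1], "rights": f[2],
                     "object": f[3].lower(), "trustee": f[5]})
    return aces

def classify_trustees(sddl):
    """Map alias trustees to names and collect literal SIDs (S-1-...) separately."""
    aliases, literal_sids = {}, []
    for ace in parse_dacl(sddl):
        t = ace["trustee"]
        if not t.upper().startswith("S-1-"):
            aliases[t] = ALIASES.get(t, "alias not in table")
        elif t not in literal_sids:
            literal_sids.append(t)
    return aliases, literal_sids

if __name__ == "__main__":
    for label, sddl in (("posted", POSTED), ("constructed", CONSTRUCTED)):
        print(label, classify_trustees(sddl))
```

A literal SID reported by `classify_trustees` still has to be resolved against the directory to tell whether it is orphaned; the parser only shows where such a SID appears.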

Answers