How to reset AD Forest to defaults?

Question

  • Over the course of many different admins, I have an AD forest that has had its permissions modified by hand and delegated. I need to somehow get this forest's security permissions back to the defaults. The root of the forest has been modified, along with almost all of the OUs and containers. Is there a command, set of commands, or utility that can be run to return it to like new? This way I can go through and delegate permissions correctly.
    Tuesday, June 17, 2014 7:30 PM

Answers

  • Yes, but it's going to break apps eventually (most likely) - it's only (easily) possible to revert permissions to an object class default security definition in the schema - but apps like Exchange, Lync etc. add ACEs to ACLs and those are not in the default schema, neither are all ACL changes that are done with ADPREP etc.

    There is a tool called ACLDiag that you can run in a fresh forest, for example on the root of the domain, then run it in your forest and compare the differences.

    But there is no easy way to reset things to "default" - by the end of the day it might be a better idea to spin up a new forest and migrate users, groups and resources over.

     

    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

    • Proposed as answer by Idan Vexler Tuesday, June 17, 2014 9:48 PM
    • Marked as answer by Frank Shen5 Tuesday, July 1, 2014 8:47 AM
    Tuesday, June 17, 2014 8:55 PM

All replies

  • I suspect the closest thing to an easy button is to go to the domain root/Properties/Security tab/Advanced and click the Restore Defaults button. Rinse and repeat for all sub-containers and OUs.

    For your sake I hope someone smarter than I has a more elegant solution but that's what I could come up with off the top of my head.

    Tuesday, June 17, 2014 9:19 PM
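Both suggestions above (the accepted answer's ACLDiag comparison against a fresh forest, and the Restore Defaults button in this reply) come down to the same reference point: the `defaultSecurityDescriptor` attribute on the object's `classSchema` entry. The script below is an added example written for this thread, not something posted by anyone in it. It reads that schema default for one object's class, reads the object's live DACL, and reports the explicit ACEs that differ in each direction, so you can see what a Restore Defaults would strip (including the Exchange, Lync and ADPREP entries the accepted answer warns about) before touching anything. It changes nothing. The function names, the `$DistinguishedName` parameter and the sample DN are my own; it assumes the RSAT ActiveDirectory module and a host joined to the same domain as the object, so that domain-relative SDDL aliases such as `DA` in the default resolve to the right domain SID.

```powershell
<#
  Added example, not from the thread. Read-only diff of one AD object's explicit
  DACL against the schema default for its object class (classSchema attribute
  defaultSecurityDescriptor), which is what "Restore Defaults" writes back and
  what ACLDiag's schema check compares against. Nothing is modified.
  Assumes: RSAT ActiveDirectory module; run from a host joined to the same
  domain as the object so aliases like DA/DU in the SDDL resolve correctly.
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$DistinguishedName   # placeholder, e.g. 'OU=Sales,DC=corp,DC=example'
)

Import-Module ActiveDirectory -ErrorAction Stop

function Get-AceKey {
    # Comparable string for one ACE: principal SID, allow/deny, rights mask,
    # object/property GUID, inherited-object-class GUID and inheritance scope.
    param([System.DirectoryServices.ActiveDirectoryAccessRule]$Ace)
    '{0}|{1}|{2}|{3}|{4}|{5}' -f $Ace.IdentityReference.Value,
        $Ace.AccessControlType, [int]$Ace.ActiveDirectoryRights,
        $Ace.ObjectType, $Ace.InheritedObjectType, $Ace.InheritanceType
}

function Resolve-SidName {
    # Friendly name for the report; an unresolvable SID stays raw (itself a finding).
    param([System.Security.Principal.IdentityReference]$Sid)
    try   { $Sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid.Value }
}

function Get-ExplicitAceTable {
    # Hashtable key -> ACE for explicit (non-inherited) ACEs only. The schema
    # default never carries inherited ACEs; those come from the parent at
    # creation time, so they are not comparable here.
    param([System.DirectoryServices.ActiveDirectorySecurity]$Sd)
    $table = @{}
    $rules = $Sd.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) { $table[(Get-AceKey $ace)] = $ace }
    $table
}

function New-ReportRow {
    param([string]$Status, [System.DirectoryServices.ActiveDirectoryAccessRule]$Ace)
    [pscustomobject]@{
        Status      = $Status
        Principal   = Resolve-SidName $Ace.IdentityReference
        Type        = $Ace.AccessControlType
        Rights      = $Ace.ActiveDirectoryRights
        ObjectType  = $Ace.ObjectType
        Inheritance = $Ace.InheritanceType
    }
}

# 1. The live object and its structural class (e.g. organizationalUnit, domainDNS)
$object = Get-ADObject -Identity $DistinguishedName
$class  = $object.ObjectClass

# 2. The schema default for that class, stored as an SDDL string
$schemaNC    = (Get-ADRootDSE).schemaNamingContext
$classSchema = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$class))" `
    -Properties defaultSecurityDescriptor
if (-not $classSchema.defaultSecurityDescriptor) {
    throw "No defaultSecurityDescriptor found in the schema for class '$class'."
}
$defaultSd = New-Object System.DirectoryServices.ActiveDirectorySecurity
$defaultSd.SetSecurityDescriptorSddlForm($classSchema.defaultSecurityDescriptor)

# 3. The live DACL, read through the AD: PSDrive the module provides
$liveSd = Get-Acl -Path "AD:\$DistinguishedName"

$defaultAces = Get-ExplicitAceTable $defaultSd
$liveAces    = Get-ExplicitAceTable $liveSd

# 4. Diff. 'Added' = on the object but not in the schema default: hand delegation,
#    but also what ADPREP, Exchange or Lync wrote, all of which Restore Defaults
#    would strip. 'Missing' = in the schema default but removed from the object.
$report = @()
foreach ($key in $liveAces.Keys) {
    if (-not $defaultAces.ContainsKey($key)) { $report += New-ReportRow 'Added' $liveAces[$key] }
}
foreach ($key in $defaultAces.Keys) {
    if (-not $liveAces.ContainsKey($key)) { $report += New-ReportRow 'Missing' $defaultAces[$key] }
}

if ($report.Count -eq 0) {
    "Explicit DACL of $DistinguishedName matches the schema default for class '$class'."
} else {
    $report | Sort-Object Status, Principal | Format-Table -AutoSize
}
```

Run it once per container or OU you are considering resetting (`.\Compare-AdDefault.ps1 -DistinguishedName 'DC=corp,DC=example'`, with your own DN). Treat every Added row as something to account for rather than something to delete: application ACEs and deliberate delegations that support a business process look identical to stray hand edits in this output, which is exactly the point the later reply about undoing business mechanics makes.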
  • I'd also be wary that in resetting the permissions you're not undoing mechanics that support business process, as delegation is quite often aimed at supporting/enforcing this.

    Cheers,
    Lain

    Wednesday, June 18, 2014 2:10 AM