AD Permissions issue

    Question

  • I"m a SQL Server engineer and not as familar with AD. We’re having problems with a SQL Cluster install. Looking at the cluster log,  The issue is with bringing the SQL Server virtual name on line. The error is coming from AD with an indication of permission denied

    The Cluster CNO needs the following permissions in the computers OU container to create computer objects ( following https://blogs.msdn.microsoft.com/psssql/2013/09/30/error-during-installation-of-an-sql-server-failover-cluster-instance/ ) :

    • List contents
    • Read all properties
    • Read permissions
    • Create Computer Objects

    The client applied these permissions. When we rechecked permissions, however, we found that the CNO had the Create Computer Objects permission, but not the others. I then watched as they granted those permissions and clicked Apply. When we rechecked, the new permissions were no longer there. They are using the domain admin account when modifying AD.

    I assume there is a permissions issue but don't know what it would be. Any suggestions?

    thanks

    Monday, December 19, 2016 4:53 PM

All replies

  • Possibly the CNO object in AD is a member of a protected group, like "Domain Admins" or one of the Operator groups. If so, a process runs once per hour to restore permissions. If this is the case, can you remove this object from the protected group? Note that this includes membership due to group nesting.

    Edit: If you suspect this is your problem, but cannot determine what group membership is causing it, this script might help:

    https://gallery.technet.microsoft.com/Find-Orphaned-Objects-in-dba8a007?redir=0

    The purpose of the script is to find objects that were once members of a protected group, but are not now (orphaned objects). But the script also outputs all protected objects (because they are members of a protected group) and what group membership makes them protected.

    This Wiki article explains the process that restores permissions of protected objects, with links to documentation:

    http://social.technet.microsoft.com/wiki/contents/articles/33307.active-directory-find-orphaned-objects.aspx


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)


    Monday, December 19, 2016 5:26 PM
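An added check for the condition described in the reply above (not part of the thread or the linked script): it uses the ActiveDirectory PowerShell module, assumed to be installed, to report whether the CNO's computer object carries adminCount=1 and which protected group, direct or nested, it belongs to. The CNO name is a placeholder.

```powershell
# Added example, not from the thread. Reports whether an AD computer object
# (the cluster CNO) is governed by AdminSDHolder/SDProp and which protected
# group membership, including nested membership, causes it.
param([string]$CnoName = 'CLUSTERCNO')   # placeholder, replace with your CNO's name

Import-Module ActiveDirectory

# Default protected groups whose members SDProp re-stamps hourly.
$protectedGroups = @(
    'Administrators', 'Account Operators', 'Server Operators', 'Print Operators',
    'Backup Operators', 'Replicator', 'Domain Admins', 'Enterprise Admins',
    'Schema Admins', 'Domain Controllers', 'Read-only Domain Controllers'
)

$cno = Get-ADComputer -Identity $CnoName -Properties adminCount

# adminCount=1 means SDProp has stamped the object at some point. It is not
# cleared automatically when the object leaves the group (an "orphaned" object).
if ($cno.adminCount -eq 1) {
    Write-Host "$($cno.Name) has adminCount=1 (currently or formerly protected)."
}

# LDAP_MATCHING_RULE_IN_CHAIN resolves nested group membership server-side.
$chainFilter = "(member:1.2.840.113556.1.4.1941:=$($cno.DistinguishedName))"
$allGroups   = Get-ADGroup -LDAPFilter $chainFilter

$culprits = $allGroups | Where-Object { $protectedGroups -contains $_.Name }
if ($culprits) {
    Write-Host "Protected group membership found (direct or nested):"
    $culprits | ForEach-Object { Write-Host "  $($_.DistinguishedName)" }
    Write-Host "SDProp will keep overwriting this object's ACL until it is removed."
} else {
    Write-Host "No protected group membership found."
    if ($cno.adminCount -eq 1) {
        Write-Host "Object looks orphaned: adminCount is set but no protected group remains."
    }
}
```

Run it as a user that can read the computer object and group membership; if it reports a protected group, removing the CNO from that group (or the nested group) before re-granting the OU permissions is what stops them from disappearing.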