locked
Restore default security on OU and objects in OU RRS feed

  • Question

  • Welcome,

    On windows 2003 was working

    dsacls "OU=..." /S /T

    Now i got error:

    The parameter is incorrect.

    The command failed to complete successfully

    So How to restore security settings on OU and all objects inside ?

    for /f "tokens=*" %i in ('"dsquery computer OU.. -limit 0"') do dsacls %i /resetDefaultDACL  /resetDefaultSACL /takeOwnership

    Is it ok ? but how for all objects not related to type cumputer,user,group etc

    Monday, June 24, 2013 8:14 PM

Answers

  • Related to windows 2008 finded in 70-646 book

    Reset default permissions. dsacls dn -resetdefaultdacl
    C:\>dsacls "ou=east,ou=sales,dc=pearson,dc=pub" –resetdefaultdacl
    If you made a mistake when modifying permissions on an object, you can always return it to the original permissions

    But nowhere how to reset to all objects in OU

    So after testing

    for /f "tokens=*" %i in ('dsquery * "OU=" -limit 0') do dsacls %i /resetDefaultDACL  /takeOwnership

    Wednesday, June 26, 2013 3:28 PM

All replies

  • The deafult security descriptor within the schema should define the default settings for each object type.  You would have to look at that and from there, the settings reset back if you don't know what they are.

    Not sure on the reset via your script line.  I have done a lot of work with permissions within AD and it is not an easy thing to do and to start reseting everything is frought with possible issues since you may have containers/OU's you don't own and/or have permissions to change.


    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    Twitter @pbbergs
    http://blogs.dirteam.com/blogs/paulbergson

    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

    • Proposed as answer by Meinolf Weber Tuesday, June 25, 2013 7:55 AM
    Monday, June 24, 2013 8:49 PM
  • If you're doing this you may break apps, please just be aware of this. Are you running the commands in a evulated command prompt?

    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

    Tuesday, June 25, 2013 5:05 AM
  • Related to windows 2008 finded in 70-646 book

    Reset default permissions. dsacls dn -resetdefaultdacl
    C:\>dsacls "ou=east,ou=sales,dc=pearson,dc=pub" –resetdefaultdacl
    If you made a mistake when modifying permissions on an object, you can always return it to the original permissions

    But nowhere how to reset to all objects in OU

    So after testing

    for /f "tokens=*" %i in ('dsquery * "OU=" -limit 0') do dsacls %i /resetDefaultDACL  /takeOwnership

    Wednesday, June 26, 2013 3:28 PM