Application Directory Partition Default Security
Applies To: Windows Server 2008 R2
When you create a new application directory partition, a new security descriptor is calculated and assigned to the application directory partition object.
Events
| Event ID | Source | Message |
|---|---|---|
| | Microsoft-Windows-ActiveDirectory_DomainService | AD_TERM was unable to correctly create the default security descriptor for the following application directory partition. Application directory partition: %3 User Action Review the access control list (ACL) on the newly created application directory partition. Ensure the Replication Get Changes All access right is assigned to both the Enterprise Domain Controllers group and the Enterprise Read-only Domain Controllers group, and remove the right from the domain Domain Controllers group. Additional Data Error value: %1 %2 |
| | Microsoft-Windows-ActiveDirectory_DomainService | The default access control list (ACL) on the following Domain-DNS object class has been previously removed. All subsequently created domain and application directory partitions will permit insecure access. User Action To secure access to domain and application directory partitions created in the future, revert the default security descriptor on the Domain-DNS object class in the schema back to the default setting. |
| | Microsoft-Windows-ActiveDirectory_DomainService | AD_TERM was unable to access the security identifier (SID) associated with the Enterprise Domain Controllers group or the Enterprise Read-only Domain Controllers group. |
| | Microsoft-Windows-ActiveDirectory_DomainService | AD_TERM was unable to delete the access control entry (ACE) for the domain Domain Controllers security group on the newly created application directory partition. This ACE gave the domain Domain Controllers security group the Replication Get Changes All right for the following newly created application directory partition. Application directory partition: %3 User Action Review the access control list (ACL) on the newly created application directory partition. Ensure the right Replication Get Changes All is given to both the Enterprise Domain Controllers group and the Enterprise Read-only Domain Controllers group, and remove that right from the domain Domain Controllers group. Additional Data Error value: %1 %2 |
| | Microsoft-Windows-ActiveDirectory_DomainService | AD_TERM failed to create an access control entry (ACE) for the Enterprise Domain Controllers group or the Enterprise Read-only Domain Controllers group on a newly created application directory partition. Application directory partition: %3 User Action Review the access control list (ACL) on the newly created application directory partition. Ensure the Replication Get Changes All access right is assigned to both the Enterprise Domain Controllers group and the Enterprise Read-only Domain Controllers group, and remove the right from the domain Domain Controllers group. |
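
The ACL review that the User Action text in these events asks for can be scripted. The following is an added example, not code from this page or from Microsoft: it lists which trustees hold Replication Get Changes All on a partition and compares them with the expected assignment. The function names and the partition DN are hypothetical; the script assumes the ActiveDirectory module is available and matches the two domain-relative groups by their well-known RIDs (498 and 516).

```powershell
# Added example: audit Replication Get Changes All on an application directory partition.
Import-Module ActiveDirectory

# Control access right GUID for Replication Get Changes All (DS-Replication-Get-Changes-All)
$GetChangesAll = [Guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'

function Get-ReplGetChangesAllTrustee {
    # Hypothetical helper: returns the SIDs allowed this right on the partition head.
    param([Parameter(Mandatory = $true)][string]$PartitionDN)

    $acl = Get-Acl -Path "AD:\$PartitionDN"
    # Ask for SIDs rather than names so the check does not depend on name resolution.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        $isExtended = ($r.ActiveDirectoryRights -band
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0
        if ($r.AccessControlType -eq 'Allow' -and $isExtended -and
            $r.ObjectType -eq $GetChangesAll) {
            $r.IdentityReference.Value
        }
    }
}

function Test-PartitionReplicationAcl {
    # Hypothetical helper: compares the trustee list with the assignment the events describe.
    param([string[]]$TrusteeSid)

    $sids = @($TrusteeSid)
    # S-1-5-9 = Enterprise Domain Controllers
    $hasEdc  = $sids -contains 'S-1-5-9'
    # RID 498 = Enterprise Read-only Domain Controllers
    $hasRodc = @($sids | Where-Object { $_ -match '^S-1-5-21-.+-498$' }).Count -gt 0
    # RID 516 = the domain Domain Controllers group
    $hasDc   = @($sids | Where-Object { $_ -match '^S-1-5-21-.+-516$' }).Count -gt 0

    New-Object PSObject -Property @{
        EnterpriseDomainControllers         = $hasEdc
        EnterpriseReadOnlyDomainControllers = $hasRodc
        DomainControllersStillGranted       = $hasDc
        Compliant                           = ($hasEdc -and $hasRodc -and -not $hasDc)
    }
}

# Constructed placeholder DN; substitute the partition named in the event (%3).
$partition = 'DC=ExampleApp,DC=example,DC=com'
Test-PartitionReplicationAcl -TrusteeSid (Get-ReplGetChangesAllTrustee -PartitionDN $partition)
```

The check only considers ACEs that name this right explicitly; an ACE that grants all extended rights or full control to a trustee also confers it and needs a separate review.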