Freigeben über


Application Directory Partition Default Security

Applies To: Windows Server 2008 R2

When you create a new application directory partition, a new security descriptor is calculated and assigned to the application directory partition object.

Events

Event ID Source Message

1979

Microsoft-Windows-ActiveDirectory_DomainService

AD_TERM was unable to correctly create the default security descriptor for the following application directory partition.

Application directory partition:
%3

User Action
Review the access control list (ACL) on the newly created application directory partition. Ensure the Replication Get Changes All access right is assigned to both the Enterprise Domain Controllers group and the Enterprise Read-only Domain Controllers group, and remove the right from the domain Domain Controllers group.

Additional Data
Error value:
%1 %2

1980

Microsoft-Windows-ActiveDirectory_DomainService

The default access control list (ACL) on the following Domain-DNS object class has been previously removed.

All subsequently created domain and application directory partitions will permit insecure access.

User Action
To secure access to domain and application directory partitions created in the future, revert the default security descriptor on the Domain-DNS object class in the schema back to the default setting.

1981

Microsoft-Windows-ActiveDirectory_DomainService

AD_TERM was unable to access the security identifier (SID) associated with the Enterprise Domain Controllers group or the Enterprise Read-only Domain Controllers group.

1982

Microsoft-Windows-ActiveDirectory_DomainService

AD_TERM was unable to delete the access control entry (ACE) for the domain Domain Controllers security group on the newly created application directory partition. This ACE gave the domain Domain Controllers security group the Replication Get Changes All right for the following newly created application directory partition.

Application directory partition:
%3

User Action
Review the access control list (ACL) on the newly created application directory partition. Ensure the right Replication Get Changes All is given to both the Enterprise Domain Controllers group and the Enterprise Read-only Domain Controllers group, and remove that right from the domain Domain Controllers group.

Additional Data
Error value:
%1 %2

1983

Microsoft-Windows-ActiveDirectory_DomainService

AD_TERM failed to create an access control entry (ACE) for the Enterprise Domain Controllers group or the Enterprise Read-only Domain Controllers group on a newly created application directory partition.

Application directory partition:
%3

User Action
Review the access control list (ACL) on the newly created application directory partition. Ensure the Replication Get Changes All access right is assigned to both the Enterprise Domain Controllers group and the Enterprise Read-only Domain Controllers group, and remove the right from the domain Domain Controllers group.

Application Directory Partition

Active Directory