Data from Active Directory Users and Computers is not available from domain controller because the specified directory service attribute or value does not exist

Saeed Abdollahi 1 Reputation point
2021-09-30T07:46:22.577+00:00

Hi,
I was making some changes to my domain today and mistakenly denied the read permission of Authenticated Users in my domain in the Active Directory Users and Computers console. Now I can't open this console and I get this error:

Data from Active Directory Users and Computers is not available from domain controller because the specified directory service attribute or value does not exist

How can I change this permission another way, such as with a command or PowerShell?


3 answers

  1. Gary Reynolds 9,406 Reputation points
    2021-09-30T17:32:12.31+00:00

    Hi @Saeed Abdollahi ,

    I just did some testing on my test domain; dsacls doesn't provide the ability to remove a specific ACE that has been set. You will need to use ldp to remove the deny permission.

    Open ldp, then connect and bind to your AD.
    Select Tree from the View menu and select your default NC.
    In the tree pane, right-click the root of your domain and select Advanced, Security Descriptor.
    In the dialog, check all NT AUTHORITY\Authenticated Users entries to find the deny permission.
    When you find the offending deny permission, delete it and then update.

    This worked in my test domain.

    Gary.

    1 person found this answer helpful.
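A scripted counterpart to the ldp steps in the answer above, as an added example that is not part of the original thread. It uses the .NET System.DirectoryServices classes from PowerShell; the `-ObjectDn` value and the `-Remove` switch are names chosen for this example, and it assumes the account running it can still read and write the DACL of the object, as the ldp session in the answer did.

```powershell
# Added example, not from the thread: list explicit Deny ACEs for
# Authenticated Users (well-known SID S-1-5-11) on one AD object and
# remove them only when -Remove is given.
param(
    # Distinguished name of the object that carries the bad ACE,
    # e.g. 'DC=example,DC=com' (placeholder, replace with your own).
    [Parameter(Mandatory)] [string] $ObjectDn,
    [switch] $Remove
)

Add-Type -AssemblyName System.DirectoryServices

$entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$ObjectDn")
# Request only the DACL so the owner and SACL are neither read nor rewritten.
$entry.psbase.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Dacl
$acl = $entry.psbase.ObjectSecurity

# Explicit (non-inherited) rules only, with identities returned as SIDs so the
# match does not depend on name resolution or display language.
$sidType   = [System.Security.Principal.SecurityIdentifier]
$denyRules = @($acl.GetAccessRules($true, $false, $sidType) | Where-Object {
    $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny -and
    $_.IdentityReference.Value -eq 'S-1-5-11'
})

if ($denyRules.Count -eq 0) {
    Write-Output "No explicit Deny ACE for Authenticated Users on $ObjectDn"
    return
}

# Show what was found so it can be reviewed before anything is changed.
$denyRules | Format-List ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType

if ($Remove) {
    foreach ($rule in $denyRules) {
        # Removes only the ACE that matches this rule exactly.
        $acl.RemoveAccessRuleSpecific($rule)
    }
    $entry.psbase.CommitChanges()
    Write-Output "Removed $($denyRules.Count) Deny ACE(s) from $ObjectDn"
}
```

Run it once without `-Remove` to review the listed entries, then again with `-Remove`; if the Deny ACE was set on a lower OU, pass that OU's distinguished name instead of the domain root.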

  2. Limitless Technology 39,501 Reputation points
    2021-09-30T13:21:29.45+00:00

    Hello @Saeed Abdollahi

    You can use CMD as Domain Administrator:

    icacls C:\Temp\ACL /T /C /grant DOMAIN\<GroupName>:F

    a sequence of simple rights:  
            N - no access  
            F - full access  
            M - modify access  
            RX - read and execute access  
            R - read-only access  
            W - write-only access  
            D - delete access  
    

    Hope this helps with your query,



  3. Gary Reynolds 9,406 Reputation points
    2021-09-30T15:54:43.45+00:00

    Hi @Saeed Abdollahi ,

    At what OU level in AD did you set the deny permissions? Was it at the root of the domain or a lower level?

    Have a look at the dsacls command to see if you can list the permissions; details here: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)

    Gary.