Hello Etech-6440,
Thank you for your question.
I just did some testing on my test domain. dsacls doesn't provide the ability to remove a specific ACE that has been set. You will need to use ldp to remove the deny permission.
1) Open ldp, then connect and link to your AD
2) Select Tree in the View menu and select your default NC
3) In the tree pane, right-click your domain root and select Advanced, Security Descriptor
4) In the dialog, check all NT AUTHORITY entries / Authenticated Users to find the deny permission
When you find the offending deny permission, delete it and update.
This worked on my test domain!
See also the article below that contains useful information:
https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/dcpromo-demotion-fails
If the answer is helpful, please upvote and accept it as an answer.
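
An added example, not part of the answer above: a read-only PowerShell check that lists the Deny ACEs held by Authenticated Users in a security descriptor, useful for locating the entry from step 4 and for confirming it is gone after the update. The function name `Get-DenyAce` and the sample SDDL string (including its GUID) are constructed for illustration.

```powershell
# Added example: list Deny ACEs for one trustee in a security descriptor (read-only).
Add-Type -AssemblyName System.DirectoryServices   # for the ActiveDirectoryRights enum

function Get-DenyAce {
    param(
        [Parameter(Mandatory)][string]$Sddl,
        # S-1-5-11 is the well-known SID of NT AUTHORITY\Authenticated Users
        [string]$TrusteeSid = 'S-1-5-11'
    )
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Plain deny ACEs and object-specific deny ACEs (extended rights, properties)
        $isDeny = $ace.AceType.ToString() -in 'AccessDenied', 'AccessDeniedObject'
        if (-not $isDeny -or $ace.SecurityIdentifier.Value -ne $TrusteeSid) { continue }

        $objectType = $null
        if ($ace -is [System.Security.AccessControl.ObjectAce]) {
            $objectType = $ace.ObjectAceType   # GUID of the right or attribute being denied
        }
        [pscustomobject]@{
            AceType    = $ace.AceType
            Rights     = [System.DirectoryServices.ActiveDirectoryRights]$ace.AccessMask
            ObjectType = $objectType
            Inherited  = $ace.IsInherited
        }
    }
}

# Constructed sample descriptor: one object-specific Deny for Authenticated Users (AU),
# one Deny for Everyone (WD), one Allow for AU. The GUID is a placeholder.
$sample = 'D:(OD;;CR;11111111-2222-3333-4444-555555555555;;AU)(D;;WP;;;WD)(A;;RP;;;AU)'
Get-DenyAce -Sddl $sample | Format-List

# Against a live domain root (assumes the RSAT ActiveDirectory module is installed):
#   Import-Module ActiveDirectory
#   $root = (Get-ADDomain).DistinguishedName
#   Get-DenyAce -Sddl (Get-Acl "AD:\$root").Sddl
```

On the sample descriptor only the first ACE is returned; the Deny for Everyone and the Allow for Authenticated Users are filtered out.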