Inheritance for Computer AD objects

FXE 521 Reputation points
2022-03-03T09:05:57.563+00:00

Hi all,

I'm facing an inheritance question about Computer objects in AD.
In an OU, each Computer object does not have the same ACL, whereas inheritance is set on each object.
So I would like to get the same rights on all of these AD objects.

First question: why are the ACLs not the same?
Second question: how should I proceed to get consistent ACLs?

Thank you.
Regards,


Answer accepted by question author
  1. Gary Reynolds 9,626 Reputation points
    2022-04-05T08:31:42.007+00:00

    Hi,

    You can reset the permissions using the ADUC security dialog, which is very manual, or you can use the dsacls /resetdefaultDACL command. I'm not aware of any PowerShell commands that can reset the permissions.

    You could use PowerShell to automate the running of the dsacls command, with a list of objects that you want to reset.

    Gary.

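As an added example (not Gary's code and not a Microsoft tool) that covers both the diagnosis asked for in the question and the reset described in this answer: a PowerShell script that compares the DACLs of every computer object directly under one OU, reports objects that block inheritance or carry ACEs the other objects do not, and, only when -Reset is given, runs dsacls /resetDefaultDACL on those outliers. It assumes the RSAT ActiveDirectory module is installed; the OU DN parameter, the -Reset switch and the Get-AceKeys helper are names chosen here.

```powershell
# Added example: compare computer-object DACLs within one OU and optionally reset the outliers.
# Assumes the RSAT ActiveDirectory module (provides Get-ADComputer and the AD: drive).
param(
    [Parameter(Mandatory)] [string] $OuDn,   # placeholder, e.g. "OU=Workstations,DC=corp,DC=example"
    [switch] $Reset                           # without it the script only reports
)
Import-Module ActiveDirectory

# Read one object's DACL and turn each ACE into a normalized string so ACEs can be compared.
function Get-AceKeys {
    param([string] $DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    [pscustomobject]@{
        Protected = $acl.AreAccessRulesProtected   # $true means inheritance is blocked on this object
        Keys      = @($acl.Access | ForEach-Object {
            '{0}|{1}|{2}|{3}|{4}|{5}' -f $_.IdentityReference, $_.AccessControlType,
                $_.ActiveDirectoryRights, $_.ObjectType, $_.InheritedObjectType, $_.IsInherited
        } | Sort-Object -Unique)
    }
}

$computers = @(Get-ADComputer -SearchBase $OuDn -SearchScope OneLevel -Filter *)
if ($computers.Count -lt 2) { throw "Need at least two computer objects in $OuDn to compare." }

$perObject = @{}
foreach ($c in $computers) { $perObject[$c.DistinguishedName] = Get-AceKeys $c.DistinguishedName }

# ACEs present on every object form the baseline; anything else is a mismatch worth looking at.
$allKeys  = foreach ($entry in $perObject.Values) { $entry.Keys }
$baseline = @($allKeys | Group-Object | Where-Object { $_.Count -eq $computers.Count } |
              ForEach-Object { $_.Name })

foreach ($dn in $perObject.Keys) {
    $info    = $perObject[$dn]
    $extra   = @($info.Keys | Where-Object { $baseline -notcontains $_ })
    $missing = @($baseline  | Where-Object { $info.Keys -notcontains $_ })
    if ($info.Protected -or $extra.Count -or $missing.Count) {
        Write-Output "MISMATCH: $dn (inheritance blocked: $($info.Protected))"
        $extra   | ForEach-Object { Write-Output "  only on this object: $_" }
        $missing | ForEach-Object { Write-Output "  missing here       : $_" }
        if ($Reset) {
            # Replaces the object's DACL with the schema default (defaultSecurityDescriptor),
            # as the accepted answer suggests; explicit ACEs added later on this object are lost.
            & dsacls.exe $dn /resetDefaultDACL
        }
    }
}
```

Run it report-only first and review the listed ACEs; -Reset discards any explicitly assigned ACEs on the affected objects, so confirm the mismatches are not intentional delegations before resetting.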

6 additional answers

  1. Gary Reynolds 9,626 Reputation points
    2022-03-03T10:43:55.223+00:00

    Hi @FXE

    Yes, objects that are created in the same OU should have the same permissions. The base permissions should be the same on newly created objects, as they are defined in the defaultSecurityDescriptor attribute of the computer object in the schema. These are the default permissions that are allocated in my test environment:

    (screenshot: 179620-image.png)

    These permissions should be assigned to any new computer objects that are created; then the inherited permissions will be assigned, and these will be added to or replace the base permissions. Then any permissions that are specific to the computer object will be added, i.e. write SPN etc.

    Are you able to share the differences you are seeing between the computer objects?

    Gary.


  2. FXE 521 Reputation points
    2022-03-04T08:57:42.44+00:00

    Hi @Gary Reynolds and thank you for your answer.

    What is the tool you used to get the ACL on objects? I could use it to show you the differences between objects.

    Thank you.


  3. FXE 521 Reputation points
    2022-03-22T09:53:07.307+00:00

    Hi @Gary Reynolds ,

    Here is what I have on the OU container:

    (screenshot: 185602-image.png)

    Below is what I have on a computer object with the inheritance issue:

    (screenshot: 185578-image.png)

    There are other mismatches, but I'm focusing on the AD group "grp.HelpDesk.ADComputersManagement".


  4. Gary Reynolds 9,626 Reputation points
    2022-03-22T11:27:47.157+00:00

    Hi @FXE

    I'm not sure what permissions have been assigned or where, but it does appear that they have been inherited from the root and a sub OU. I've tried to create the same in my test environment but I haven't been successful, as I don't have enough info. This is what I have created in my environment.

    At the root, these permissions are assigned: two read permissions.

    (screenshot: 185613-image.png)

    These are the test4 OU permissions, two permissions assigned which match the ones you have on your OU.

    (screenshot: 185596-image.png)

    No additional permissions are assigned on the test5 OU, just the permissions inherited from the parent OUs.

    (screenshot: 185627-image.png)

    And the computer object in the test5 OU, which matches the permissions on the OU.

    (screenshot: 185469-image.png)

    Can you check whether you have the same permissions, or provide a bit more information on where the permissions are assigned and what the OU structure of the screenshots you shared is?

    If you have NetTools v1.30.11 beta or above, you can use the following AD Permissions Reporter filter to get a list where the grp.help.ADComputerManagement group has been assigned permissions. See this post on how to import the filter.

    ```ini
    [check grp.HelpDesk.ADComputerManagement]
    Count=1
    Options=18437
    Rule1_Enabled=1
    Rule1_Options=1280
    Rule1_SDControl=0
    Rule1_SDNotControl=0
    Rule1_SDNullAcl=0
    Rule1_Prompt=0
    Rule1_Trustee=grp.HelpDesk.ADComputerManagement
    Rule1_Token=0
    Rule1_Scope=12
    Rule1_NotScope=0
    Rule1_ACEType=0
    Rule1_ACEFlags=0
    Rule1_ACENotFlags=0
    Rule1_Perms=0
    Rule1_NotPerms=0
    Rule1_MatchRules=546
    ```

    Gary.
