Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2014-08-04) Incorrectly Ordered Permissions After Removing ACE With LDP

Posted by Jorge on 2014-08-04


I was testing something in my test environment, based upon W2K12R2, regarding the confidentiality bit and the required permissions. I had created a PowerShell script to apply the required permissions on every OU in scope for the assigned trustee. The PowerShell script works great. As you may know both DSACLS and LDP are other tools that can be used to configure the required CONTROL_ACCESS extended right. After configuring the permissions through the PowerShell, I then used LDP to remove the ACE that was configured. Rerunning the PowerShell script resulted in the error as shown below.

image

Figure 1: Error Thrown By PowerShell Because Of Incorrectly Ordered Permissions

Exception calling "SetAccessRule" with "1" argument(s): "This access control list is not in canonical form and therefore cannot be modified."
At line:8 char:1
+ $aclOU.SetAccessRule($AccessRule)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : InvalidOperationException

That was weird, the script just worked correctly in the previous run. After checking the permissions with ADUC or ADSIEDIT, I got the following message: "The permissions on Users are incorrectly ordered, which may cause some entries to be ineffective"

image

Figure 2: Warning Thrown By Active Directory Users And Computers (ADUC) Because Of Incorrectly Ordered Permissions

If CANCEL is clicked, nothing is changed and you will be able to view the permissions in read-only mode. You will not be able to change anything.

If REORDER is clicked, the permissions are reordered and reapplied correctly. You will now be able to change anything you like.

Funny enough if you use LDP to add an ACE, the issue does not occur. Removing an existing ACE results in this error/warning. After some testing I also found out it does not occur on every OU. Even some more testing proved this to occur when having a large number of explicit ACEs on an OU.

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

3 Responses to “(2014-08-04) Incorrectly Ordered Permissions After Removing ACE With LDP”

  1. […] Also see this blog post. […]

  2. […] Also see this blog post. […]

  3. […] seeing this error you may think about incorrect ordering of ACEs, as explained in the blog post (2014-08-04) Incorrectly Ordered Permissions After Removing ACE With LDP, or might even think your AD schema is in a bad […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: