This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(220.8, 0%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESA%3C/text%3E%3C/svg%3E)
hi
I was making some changes to my domain today and mistakenly i deny read permission of authenticated users in my domain in active directory users and computers console and now i cant open this console and i have this error :
data from active directory users and computers in not available from domain contoller because the specified directory service attribute or value does not exist
how can i change this permission from another way like command or powershell?
Hi @Saeed Abdollahi ,
Just did some testing on my test domain, dsacls doesn't provide the ability to remove a specific ace that has been set. You will need to use ldp to remove the deny permission.
If you open ldp connect and bind to your ad
Select tree from the view menu and select you default NC
In the tree pane right click on the root of your domain and select advanced, security descriptor
In the dialog check all nt authority/authenticated users entries to find the deny permission
When you find the offending deny permission, delete it and then update
This worked in my test domain.
Gary.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(118.4, 26%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
just I can say you saved my life. this is very useful
thank you
No worries, consider up voting the post as it will help other find it.
Gary.
Hello @Saeed Abdollahi
You can use CMD as Domain Administrator:
icacls C:\Temp\ACL /T /C /grant DOMAIN\<GroupName>:F
a sequence of simple rights:
N - no access
F - full access
M - modify access
RX - read and execute access
R - read-only access
W - write-only access
D - delete access
Hope this helps with your query,
--If the reply is helpful, please Upvote and Accept as answer--
Hi @Saeed Abdollahi ,
At what OU level in AD did you set the deny permissions, was it at the root of the domain or a lower level?
Have look at the dsacls command to see if you can list the permissions, details here https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)
Gary.
at the root
If you run dsacls to show the permissions, do you get anything, I.e
Dsacls dc=<your domain>,dc=<com>
Are you run ADUC with a user that is a member of domain admins or administrators?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 71%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENS%3C/text%3E%3C/svg%3E)
This helps to resolve error