AD LDS: Constraint Violation error when trying to change owner information of the security descriptor of some object in the directory

ft 1 Reputation point
2020-11-30T11:27:05.48+00:00

Hello everyone,
Maybe someone can help me understand. I create a new AD LDS instance using the adaminstall wizard and specify group D1 as the group that has administrative privileges for the instance.
After that I connect to my new instance using ldp.exe and bind as user userd1, who is a member of the D1 group. Here I need to say that userd1 has no special rights on the local machine where I created the AD LDS instance; it's just an ordinary domain user.

Now I try to update owner information (e.g. right click on CN=Configuration -> Advanced -> Security Descriptor -> just mark Update: Owner check box and click Update) of any object in the directory and get the following error in return:

ldap_modify_ext_s(ld, 'CN=Configuration,CN={C47F44A6-81EA-40EC-A228-E08714402D1C}', attrs, SvrCtrls, ClntCtrls);
Error: Modify: Constraint Violation. <19>
Server error: 0000051B: AtrErr: DSID-030F1F8D, #1:
0: 0000051B: DSID-030F1F8D, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 20119 (nTSecurityDescriptor)
Error 0x51B This security ID may not be assigned as the owner of this object.

After some trial and error, I found out that if I give userd1 SeRestorePrivilege privilege (or just add the user to Local Administrators group) on the local machine then I can successfully update owner information of any object in the directory.

Therefore, my questions are:

  1. Why does userd1 have to have any additional rights on the local machine in order to change owner information of objects in the AD LDS directory? Why is it not enough to be a member of the administrators group of that AD LDS instance? Administrators have full control of objects in the directory, including the WRITE_OWNER right.

  2. Is there a way to update owner information without adding the user to the Local Administrators group or giving him the "Restore files or directories" privilege on the local machine?
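The "Update: Owner" operation in ldp.exe sends a self-relative nTSecurityDescriptor that contains only the owner SID (the SD-flags control tells the server to touch just that part). The following is an added example, not code from the original post: it builds and parses that blob and decodes the ldp "Server error" line quoted above; all SIDs are constructed sample values.

```python
import re
import struct
from typing import Optional, Tuple

SE_SELF_RELATIVE = 0x8000           # Control bit set on every descriptor sent over LDAP
OWNER_SECURITY_INFORMATION = 0x1    # SD-flags control value: "only the owner part is present"
ERROR_INVALID_OWNER = 0x51B         # Win32 1307, the code quoted in the server error above

def sid_to_bytes(sid: str) -> bytes:
    """Encode 'S-1-5-21-...' into the binary SID layout embedded in a descriptor."""
    parts = sid.split("-")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

def bytes_to_sid(buf: bytes, off: int) -> str:
    """Decode a binary SID starting at offset off back to its string form."""
    revision, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def build_sd(owner: str, group: Optional[str] = None) -> bytes:
    """Self-relative descriptor with owner (optionally group) and no ACLs: the
    payload an owner-only update carries when the SD-flags control is 0x1."""
    owner_b = sid_to_bytes(owner)
    group_b = sid_to_bytes(group) if group else b""
    off_owner = 20                                   # fixed header is 20 bytes
    off_group = off_owner + len(owner_b) if group else 0
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE, off_owner, off_group, 0, 0)
    return header + owner_b + group_b

def parse_owner_group(sd: bytes) -> Tuple[Optional[str], Optional[str]]:
    """Return (owner, group) from a SECURITY_DESCRIPTOR_RELATIVE blob; None if absent."""
    revision, _sbz1, control, off_owner, off_group, _sacl, _dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if revision != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a revision-1 self-relative security descriptor")
    owner = bytes_to_sid(sd, off_owner) if off_owner else None
    group = bytes_to_sid(sd, off_group) if off_group else None
    return owner, group

SERVER_ERROR_RE = re.compile(
    r"(?P<win32>[0-9A-Fa-f]{8}): DSID-\w+, problem (?P<problem>\d+) \((?P<name>\w+)\),"
    r" data \d+, Att (?P<att>\w+) \((?P<attr>\w+)\)")

def decode_server_error(line: str) -> dict:
    """Pick the Win32 code, DS problem and attribute out of an ldp 'Server error' line."""
    m = SERVER_ERROR_RE.search(line)
    if not m:
        raise ValueError("unrecognised server error line")
    return {"win32": int(m["win32"], 16), "problem": int(m["problem"]),
            "name": m["name"], "attribute": m["attr"]}
```

Decoding the quoted line yields Win32 code 1307 (ERROR_INVALID_OWNER) on attribute nTSecurityDescriptor, which is the server rejecting the owner SID rather than a malformed descriptor.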


4 answers

  1. Vicky Wang 2,646 Reputation points
    2020-12-03T09:21:17.933+00:00

    Hi,
    Thanks for the update. I may need some time to research it; I will update here as soon as progress is made.
    Thank you for your understanding and support.
    Best wishes
    Vicky

    1 person found this answer helpful.

  2. Vicky Wang 2,646 Reputation points
    2020-12-01T09:29:01.19+00:00

    Hi,

    Are you trying to use Group Policy to set up its Folder Redirection component?

    Group Policy has an option to set up the Folder Redirection component as Basic, Advanced, or None. On the Target tab, if you click the Basic setting, and then under Settings, you click to select the Grant the user exclusive rights to the folder name check box, the Folder Redirection component is unsuccessful and event messages can be displayed.

    To resolve this problem:

    1. Load the appropriate Group Policy from the domain.
    2. Click User Configuration, click Windows Setting, and then click Folder Redirection.
    3. Right-click the appropriate Folder Redirection component, and then click Properties.
    4. Click the Basic setting in the Target tab, and then under Settings, click to clear the Grant the user exclusive rights to the folder name check box.
    5. Save the settings, and then quit.

    For more information, please refer to http://support.microsoft.com/kb/291087

    If this does not address the problem, please check if there is any relevant error in event log.

    Regards,
    Vicky


  3. ft 1 Reputation point
    2020-12-01T13:29:17.773+00:00

    Hi @Vicky Wang !
    Thank you for the answer but unfortunately it does not address my problem. I was not talking about folder redirection; I was talking about AD LDS (Active Directory Lightweight Directory Services).

    I'll add some screenshots to better explain what I am trying to do.

    Firstly, I use the Adaminstall Wizard (found at Windows\ADAM\adaminstall.exe) to create a new AD LDS instance and set group D1 to administer this AD LDS instance:


    Then I connect to my newly created AD LDS instance using ldp.exe and bind as userd1, which belongs to the D1 group and thus has administrative rights for objects in this directory.


    Now I try to update the owner information of the security descriptor of an object in the directory. For example, let's take the root CN=Configuration,CN=... object.

    If I click Update now, I get this error:


    But if I give userd1 the "Restore files or directories" privilege on the local machine,

    then everything works fine, no errors popping up.

    So, the two questions that I have are:

    1. Why is it not enough to be an administrator of AD LDS to be able to change owner information? I can see that administrators have full control over the objects in the directory, but still this mysterious "Constraint Violation" appears.


    2. I would like to avoid giving the "Restore files or directories" privilege to userd1 on the machine running the AD LDS instance, but still be able to change owner information of objects in the directory using this user. Is there a way?


  4. HT IT Coordinator 1 Reputation point
    2022-04-22T20:05:54.42+00:00

    well, that went well.....
    ....
