Hi,
Thanks for the update. I may need some time to research it; I will update here as soon as progress is made.
Thank you for your understanding and support.
Best wishes
Vicky
AD LDS: Constraint Violation error when trying to change owner information of the security descriptor of some object in the directory
Hello everyone,
Maybe someone can help me understand. I created a new AD LDS instance using the adaminstall wizard and specified group D1 as the group that has administrative privileges for the instance.
After that I connect to my new instance using ldp.exe and bind as user userd1, who is a member of the D1 group. I should add that userd1 has no special rights on the local machine where I created the AD LDS instance; it is just an ordinary domain user.
Now I try to update the owner information (e.g. right-click CN=Configuration -> Advanced -> Security Descriptor -> tick only the Update: Owner check box and click Update) of any object in the directory and get the following error in return:
ldap_modify_ext_s(ld, 'CN=Configuration,CN={C47F44A6-81EA-40EC-A228-E08714402D1C}', attrs, SvrCtrls, ClntCtrls);
Error: Modify: Constraint Violation. <19>
Server error: 0000051B: AtrErr: DSID-030F1F8D, #1:
0: 0000051B: DSID-030F1F8D, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 20119 (nTSecurityDescriptor)
Error 0x51B This security ID may not be assigned as the owner of this object.
After some trial and error, I found that if I give userd1 the SeRestorePrivilege privilege (or just add the user to the local Administrators group) on the local machine, I can successfully update the owner information of any object in the directory.
Therefore, my questions are:
1) Why does userd1 have to have any additional rights on the local machine in order to change the owner information of objects in the AD LDS directory? Why is it not enough to be a member of the administrators group of that AD LDS instance? Administrators have full control of objects in the directory, including the WRITE_OWNER right.
2) Is there a way to update owner information without adding the user to the local Administrators group or giving him the "Restore files or directories" privilege on the local machine?
4 answers
Vicky Wang 2,646 Reputation points
2020-12-03T09:21:17.933+00:00
Vicky Wang 2,646 Reputation points
2020-12-01T09:29:01.19+00:00
Hi,
Are you trying to use Group Policy to set up its Folder Redirection component?
Group Policy has an option to set up the Folder Redirection component as Basic, Advanced, or None. On the Target tab, if you click the Basic setting and then, under Settings, select the "Grant the user exclusive rights to <folder name>" check box, the Folder Redirection component is unsuccessful and event messages can be displayed.
To resolve this problem:
- Load the appropriate Group Policy from the domain.
- Click User Configuration, click Windows Settings, and then click Folder Redirection.
- Right-click the appropriate Folder Redirection component, and then click Properties.
- Click the Basic setting on the Target tab, and then, under Settings, clear the "Grant the user exclusive rights to <folder name>" check box.
- Save the settings, and then quit.
For more information, please refer to http://support.microsoft.com/kb/291087
If this does not address the problem, please check if there is any relevant error in event log.
Regards,
Vicky
ft 1 Reputation point
2020-12-01T13:29:17.773+00:00 Hi @Vicky Wang!
Thank you for the answer, but unfortunately it does not address my problem. I was not talking about folder redirection; I was talking about AD LDS (Active Directory Lightweight Directory Services). I'll add some screenshots to better explain what I am trying to do.
Firstly, I use the Adaminstall wizard (found at Windows\ADAM\adaminstall.exe) to create a new AD LDS instance and set group D1 to administer this AD LDS instance:
Then I connect to my newly created AD LDS instance using ldp.exe and bind as userd1, who belongs to the D1 group and thus has administrative rights over the objects in this directory.
Now I try to update the owner information in the security descriptor of an object in the directory. For example, let's take the root CN=Configuration,CN=... object.
If I click Update now, I get this error:
But if I give userd1 the "Restore files or directories" privilege on the local machine,
then everything works fine, no errors popping up.
So, the two questions that I have are:
1) Why is it not enough to be an administrator of AD LDS to be able to change owner information? I can see that administrators have full control over the objects in the directory, but still this mysterious "Constraint Violation" appears.
2) I would like to avoid giving the "Restore files or directories" privilege to userd1 on the machine running the AD LDS instance, but still be able to change the owner information of objects in the directory using this user. Is there a way?
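The following PowerShell script is an added example and is not code from the thread or from Microsoft; it reproduces, without ldp.exe, the owner-only write of nTSecurityDescriptor that the question and this reply describe, so the two outcomes can be compared from the command line. It binds to the AD LDS instance as the current Windows user (run it under userd1 with runas), reports whether that token holds SeRestorePrivilege, reads the current owner of the target object with the LDAP_SERVER_SD_FLAGS_OID control, and then tries to write a new owner with the same control. The host:port in $Server and the -NewOwnerSid parameter are assumptions; the target DN is the one from the error output in the question. Writing the caller's own SID as owner is the case Windows allows with plain WRITE_OWNER; writing any other SID is the case that, as the thread reports, needs SeRestorePrivilege on the machine and otherwise fails with result code 0000051B.

```powershell
using namespace System.DirectoryServices.Protocols
using namespace System.Security.AccessControl
using namespace System.Security.Principal

# Added example, not part of the original thread.
# Usage:  .\Set-AdLdsOwner.ps1 -Server 'ldshost:50000'                 (owner := caller's SID)
#         .\Set-AdLdsOwner.ps1 -Server 'ldshost:50000' -NewOwnerSid 'S-1-5-21-...'  (owner := other SID)
param(
    [string]$Server = 'localhost:389',   # assumption: host:port of the AD LDS instance
    [string]$Target = 'CN=Configuration,CN={C47F44A6-81EA-40EC-A228-E08714402D1C}',  # DN from the question
    [string]$NewOwnerSid = ''            # assumption: empty means "use the caller's own SID"
)

Add-Type -AssemblyName System.DirectoryServices.Protocols

# 1. Does the calling token hold SeRestorePrivilege? It appears in whoami /priv only
#    when the account has "Restore files or directories" (or is a local administrator).
$restore = whoami /priv /fo csv | ConvertFrom-Csv |
    Where-Object { $_.'Privilege Name' -eq 'SeRestorePrivilege' }
Write-Host ("SeRestorePrivilege present in token: {0}" -f [bool]$restore)

$me    = [WindowsIdentity]::GetCurrent().User
$owner = if ($NewOwnerSid) { [SecurityIdentifier]::new($NewOwnerSid) } else { $me }

# 2. Bind with the current Windows credentials (Negotiate), as ldp.exe does by default.
$conn = [LdapConnection]::new($Server)
$conn.SessionOptions.ProtocolVersion = 3
$conn.AuthType = [AuthType]::Negotiate
$conn.Bind()

# LDAP_SERVER_SD_FLAGS_OID with OWNER only: both the read and the write touch just
# the owner part of the security descriptor, exactly like "Update: Owner" in ldp.exe.
$ownerOnly = [SecurityDescriptorFlagControl]::new([SecurityMasks]::Owner)

# 3. Read the current owner.
$search = [SearchRequest]::new($Target, '(objectClass=*)', [SearchScope]::Base, 'nTSecurityDescriptor')
[void]$search.Controls.Add($ownerOnly)
$entry   = $conn.SendRequest($search).Entries[0]
$sdBytes = [byte[]]$entry.Attributes['nTSecurityDescriptor'].GetValues([byte[]])[0]
$sd      = [RawSecurityDescriptor]::new($sdBytes, 0)
Write-Host ("Current owner of {0}: {1}" -f $Target, $sd.Owner)

# 4. Write back a self-relative SD carrying the new owner; the control limits the
#    modify to the owner, so the DACL/SACL/group parts of $sd are ignored by the server.
$sd.Owner = $owner
$out = New-Object byte[] ($sd.BinaryLength)
$sd.GetBinaryForm($out, 0)

$mod = [DirectoryAttributeModification]::new()
$mod.Name      = 'nTSecurityDescriptor'
$mod.Operation = [DirectoryAttributeOperation]::Replace
[void]$mod.Add($out)
$modify = [ModifyRequest]::new($Target, $mod)
[void]$modify.Controls.Add($ownerOnly)

try {
    [void]$conn.SendRequest($modify)
    Write-Host ("Owner of {0} set to {1}" -f $Target, $owner)
} catch [DirectoryOperationException] {
    # The failure from the thread shows up here as ResultCode ConstraintViolation and an
    # ErrorMessage beginning "0000051B" (ERROR_INVALID_OWNER): the server will not assign
    # a SID that the caller is not allowed to become the owner of.
    $resp = $_.Exception.Response
    Write-Host ("Modify failed: {0} - {1}" -f $resp.ResultCode, $resp.ErrorMessage)
}
```

Run it twice under the same account, once without -NewOwnerSid and once with some other SID, and compare the result of step 4 against the SeRestorePrivilege line from step 1; then repeat after granting "Restore files or directories" to the account, as the question describes.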
HT IT Coordinator 1 Reputation point
2022-04-22T20:05:54.42+00:00 well, that went well.....
....