Return
-
Title
Inherited Permissions Not Applied When Installation Of Offline Password Reset Create Computer Leaf Object. -
Description
During the installation of Offline Password Reset a Leaf Object is created in Active Directory for the Computer Object but permissions are not inherited. -
Cause
This is by design. The following Enhancement Request as been created to possibly fix this in a future release of Password Manager:
TF00790189: Permission Inheritance not enabled when creating Leaf Objects.
-
Resolution
WORKAROUND
Run this script on a machine where Active Directory PowerShell is installed, under the security context of a Domain Administrator:
$domainDN = "DC=domain,DC=local" #Change this to match the Domain DN of the environment where the script will be runforEach($object in (Get-ADObject -SearchBase $domainDN -Filter {(objectClass -eq "msDS-AppData") -AND (name -eq 'PasswordManager')} -Properties distinguishedName,nTSecurityDescriptor | ?{ $_.nTSecurityDescriptor.AreAccessRulesProtected -eq "True" })){$object.nTSecurityDescriptor.SetAccessRuleProtection($FALSE, $TRUE)Set-ADObject $object -Replace @{ntSecurityDescriptor = $object.ntSecurityDescriptor}}Running this script once will enable inheritance for all of these Password Manager leaf objects currently in the environment. These objects are periodically refreshed, so this script must be run regularly in a Windows Scheduled Task. -
Change Request
TF00790189