Security Settings in Active Directory


Mike Flemming

Hi,

I have recently inherited a very poorly configured Windows 2000 network. The
previous administrator didn't know what he was doing and has completely
shafted the permissions in Active Directory. I know this is the case because
when I right click certain users/objects and click on the Security Tab, I
can see inherited permissions is no longer ticked.

The ideal solution would be to start from scratch but alas this is not
possible so I need to find some way of resetting active directory back to
its default permissions.

Is there any way with script or any other means I can restore default
settings to AD?

Hope you can help.

tia
 
DSACLS.EXE has the ability to reset ACLs to the default.
You can also use the C:\winnt\security\templates. You can
use the secedit command to reapply these security
templates and this will help reset the file system and
registry back to a known state on your DCs.
 
Note that certain objects are supposed to not have inheritance. Specifically admin IDs and other IDs with enhanced
native rights.
 
I see, where are the user-rights inherited from in the first place?


Joe Richards said:
Note that certain objects are supposed to not have inheritance.
Specifically admin IDs and other IDs with enhanced
 
Permissions on user objects initially come from the schema. There is a default SD defined for every object. Doing a
schema reset through dsacls will take an object back to the schema default. Now if the object is something that is
controlled by the AdminSDHolder functionality (high native rights accounts or those that were previously) then once an
hour, their ACLs will get updated. See AdminSDHolder on the MSKB site for that functionality description.

--
Joe Richards
www.joeware.net
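
Added example, not part of the original thread: a read-only PowerShell audit that lists user objects with inheritance switched off and separates the accounts AdminSDHolder is expected to protect from the ones worth reviewing before any schema-default reset. It assumes a domain-joined management workstation with PowerShell 3 or later and read access to the objects' security descriptors; using the `adminCount` attribute as the AdminSDHolder marker is this example's choice.

```powershell
# Added example: read-only audit, nothing in the directory is changed.
# Assumes a domain-joined workstation and an account allowed to read
# security descriptors on user objects.

$searcher = [adsisearcher]'(&(objectCategory=person)(objectClass=user))'
$searcher.PageSize = 500                      # page through large domains
[void]$searcher.PropertiesToLoad.Add('distinguishedName')
[void]$searcher.PropertiesToLoad.Add('adminCount')

$results = $searcher.FindAll()
$report = foreach ($result in $results) {
    $entry = $result.GetDirectoryEntry()
    try {
        # True when the "inherit permissions from parent" box is unticked
        if (-not $entry.ObjectSecurity.AreAccessRulesProtected) { continue }

        # adminCount = 1 marks accounts AdminSDHolder manages, or once managed
        $adminCount = 0
        if ($result.Properties['admincount'].Count -gt 0) {
            $adminCount = $result.Properties['admincount'][0]
        }

        [pscustomobject]@{
            DistinguishedName = [string]$result.Properties['distinguishedname'][0]
            AdminCount        = $adminCount
            Assessment        = if ($adminCount -eq 1) {
                'Expected: AdminSDHolder-managed (now or previously)'
            } else {
                'Review: inheritance disabled by hand'
            }
        }
    }
    finally { $entry.Dispose() }
}
$results.Dispose()

# Objects marked "Review" are the candidates for the dsacls schema-default
# reset discussed above (dsacls "<object DN>" /S), checked one at a time.
$report | Sort-Object Assessment, DistinguishedName | Format-Table -AutoSize
```

Accounts that left a privileged group keep `adminCount = 1`, so rows marked "Expected" still need a membership check before they are treated as legitimately protected.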
 