Q. When you use the Dsrevoke tool in a Windows Server 2003 domain it does not return all the ACEs on all the OUs?

When you run Dsrevoke /report or dsrevoke /report /root on a Windows Server 2003 domain controller in a Windows Server 2003 domain, the tool may not report all the the permission ACEs (Access Control Entries) that are specified on all the OUs (Organizational Units).

This behavior will occur if the number of OUs in the domain is greater than the MaxPageSize setting.

NOTE: MaxPageSize is the number of responses to an LDAP query and defaults to 1000.

Since OUs are arranged according to their creation dates, the OUs added last are missing or have missing ACEs.

NOTE: If there are no ACEs specified in the first MaxPageSize OUs, you receive:

No ACEs for <domain\principalname>

NOTE: If an Organizational Unit contains the / character, it is not reported and you receive:

Error occurred in finding ACEs


Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish