To start, one question: what is a canonical DACL?
Command used (all on one line in CMD): the following command gives the users/groups mentioned in the command all Generic Access, which is equivalent to FULL CONTROL
C:\>FOR /F "tokens=* usebackq" %i in (`dsquery computer "OU=Comps,dc=Testdom,dc=com"`) DO dsacls %i /N /I:S /P:Y /G Testdom\administrator:GRGEGWGA "NT AUTHORITY\SYSTEM":GRGEGWGA "NT AUTHORITY\Enterprise Domain Controllers":GRGEGWGA "NT AUTHORITY\SELF":GRGEGWGA "Testdom\Enterprise Admins":GRGEGWGA
C:\>dsacls "CN=TestTETestCL01,OU=Comps,DC=Testdom,DC=com" /N /I:S /P:Y /G Testdom\administrator:GRGEGWGA "NT AUTHORITY\SYSTEM":GRGEGWGA "NT AUTHORITY\Enterprise Domain Controllers":GRGEGWGA "NT AUTHORITY\SELF":GRGEGWGA "Testdom\Enterprise Admins":GRGEGWGA
Owner: Testdom\Domain Admins
Group: Testdom\Domain Admins
Access list:
{This object is protected from inheriting permissions from the parent}
Permissions inherited to subobjects are:
Inherited to all subobjects
Allow Testdom\Enterprise Admins FULL CONTROL
Allow Testdom\Administrator FULL CONTROL
Allow NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
FULL CONTROL
Allow NT AUTHORITY\SELF FULL CONTROL
Allow NT AUTHORITY\SYSTEM FULL CONTROL
The command completed successfully
And the following command gives the users/groups mentioned in the command all Special Permissions, Control Access..
Just to check and confirm if this makes any difference,
C:\>FOR /F "tokens=* usebackq" %i in (`dsquery computer "OU=Comps,dc=Testdom,dc=com"`) DO dsacls %i /N /I:S /P:Y /G stTestdom\administrator:SDDTRCWDWOLCCCDCWSRPWPCALO;;Computer "NT AUTHORITY\SYSTEM":SDDTRCWDWOLCCCDCWSRPWPCALO;;Computer "NT AUTHORITY\Enterprise Domain Controllers":SDDTRCWDWOLCCCDCWSRPWPCALO;;Computer "NT AUTHORITY\SELF":SDDTRCWDWOLCCCDCWSRPWPCALO;;Computer "Testdom\Enterprise Admins":SDDTRCWDWOLCCCDCWSRPWPCALO;;Computer
C:\>dsacls "CN=TestTETestCL01,OU=Comps,DC=Testdom,DC=com" /N /I:S /P:Y /G Testdom\administrator:SDDTRCWDWOLCCCDCWSRPWPCALO;;Computer "NT AUTHORITY\SYSTEM":SDDTRCWDWOLCCCDCWSRPWPCALO;;Computer "NT AUTHORITY\Enterprise Domain Controllers":SDDTRCWDWOLCCCDCWSRPWPCALO;;Computer "NT AUTHORITY\SELF":SDDTRCWDWOLCCCDCWSRPWPCALO;;Computer "Testdom\Enterprise Admins":SDDTRCWDWOLCCCDCWSRPWPCALO;;Computer
Owner: Testdom\Domain Admins
Group: Testdom\Domain Admins
Access list:
{This object is protected from inheriting permissions from the parent}
Permissions inherited to subobjects are:
Inherited to computer
Allow NT AUTHORITY\SYSTEM FULL CONTROL
Allow NT AUTHORITY\SELF FULL CONTROL
Allow NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
FULL CONTROL
Allow Testdom\Administrator FULL CONTROL
Allow Testdom\Enterprise Admins FULL CONTROL
The command completed successfully
C:\>
Also, once I reset, or for that matter just check a new property, either for Allow or Deny,
or just uncheck and recheck any property using the ADUC GUI, the object is shown as Computer and not as "UNKNOWN" any more.
Also, once the switch /P:N/Y is not used, the object stays as known,
and the object is displayed as Computer with no issues. However, my requirement is to disable inheritance on the computer objects, and using /P:Y for protection and disabling inheritance causes the object to change into an UNKNOWN object....
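
Added example (not part of the original post): a decoder for the two /G permission strings used above, showing why dsacls reports FULL CONTROL for both. The function names are hypothetical; the bit values and the generic-right mapping are the standard Active Directory access-mask values (ADS_RIGHTS_ENUM), not taken from the post.

```python
# Added example: decode dsacls /G grant arguments into an AD access mask.
# Two-letter codes are the ones dsacls accepts; values are ADS_RIGHTS_ENUM bits.
SPECIFIC = {
    "CC": 0x00001, "DC": 0x00002, "LC": 0x00004, "WS": 0x00008,
    "RP": 0x00010, "WP": 0x00020, "DT": 0x00040, "LO": 0x00080,
    "CA": 0x00100, "SD": 0x10000, "RC": 0x20000, "WD": 0x40000,
    "WO": 0x80000,
}
# How Active Directory maps each generic right onto the specific bits above.
GENERIC = {
    "GR": 0x20094,  # RC | LC | RP | LO
    "GW": 0x20028,  # RC | WS | WP
    "GE": 0x20004,  # RC | LC
    "GA": 0xF01FF,  # every bit in SPECIFIC
}
FULL_CONTROL = 0xF01FF

def parse_grant(arg):
    """Split 'trustee:perms[;object/property][;inherited object type]'."""
    trustee, _, rest = arg.rpartition(":")
    perms, obj, inherited_type = (rest.split(";") + ["", ""])[:3]
    return trustee.strip('"'), perms, obj, inherited_type

def effective_mask(perms):
    """OR together the rights named by a run of two-letter codes."""
    if len(perms) % 2:
        raise ValueError(f"odd-length permission string: {perms!r}")
    mask = 0
    for i in range(0, len(perms), 2):
        code = perms[i:i + 2].upper()
        if code in GENERIC:
            mask |= GENERIC[code]
        elif code in SPECIFIC:
            mask |= SPECIFIC[code]
        else:
            raise ValueError(f"unknown dsacls permission code: {code!r}")
    return mask

def describe(arg):
    """Summarise one /G argument: who, which mask, and what it applies to."""
    trustee, perms, _obj, inherited_type = parse_grant(arg)
    mask = effective_mask(perms)
    return {"trustee": trustee, "mask": mask,
            "full_control": mask == FULL_CONTROL,
            "inherited_type": inherited_type}

if __name__ == "__main__":
    # The two grant forms from the post, for the same trustee.
    for g in (r'"NT AUTHORITY\SELF":GRGEGWGA',
              r'"NT AUTHORITY\SELF":SDDTRCWDWOLCCCDCWSRPWPCALO;;Computer'):
        print(describe(g))
```

Both forms resolve to the same mask, 0xF01FF; the only difference the decoder reports is the inherited object type, which matches the "Inherited to all subobjects" versus "Inherited to computer" lines in the two outputs.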