I’ve been working with Dsacls (Directory Services Access Control Lists) recently as part of a project to enable permissions for a custom app which will synchronise an HR system with Active Directory. To ensure safe testing we cloned a DC and the application server which will run the code into an isolated network which could only be accessed via RDP from a specific administration server.
My dsacls.exe work was therefore done directly on the cloned domain controller, typically from a non-elevated command prompt. This worked perfectly fine for the majority of the commands I executed until I came across one which kept presenting an access denied error, as detailed below.
```
C:\>dsacls.exe "OU=*****DC=*****,DC=*****,DC=uk" /I:S /G "*****\*****.adsync:GA;;user"
Specified operation failed with ldap error:
00000005: SecErr: DSID-03152612, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
Access is denied.
The command failed to complete successfully.
```
This at first seemed strange – I was running as an enterprise administrator so I figured it was unlikely to be a directory services permission issue even though the error gives the impression it is. I figured it was worth running the commands in an elevated command prompt (Run as Administrator) and lo and behold it worked.
If I understand correctly, the issue is that if you are a member of special restricted groups (such as Domain Admins or Enterprise Admins), those group memberships are blocked from your access token. To leverage those group membership permissions you still need to run an elevated command prompt. The Sysinternals tool Process Explorer allows us to visualise this by looking at the Security tab and the flags for our group membership, as shown below.
First, we review the settings in a non-elevated command prompt, where we can see the deny against our Domain Admins and Enterprise Admins groups.
Next, if we review an elevated command prompt, we see that both Domain Admins and Enterprise Admins are no longer denied.
If you find yourself running Dsacls and encounter a similar problem be sure to check you are executing the troublesome command in an elevated prompt. In my case the command which required elevation is shown both in the code block and screenshot but also below for reference, though quite heavily redacted.
- dsacls.exe "OU=*****DC=*****,DC=*****,DC=uk" /I:S /G "domainName\user.adsync:GA;;user"
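As an added example (not part of the original post), the following PowerShell performs the same token inspection that Process Explorer's Security tab shows, listing the groups UAC has marked deny-only, and only runs the dsacls grant from an elevated token so the INSUFF_ACCESS_RIGHTS failure above is caught before it happens. The OU distinguished name and service account names are placeholders.

```powershell
# Added example, not the original post's code. The OU DN and trustee below are placeholders.

function Get-DenyOnlyGroups {
    # whoami /groups reports "Group used for deny only" for the SIDs that UAC
    # filters out of a non-elevated token, e.g. Domain Admins (RID 512) and
    # Enterprise Admins (RID 519). This mirrors the "Deny" flag in Process Explorer.
    whoami /groups /fo csv | ConvertFrom-Csv |
        Where-Object { $_.Attributes -match 'deny only' } |
        Select-Object 'Group Name', SID
}

function Test-ElevatedToken {
    # IsInRole(Administrator) is $false in a filtered token even for an enterprise
    # admin, because the admin SIDs are present only as deny-only entries.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Invoke-DsaclsGrant {
    param(
        [Parameter(Mandatory)][string]$ObjectDN,   # placeholder, e.g. 'OU=Staff,DC=example,DC=uk'
        [Parameter(Mandatory)][string]$Trustee,    # placeholder, e.g. 'EXAMPLE\svc.adsync'
        [string]$Rights = 'GA',                    # GA = generic all, as in the post
        [string]$InheritedObjectType = 'user'      # scope the inherited ACE to user objects
    )
    if (-not (Test-ElevatedToken)) {
        Write-Warning 'Not elevated: admin groups are deny-only in this token, so'
        Write-Warning 'dsacls will fail with INSUFF_ACCESS_RIGHTS. Deny-only groups:'
        Get-DenyOnlyGroups | Format-Table -AutoSize | Out-String | Write-Warning
        return $false
    }
    # /I:S = inherit to this object's sub-objects only; same shape as the post's command.
    & dsacls.exe $ObjectDN /I:S /G "$Trustee`:$Rights;;$InheritedObjectType"
    return ($LASTEXITCODE -eq 0)
}

# Usage (placeholders): run from an elevated prompt on the DC.
# Invoke-DsaclsGrant -ObjectDN 'OU=Staff,DC=example,DC=uk' -Trustee 'EXAMPLE\svc.adsync'
```

From a non-elevated prompt the function lists the deny-only groups and returns `$false` without touching the directory; from an elevated prompt it runs dsacls and returns whether the exit code was zero.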
If you’re interested in Dsacls these Microsoft links should prove helpful –