Hi,
I'm trying to manage OU permission using powershell, I have $ace object created using following command:
$ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule ($OUAdminsSID,"CreateChild,DeleteChild","Allow",,"All")
The result seems correct:
ActiveDirectoryRights: CreateChild, DeleteChild
InheritanceType: All
ObjectType: 00000000-0000-0000-0000-000000000000
InheritedObjectType: 00000000-0000-0000-0000-000000000000
ObjectFlags: None
AccessControlType: Allow
IdentityReference: S-1-5-21-XXXXXXXXX-XXXXXXXXXX-725345543-533952
IsInherited: False
InheritanceFlags: ContainerInherit
PropagationFlags: None
however following command result in error:
Exception calling "CommitChanges" with "0" argument(s): "A constraint violation occurred.$ADSI.psbase.ObjectSecurity.AddAccessRule($ACE)
$ADSI.psbase.commitchanges()
"
At line:1 char:1
+ $ADSI.psbase.commitchanges()
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : DotNetMethodException
Now the funny part: this problem occurs only in of our AD domains, it works fine in two others. And also this commands works just fine:
dsacls "OU=Country,OU=Countries,DC=Domain,Dc=COM" /G domain\superuser:CCDC /I:T
