• State Not Answered
  • Locked Locked
  • Replies 0 replies
  • Subscribers 20 subscribers
  • Views 2273 views
  • Users 0 members are here
Options
Related
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

The DACL was changed for the group object CN=Schema Admins . . .

david.werner
over 5 years ago

Hi,

Environment:

Change Auditor 6.9.1 / Build 3131

Change Auditor Active Directory

Domain function level: Windows 2012R2

I see the following events in Change Auditor:

The DACL was changed for the group object CN=Schema Admins . .

The event states is tries to change the permissions on this object:

Changes: Operation Type Account Permission Scope Condition
Permission Removed Allow Pre-Windows 2000 Compatible Access Read Account Restrictions This object only 
Permission Removed Allow Pre-Windows 2000 Compatible Access Read Account Restrictions This object only 
Permission Removed Allow Pre-Windows 2000 Compatible Access Read Logon Information This object only 
Permission Removed Allow Pre-Windows 2000 Compatible Access Read Logon Information This object only 
Permission Removed Allow Pre-Windows 2000 Compatible Access Read Group Membership This object only 
Permission Removed Allow Pre-Windows 2000 Compatible Access Read Group Membership This object only 
Permission Removed Allow  Change Password This object and all child objects 
Permission Removed Allow  Read Exchange Personal Information This object and all child objects 
Permission Removed Allow  Read canonicalName This object and all child objects 
Permission Removed Allow  Read userAccountControl This object and all child objects 
Permission Removed Allow  Read Exchange Information This object and all child objects 
Permission Removed Allow  Read memberOf This object and all child objects 
Permission Removed Allow  Read garbageCollPeriod This object and all child objects 
Permission Removed Allow  Write proxyAddresses This object and all child objects 
Permission Removed Allow  Write showInAddressBook This object and all child objects 
Permission Removed Allow  Write Exchange Personal Information This object and all child objects 
Permission Removed Allow  Write adminDisplayName This object and all child objects 
Permission Removed Allow  Write groupType This object and all child objects 
Permission Removed Allow  Write msExchMailboxSecurityDescriptor This object and all child objects 
Permission Removed Allow  Write msExchUMServerWritableFlags This object and all child objects 
Permission Removed Allow  Write displayName This object and all child objects 
Permission Removed Allow  Write msExchUserCulture This object and all child objects 
Permission Removed Allow  Write displayNamePrintable This object and all child objects 
Permission Removed Allow  Write mail This object and all child objects 
Permission Removed Allow  Write msExchMobileMailboxFlags This object and all child objects 
Permission Removed Allow  Write userCertificate This object and all child objects 
Permission Removed Allow  Write textEncodedORAddress This object and all child objects 
Permission Removed Allow  Write Exchange Information This object and all child objects 
Permission Removed Allow  Write publicDelegates This object and all child objects 
Permission Removed Allow  Write publicDelegates This object and all child objects 
Permission Removed Allow  Write msExchUMSpokenName This object and all child objects 
Permission Removed Allow  Write garbageCollPeriod This object and all child objects 
Permission Removed Allow  Write msExchUMPinChecksum This object and all child objects 
Permission Removed Allow  Write legacyExchangeDN This object and all child objects 
Permission Removed Allow  Full control This object and all child objects 
Permission Removed Allow  Modify Permissions group objects 
Permission Removed Allow Pre-Windows 2000 Compatible Access Read All Properties + List Object + List Contents + Read Permissions This object only 
Permission Removed Allow Pre-Windows 2000 Compatible Access Read All Properties + List Object + List Contents + Read Permissions This object only 
Permission Removed Allow  Read All Properties + List Object + List Contents + Read Permissions This object and all child objects 
Permission Added Allow Pre-Windows 2000 Compatible Access Read All Properties + List Object + List Contents + Read Permissions This object only 

Schema Admins is protected in Change Auditor, so the changes were not successful.

My question is, where are these permissions coming from that Change Auditor thinks it needs to change them?

David