Windows 10 Get-ACL issue introduced in release 1809?

  • Thread starter: DaveC31
Hi,

It was a little difficult to properly categorize this question (sorry if there's a better forum choice). This post is related to using Get-ACL from a Windows 10 1803 workstation against an Active Directory object hosted in Windows Server. The O/S version on the DC is Windows 2012 R2; the domainMode is 'Windows2008R2Domain' and the forestMode is 'Windows2008R2Forest'.

Some user objects in the forest contain a comma character as part of the CN, and this char gets escaped as usual when identifying the object. Sample DN:

CN=Last\, First,OU=test,dc=domain,dc=org

Up to and including Windows 10 release 1803, we were able to capture/view the ACL on any directory object through the 'ActiveDirectory' provider. For example:

Get-ACL 'AD:\CN=Last\, First,OU=test,dc=domain,dc=org'

The cmdlet above would successfully return an 'ActiveDirectorySecurity' object.

Since the 1809 update, however, the same cmdlet returns this when the object DN contains an escape char:

ErrorCode : 8335
ServerErrorMessage : 0000208F: LdapErr: DSID-0C0907E9, comment: Error processing name, data 0, v2580
Message : The object name has bad syntax
Data : {}
InnerException : System.ServiceModel.FaultException: Active Directory returned an error processing the operation.


If we run the cmdlet against an object which does NOT contain an escaped character it returns successfully.

Was anything introduced in build 1809 which may have caused this?

Thanks,

DaveC
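
Added example, not part of the original post: an offline PowerShell check that the sample DN is well formed under RFC 4514 escaping, which helps separate a malformed name from a change in how the path is handled. The function names Split-DistinguishedName and ConvertFrom-EscapedRdnValue are hypothetical, and the code assumes no multi-valued (+) RDNs and no quoted values; it does not contact a domain controller.

```powershell
# Added example (hypothetical helper names). Splits a DN on unescaped commas only.
function Split-DistinguishedName {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $rdns    = [System.Collections.Generic.List[string]]::new()
    $current = [System.Text.StringBuilder]::new()
    $chars   = $DistinguishedName.ToCharArray()

    for ($i = 0; $i -lt $chars.Length; $i++) {
        $c = $chars[$i]
        if ($c -eq '\') {
            # A backslash escapes the next character; keep the pair verbatim.
            if ($i + 1 -ge $chars.Length) { throw 'Dangling backslash at end of DN' }
            [void]$current.Append($c).Append($chars[$i + 1])
            $i++
        }
        elseif ($c -eq ',') {
            # Unescaped comma: end of the current RDN.
            $rdns.Add($current.ToString())
            [void]$current.Clear()
        }
        else {
            [void]$current.Append($c)
        }
    }
    $rdns.Add($current.ToString())
    return $rdns
}

# Decodes \<char> and single-byte \XX hex escapes in one left-to-right pass.
function ConvertFrom-EscapedRdnValue {
    param([Parameter(Mandatory)][string]$Value)
    [regex]::Replace($Value, '\\(?:([0-9A-Fa-f]{2})|(.))', {
        param($m)
        if ($m.Groups[1].Success) { [string][char][Convert]::ToInt32($m.Groups[1].Value, 16) }
        else { $m.Groups[2].Value }
    })
}

# Sample DN from the post, plus the equivalent hex-escaped form of the comma.
foreach ($dn in 'CN=Last\, First,OU=test,dc=domain,dc=org',
                'CN=Last\2C First,OU=test,dc=domain,dc=org') {
    foreach ($rdn in (Split-DistinguishedName $dn)) {
        $type, $value = $rdn -split '=', 2
        [pscustomobject]@{ Type = $type; Value = ConvertFrom-EscapedRdnValue $value; Raw = $rdn }
    }
}
```

Both forms split into four RDNs with the same decoded CN value, so a "bad syntax" result for one of them points at how the name is passed on rather than at the name itself.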
