Unwanted access control entry after running adprep or domainprep from Windows Server 2016 installation media


Symptom

After you run adprep or domainprep from Windows Server 2016 installation media, there may be an unwanted access control entry (ACE) in the discretionary access control list (DACL) of the targeted domain naming context's security descriptor (SD). The access control entry grants FullControl permission to the Enterprise Key Admins group. The security identifier (SID) of the access control entry is <forest root domain SID>-527.

Note: The SID will only be resolvable after the PDC emulator role is transferred to a Windows Server 2016 domain controller.


More information

This unwanted access control entry should be considered a security risk. We recommend removing this access control entry and adding the following desired access control entry.

This sample code should help you automate removal of the unwanted entry.
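
One way to audit for the entry described under Symptom, and optionally remove it, is sketched below. This is an added example, not Microsoft's sample code referred to above. It assumes the ActiveDirectory PowerShell module, works on the current domain only, and uses a hypothetical `-Remove` switch. It does not add the replacement access control entry, which this page does not reproduce.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the original KB article): report, and optionally
# remove, the explicit FullControl ACE for <forest root domain SID>-527 on
# the current domain's naming context head.
[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
param(
    # Hypothetical switch: without it the script only reports.
    [switch]$Remove
)

# The -527 SID is built from the forest root domain SID, not from the SID of
# the domain being checked.
$rootDomain = (Get-ADForest).RootDomain
$rootSid    = (Get-ADDomain -Identity $rootDomain).DomainSID.Value
$ekaSid     = "${rootSid}-527"

$targetDn = (Get-ADDomain).DistinguishedName
$path     = "AD:\$targetDn"
$acl      = Get-Acl -Path $path

# Explicit (non-inherited) rules only, with identities returned as raw SIDs,
# so the match works even while the SID cannot yet be resolved to a name.
$rules = $acl.GetAccessRules($true, $false,
    [System.Security.Principal.SecurityIdentifier])

$unwanted = @($rules | Where-Object {
    $_.IdentityReference.Value -eq $ekaSid -and
    $_.AccessControlType -eq 'Allow' -and
    $_.ActiveDirectoryRights -eq
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
})

if (-not $unwanted) {
    Write-Output "No explicit FullControl ACE for $ekaSid on $targetDn"
    return
}

# Show what was found before changing anything.
$unwanted | Select-Object IdentityReference, ActiveDirectoryRights,
    InheritanceType, ObjectType

if ($Remove -and
    $PSCmdlet.ShouldProcess($targetDn, "Remove FullControl ACE for $ekaSid")) {
    foreach ($rule in $unwanted) { $acl.RemoveAccessRuleSpecific($rule) }
    Set-Acl -Path $path -AclObject $acl
}
```

Run it once without `-Remove` in each domain where adprep or domainprep was run, and use `-WhatIf` with `-Remove` to preview the change before committing it.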


Keywords: kbsurveynew, Active Directory domain or forest functional level updates

Article Info
Article ID : 4469393
Revision : 17
Created on : 11/9/2018
Published on : 11/9/2018
Exists online : False