
Thursday, October 22, 2015

WARNING: The access control entry defines the ObjectType 'GUID' that can't be resolved.

I am getting the following warning message after upgrading Exchange 2010 to Exchange 2013:


WARNING: The access control entry defines the ObjectType 'GUID' that can't be resolved.

Solution:

1. Finding the Corrupted ObjectType in Exchange 2013.


     Get-AdPermission "dc=example,dc=edu"

     The above command displays the ACL entries for that object, followed by a warning that names the corrupted ObjectType. Sample output is given below:

example.edu     Everyone             True  False
example.edu     Everyone             False False
example.edu     NT AUTHORITY\ENTE... False False
example.edu     NT AUTHORITY\Auth... False False
example.edu     NT AUTHORITY\SYSTEM  False False
example.edu     BUILTIN\Administr... False False
example.edu     S-1-5-32-554         False False
example.edu     S-1-5-32-554         False False 


WARNING: The object example.edu has been corrupted, and it's in an inconsistent state. The following validation happened:
WARNING: The access control entry defines the ObjectType 'acd46e6d7-8d45-4516-a4b3-61c0e509b5be' that can't be resolved..

2. Finding the Corrupted ACL Entry

Import-Module ActiveDirectory   # provides the AD: drive that Get-Acl reads from
Get-Acl "AD:\dc=example,dc=edu" | Select-Object -ExpandProperty Access | Where-Object {$_.ObjectType -eq "acd46e6d7-8d45-4516-a4b3-61c0e509b5be"} | Export-Csv "acl.csv" -NoTypeInformation

"ActiveDirectoryRights","InheritanceType","ObjectType","InheritedObjectType","ObjectFlags","AccessControlType","IdentityReference","IsInherited","InheritanceFlags","PropagationFlags"

"ExtendedRight","All","acd46e6d7-8d45-4516-a4b3-61c0e509b5be","00000000-0000-0000-0000-000000000000","ObjectAceTypePresent","Allow","example\testGroup","False","ContainerInherit","None"


3. Finding the Corresponding Corrupted Permissions

Get-ADPermission "dc=example,dc=edu" | Where-Object {$_.User -like "*testGroup"} | ft identity,user,extendedrights,accessrights

Identity                      User                          ExtendedRights                AccessRights
--------                      ----                          --------------                ------------
example.edu              example\testGroup          {Change Password}  {ExtendedRight}
example.edu              example\testGroup                                           {ExtendedRight}

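The corrupted ACL entry in the example.edu container is the row with an empty ExtendedRights column: the entry is an ExtendedRight, but its ObjectType GUID does not resolve to a right name.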

4. Removing the Corrupted ACL entry in ADUC User Interface.

Log in as a domain admin and remove the ACL entry as follows:

Right-click the example.edu domain --> Properties --> Security --> Advanced --> Select the Corrupted ACL Entry --> Remove

The issue will be resolved after removing the corrupted ACL entry.
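
Steps 1 and 2 can be generalized to list every ACE on the object whose ObjectType GUID matches no schema object or extended right, without first needing the GUID from the warning. This is an added example, not part of the original post: the function name Get-UnresolvedObjectTypeAce is hypothetical, and it assumes the ActiveDirectory module and read access to the schema and configuration partitions.

```powershell
# Added example: read-only audit, makes no changes to the directory.
Import-Module ActiveDirectory

function Get-UnresolvedObjectTypeAce {
    param(
        # Distinguished name to audit; the post's placeholder domain is the default.
        [string]$DistinguishedName = 'dc=example,dc=edu'
    )

    $rootDse = Get-ADRootDSE
    $known   = @{}   # GUID string -> name of the schema object or right

    # Classes and attributes are identified by schemaIDGUID (stored as bytes).
    Get-ADObject -SearchBase $rootDse.schemaNamingContext `
                 -LDAPFilter '(schemaIDGUID=*)' -Properties name, schemaIDGUID |
        ForEach-Object { $known[([guid]$_.schemaIDGUID).ToString()] = $_.name }

    # Extended rights, validated writes and property sets are identified
    # by rightsGuid (stored as text) under CN=Extended-Rights.
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
                 -LDAPFilter '(rightsGuid=*)' -Properties name, rightsGuid |
        ForEach-Object { $known[([guid]$_.rightsGuid).ToString()] = $_.name }

    # An all-zero ObjectType means "applies to everything" and is not an error.
    $empty = [guid]::Empty
    (Get-Acl "AD:\$DistinguishedName").Access |
        Where-Object {
            $_.ObjectType -ne $empty -and
            -not $known.ContainsKey($_.ObjectType.ToString())
        } |
        Select-Object IdentityReference, ActiveDirectoryRights,
                      AccessControlType, ObjectType, IsInherited
}

Get-UnresolvedObjectTypeAce | Format-Table -AutoSize
```

An ACE reported here is a candidate for the removal in step 4. A GUID that Exchange warns about but that is not reported here is defined in the directory.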





8 comments:

  1. Great how-to. After working through the commands it turns out to be "Self" and "Creator Owner". What could that mean?

  2. Yes, mine was self as well. Don't know what to do!

  3. When "Creator Owner" and/or "self" give this error, of course do not delete these. Check Active Directory and see if everything is all right. First fix AD if necessary and then do an iisreset. I had this problem when I had extended the AD schema from 2012 R2 to 2016. iisreset fixed it.

    Replies
    1. Great!! We had the same issue after performing the AD Schema 2016 update.

      Once we performed the IIS reset on all Exchange 2016 servers, the issue was resolved. Thank you :)

    2. Well done Bart - this worked for us too, great shout on the schema extension as cause and a simple fix.

    3. Well done. Hard to find good quality responses these days.

  4. In part 3, how do you tell which record is the corrupted one?

  5. It is important to note that steps 1 and 3 must be run from the Exchange Management Shell, and in step 2 you must import the AD module ("import-module activedirectory") or you will receive a drive letter error.
