Microsoft KB Archive/929492

= Several parent and child objects are missing from Active Directory in Windows Server 2003 =

Article ID: 929492

Article Last Modified on 10/11/2007


APPLIES TO


 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard x64 Edition
 * Microsoft Windows Server 2003, Enterprise x64 Edition
 * Microsoft Windows Server 2003, Datacenter x64 Edition
 * Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
 * Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems


SYMPTOMS
You find that several parent and child objects are missing from the Active Directory directory service on a computer that is running Microsoft Windows Server 2003.
CAUSE
This issue occurs if users are granted the "Delete Subtree" permission. This permission lets users delete an object together with all of its child objects. It can be granted for all objects in a container or only for child objects of a specific object type.

When a user who holds this permission deletes an object in Active Directory, all of its child objects are deleted as well. The child objects are deleted even if the user does not have permission to delete those child objects individually.

A user can remove a whole subtree together with the parent object if the user has ADS_RIGHT_DS_DELETE_TREE access on the parent container, either for a specific object type or for all objects. In that case the discretionary access control lists (DACLs) of the child objects may not be checked, because the ADS_RIGHT_DS_DELETE_TREE access that was granted on the parent container is sufficient for the tree delete operation.
WORKAROUND
To work around this issue, use a script to revoke the "Delete Subtree" (ADS_RIGHT_DS_DELETE_TREE) access permission for all users on the parent container.
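The following PowerShell script is an added example, not the script from the KB article. It uses ADSI (System.DirectoryServices) to list the explicit Allow ACEs on a container that include the DeleteTree right and, only when -Revoke is given, subtracts that single right from each matching ACE. $ContainerDN is a placeholder for the parent container; the script assumes it runs as an account allowed to modify that container's DACL.

```powershell
# Added example: audit, and optionally revoke, "Delete Subtree" (ADS_RIGHT_DS_DELETE_TREE)
# on one container. Report-only unless -Revoke is specified.
param(
    [Parameter(Mandatory = $true)][string]$ContainerDN,   # placeholder, e.g. "OU=Staff,DC=example,DC=com"
    [switch]$Revoke
)

$deleteTree = [System.DirectoryServices.ActiveDirectoryRights]::DeleteTree
$container  = [ADSI]("LDAP://" + $ContainerDN)
$acl        = $container.ObjectSecurity

# Explicit ACEs only ($false): inherited ACEs must be fixed on the object they come from.
$rules = $acl.GetAccessRules($true, $false, [System.Security.Principal.NTAccount])

$findings = @()
foreach ($rule in $rules) {
    if ($rule.AccessControlType -ne 'Allow') { continue }
    if (($rule.ActiveDirectoryRights -band $deleteTree) -ne $deleteTree) { continue }

    $findings += [pscustomobject]@{
        Identity    = $rule.IdentityReference.Value
        Rights      = $rule.ActiveDirectoryRights
        ObjectType  = $rule.ObjectType        # schema GUID of the object type; all-zero GUID = all objects
        Inheritance = $rule.InheritanceType
    }

    if ($Revoke) {
        # Build a rule carrying only DeleteTree with the same identity/scope as the existing ACE.
        # RemoveAccessRule subtracts just that right; any other rights in the ACE are kept.
        $remove = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $rule.IdentityReference, $deleteTree, $rule.AccessControlType,
            $rule.ObjectType, $rule.InheritanceType, $rule.InheritedObjectType)
        [void]$acl.RemoveAccessRule($remove)
    }
}

if ($findings.Count -eq 0) {
    Write-Host "No explicit Allow ACE grants Delete Subtree on $ContainerDN"
} else {
    $findings | Format-Table -AutoSize
    if ($Revoke) {
        $container.CommitChanges()   # write the modified DACL back to the directory
        Write-Host "Delete Subtree removed from $($findings.Count) ACE(s) on $ContainerDN"
    } else {
        Write-Host "Report only. Re-run with -Revoke to remove the right."
    }
}
```

Run it once without -Revoke to review which principals and object types are affected before changing the DACL.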

