I am getting the following warning message after upgrading Exchange 2010 to Exchange 2013:
WARNING: The access control entry defines the ObjectType 'GUID' that can't be resolved.
Solution:
1. Finding the Corrupted ObjectType in Exchange 2013.
Get-ADPermission "dc=example,dc=edu"
This command lists the ACL entries for the object and also reports the corrupted ObjectType. Sample output is given below:
example.edu Everyone True False
example.edu Everyone False False
example.edu NT AUTHORITY\ENTE... False False
example.edu NT AUTHORITY\Auth... False False
example.edu NT AUTHORITY\SYSTEM False False
example.edu BUILTIN\Administr... False False
example.edu S-1-5-32-554 False False
example.edu S-1-5-32-554 False False
WARNING: The object example.edu has been corrupted, and it's in an inconsistent state. The following validation happened:
WARNING: The access control entry defines the ObjectType 'acd46e6d7-8d45-4516-a4b3-61c0e509b5be' that can't be resolved..
2. Finding the Corrupted ACL Entry
Get-Acl "AD:\dc=example,dc=edu" | Select-Object -ExpandProperty Access | Where-Object {$_.ObjectType -eq "acd46e6d7-8d45-4516-a4b3-61c0e509b5be"} | Export-Csv "acl.csv" -NoTypeInformation
Contents of acl.csv:
"ActiveDirectoryRights","InheritanceType","ObjectType","InheritedObjectType","ObjectFlags","AccessControlType","IdentityReference","IsInherited","InheritanceFlags","PropagationFlags"
"ExtendedRight","All","acd46e6d7-8d45-4516-a4b3-61c0e509b5be","00000000-0000-0000-0000-000000000000","ObjectAceTypePresent","Allow","example\testGroup","False","ContainerInherit","None"
3. Finding the Corresponding Corrupted Permissions
Get-ADPermission "dc=example,dc=edu" | Where-Object {$_.User -like "*testGroup"} | ft identity,user,extendedrights,accessrights
Identity User ExtendedRights AccessRights
-------- ---- -------------- ------------
example.edu example\testGroup {Change Password} {ExtendedRight}
example.edu example\testGroup {ExtendedRight}
I have highlighted the corrupted ACL entry in the example.edu container.
4. Removing the Corrupted ACL Entry in the ADUC User Interface.
Log in as a domain admin and remove the ACL entry as follows:
Right Click on example.edu domain --> Properties --> Security --> Advanced --> Select the Corrupted ACL Entry --> Remove
The issue will be resolved after removing the corrupted ACL entry.
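Steps 1 to 3 above find a single GUID that Exchange has already reported. The added example below (not part of the original post) generalizes that check: it lists every ACE on the domain object whose ObjectType or InheritedObjectType matches no schema class, attribute or control access right in the forest. It is read-only and assumes the RSAT ActiveDirectory module is available; the DN is the sample value used in this post.

```powershell
# Added example (not from the original post): read-only audit of ACE GUIDs.
# Assumes the RSAT ActiveDirectory module; $DomainDn is the post's sample DN.
Import-Module ActiveDirectory
$DomainDn = 'dc=example,dc=edu'

$rootDse = Get-ADRootDSE
$known = @{}   # GUID -> name of every schema object and control access right

# Classes and attributes are identified by schemaIDGUID (stored as bytes).
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
        -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $known[([guid]$_.schemaIDGUID)] = $_.lDAPDisplayName }

# Extended rights, property sets and validated writes are identified by
# rightsGuid (stored as a string) under CN=Extended-Rights.
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $known[([guid]$_.rightsGuid)] = $_.displayName }

# Report every ACE whose ObjectType or InheritedObjectType is set
# (not the all-zero GUID) but is unknown to the forest.
$empty = [guid]::Empty
(Get-Acl "AD:\$DomainDn").Access |
    Where-Object {
        ($_.ObjectType -ne $empty -and -not $known.ContainsKey($_.ObjectType)) -or
        ($_.InheritedObjectType -ne $empty -and -not $known.ContainsKey($_.InheritedObjectType))
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  ObjectType, InheritedObjectType, IsInherited |
    Format-Table -AutoSize
```

An empty result means every object-specific ACE on the object resolves; any row returned identifies the trustee and GUID to review before removing the entry as in step 4.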