$ADSI.commitchanges() - A constraint violation occurred

Hi,

I'm trying to manage OU permissions using PowerShell. I have an $ACE object created using the following command:

$ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule ($OUAdminsSID,"CreateChild,DeleteChild","Allow",,"All")

The result seems correct:

ActiveDirectoryRights: CreateChild, DeleteChild
InheritanceType: All
ObjectType: 00000000-0000-0000-0000-000000000000
InheritedObjectType: 00000000-0000-0000-0000-000000000000
ObjectFlags: None
AccessControlType: Allow
IdentityReference: S-1-5-21-XXXXXXXXX-XXXXXXXXXX-725345543-533952
IsInherited: False
InheritanceFlags: ContainerInherit
PropagationFlags: None

However, the following commands result in an error:

$ADSI.psbase.ObjectSecurity.AddAccessRule($ACE)
$ADSI.psbase.commitchanges()

Exception calling "CommitChanges" with "0" argument(s): "A constraint violation occurred.
"
At line:1 char:1
+ $ADSI.psbase.commitchanges()
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : DotNetMethodException

Now the funny part: this problem occurs only in one of our AD domains; it works fine in two others. Also, this command works just fine:

dsacls "OU=Country,OU=Countries,DC=Domain,Dc=COM" /G domain\superuser:CCDC /I:T


  • Edited by Luká Kuera Friday, January 23, 2015 12:11 PM
January 23rd, 2015 3:10pm

This: $OUAdminsSID

Needs to be converted to an NTAccount object.

$ntaccount = New-Object System.Security.Principal.NTAccount("domain\kenmyer")

January 23rd, 2015 6:12pm

Hi Luk Kueram,

To set permission on AD Objects, please refer to this example:

Assign a computer object with Full Control permission on an OU:

$SysManObj = [ADSI]("LDAP://OU=test.,DC=com") #get the OU object 
$computer = get-adcomputer "COMPUTERNAME" #get the computer object which will be assigned with Full Control permission within an OU
$sid = [System.Security.Principal.SecurityIdentifier] $computer.SID 
$identity = [System.Security.Principal.IdentityReference] $SID
$adRights = [System.DirectoryServices.ActiveDirectoryRights] "GenericAll"
$type = [System.Security.AccessControl.AccessControlType] "Allow"
$inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
$ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$inheritanceType #set permission
$SysManObj.psbase.ObjectSecurity.AddAccessRule($ACE)
$SysManObj.psbase.commitchanges()

Refer to:

[Forum FAQ] Using PowerShell to assign permissions on Active Directory objects

If there is anything else regarding this issue, please feel free to post back.

Best Regards,

Anna Wang

TechNet Community Support

February 4th, 2015 8:20am
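
The CreateChild/DeleteChild delegation from the question, written with every constructor argument explicitly typed, the SID resolved before any write, and the rule read back after the commit. This is an added example, not code from any poster in the thread; the function name Add-OuChildRights, its parameters, and the choice to limit the write to the DACL through SecurityMasks are assumptions of the example.

```powershell
# Added example, not code from the thread. Needs a domain-joined host and rights to modify the OU's DACL.
function Add-OuChildRights {
    param(
        [Parameter(Mandatory = $true)] [string] $OuDn,       # distinguished name of the OU
        [Parameter(Mandatory = $true)] [string] $TrusteeSid  # SID string of the delegated principal
    )
    # Typed arguments: nothing is left to string-to-enum coercion in the constructor call.
    $sid     = New-Object System.Security.Principal.SecurityIdentifier $TrusteeSid
    $rights  = [System.DirectoryServices.ActiveDirectoryRights] 'CreateChild,DeleteChild'
    $type    = [System.Security.AccessControl.AccessControlType]::Allow
    $inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All

    # Throws IdentityNotMappedException if the SID cannot be resolved from this host.
    $account = $sid.Translate([System.Security.Principal.NTAccount])

    # Bind to the OU and restrict security descriptor reads/writes to the DACL
    # (a choice made for this example: owner, group and SACL are left untouched).
    $bind = {
        $entry = [ADSI]"LDAP://$OuDn"
        $entry.psbase.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Dacl
        $entry
    }
    # Explicit (non-inherited) rules on the OU that already grant this delegation.
    $find = {
        param($entry)
        $rules = $entry.psbase.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
        $rules | Where-Object {
            $_.IdentityReference.Value -eq $sid.Value -and
            $_.AccessControlType -eq $type -and
            $_.InheritanceType -eq $inherit -and
            $_.ObjectType -eq [guid]::Empty -and
            ($_.ActiveDirectoryRights -band $rights) -eq $rights
        }
    }

    $ou = & $bind
    if (-not (& $find $ou)) {
        $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $sid, $rights, $type, $inherit
        $ou.psbase.ObjectSecurity.AddAccessRule($ace)
        $ou.psbase.CommitChanges()
    }
    # Read back through a fresh bind so the check reflects what the directory stored.
    $stored = @(& $find (& $bind))
    [pscustomobject]@{ OU = $OuDn; Trustee = $account.Value; RulePresent = ($stored.Count -gt 0) }
}
```

Running it a second time against the same OU adds nothing and still reports RulePresent, which makes it usable as a periodic check that the delegation is in place.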

Hi Luk Kueram,

I'm writing to just check in to see if the suggestions were helpful. If you need further help, please feel free to reply to this post directly so we will be notified to follow it up.

Best Regards,

Anna Wang

TechNet Community Support

February 6th, 2015 1:20am
