lithnet / access-manager

Access Manager provides web-based access to local admin (LAPS) passwords, BitLocker recovery keys, and just-in-time administrative access to Windows computers in a modern, secure, and user-friendly way.

Exchange ACL issue #154

Closed CodeNameTheOnlyOne closed 2 years ago

CodeNameTheOnlyOne commented 2 years ago

Not sure when this started, but I am getting an error when trying to manage any group/mailbox from ECP.

Warning: The object {objectname} has been corrupted or isn't compatible with Microsoft support requirements, and it's in an inconsistent state. The following validation errors happened: The access control entry defines the ObjectType '43061ac1-c8ad-4ccc-b785-2bfac20fc60a' (Attribute msFVE-RecoveryPassword) that can't be resolved.

As this is a BitLocker permission and the only user I see having it is the gMSA for Lithnet, I'm not sure if they are related.

Has anyone else had this issue?

CodeNameTheOnlyOne commented 2 years ago

I removed the 2 permission objects that use "msFVE-RecoveryPassword" at the security prompt at the domain level and it has resolved my issue. I am not doing any BitLocker currently, and if I am reading the permission correctly this only allowed Lithnet to read the recovery keys, hopefully not prevent them from being stored. I am assuming this property only applies to computer objects, and Exchange does not know what to do with groups that have it applied. Is there a way to target this permission onto my computer OUs and hopefully prevent this issue? I'm assuming this permission only really applies to computer objects.

ryannewington commented 2 years ago

Hi,

If you used the scripts we provide in the app to delegate bitlocker permissions, then you can modify the $ou variable and specify the OU that contains only computer objects. If you don't do this it will apply to the root of the domain and all its descendants.

The ACL itself applies to all bitlocker recovery objects (MSFVE-RECOVERYINFORMATION), not to all computers. Hence why you are seeing them on non computer objects. While these can only appear as children of computer objects, the ACLs do not understand this distinction.

Be aware that by fixing the issue, you've broken ACL inheritance to those objects. To fix this properly, I'd recommend removing the ACL at the top level completely, restoring inheritance on the ACL of the Exchange objects you modified, and re-running the delegation script at the correct OU containing only computers. That's if you need BitLocker read access for AMS at all. If you aren't using it, then don't bother replacing it with a new ACL.
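An added example for auditing the situation described above; it is not part of this thread and not one of Access Manager's own delegation scripts. It walks the domain's groups, OUs and domain head, and reports every ACE whose ObjectType is the msFVE-RecoveryPassword attribute GUID quoted in the Exchange warning, whether the ACE is explicit or inherited, and whether its InheritedObjectType is narrowed to the msFVE-RecoveryInformation class (that class GUID is resolved from the schema rather than hard-coded). The filter of object classes to check is an assumption chosen to match the objects Exchange complained about.

```powershell
# Added audit example (not from Access Manager). Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# ObjectType GUID quoted in the Exchange warning: the msFVE-RecoveryPassword attribute.
$recoveryPasswordGuid = [guid]'43061ac1-c8ad-4ccc-b785-2bfac20fc60a'

# Resolve the schemaIDGUID of the msFVE-RecoveryInformation class from the schema.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$recoveryInfoClass = Get-ADObject -SearchBase $schemaNc `
    -LDAPFilter '(lDAPDisplayName=msFVE-RecoveryInformation)' -Properties schemaIDGUID
$recoveryInfoClassGuid = [guid]$recoveryInfoClass.schemaIDGUID

$domainDn = (Get-ADDomain).DistinguishedName

# Assumption: these are the object classes where a BitLocker ACE is unexpected.
$candidates = Get-ADObject -SearchBase $domainDn -SearchScope Subtree `
    -LDAPFilter '(|(objectClass=group)(objectClass=organizationalUnit)(objectClass=domainDNS))'

foreach ($obj in $candidates) {
    $acl = Get-Acl -Path ("AD:\" + $obj.DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.ObjectType -ne $recoveryPasswordGuid) { continue }

        # A correctly scoped delegation limits the ACE to msFVE-RecoveryInformation children.
        $scope = if ($ace.InheritedObjectType -eq $recoveryInfoClassGuid) {
            'msFVE-RecoveryInformation objects only'
        } else {
            'broader than msFVE-RecoveryInformation'
        }

        [pscustomobject]@{
            Object      = $obj.DistinguishedName
            Class       = $obj.ObjectClass
            Identity    = $ace.IdentityReference.Value
            Rights      = $ace.ActiveDirectoryRights
            IsInherited = $ace.IsInherited   # $false = set explicitly here (the source of inheritance)
            Scope       = $scope
        }
    }
}
```

Explicit (non-inherited) hits at the domain head are the ACEs the thread discusses; after re-delegating at a computers-only OU, the same query should report hits only under that OU.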

CodeNameTheOnlyOne commented 2 years ago

I am not doing any BitLocker with AMS currently. I will just re-run the BitLocker PS script targeting my computer OU if I need to start using it.

Have you not had any others using Exchange and seeing this issue? Seems like it's a bug in Exchange, and it affected both my 2019 and 2016 servers; both considered all groups corrupted.

I was able to edit groups with the Lithnet setup the other day, not sure why it started giving me trouble now.

Either way, it's resolved now.