Unwanted access control entry after running adprep or domainprep from Windows Server 2016 installation media

Applies to: Windows Server 2016

Symptom


After you run adprep or domainprep from Windows Server 2016 installation media, there may be an unwanted access control entry (ACE) in the discretionary access control list (DACL) of the security descriptor (SD) of the targeted domain naming context (the domain head object). The ACE grants Full Control to the Enterprise Key Admins group. The security identifier (SID) in the ACE is <forest root domain SID>-527, that is, the well-known relative identifier (RID) 527 of the forest root domain, even when the domain that was prepped is a child domain.

Note: The SID resolves to the group name only after the PDC emulator role is transferred to a Windows Server 2016 domain controller, because that domain controller is what creates the Enterprise Key Admins group. Until then the ACE is displayed with the raw SID.

More information


This unwanted access control entry should be considered a security risk: Full Control on the domain naming context gives every member of Enterprise Key Admins far broader rights over the domain than the group needs to manage key objects. We recommend removing this access control entry and adding the following desired access control entry.

This sample code should help you automate removal of the unwanted entry.
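The following PowerShell script is an added example, not the sample code referenced above or any Microsoft-provided script. It assumes the ActiveDirectory module (RSAT) and its AD: PSDrive are available, and that it runs as an account allowed to modify the security descriptor of the domain naming context. It matches the ACE by SID rather than by name, because the SID may not resolve before the PDC emulator role is on a Windows Server 2016 domain controller. By default it only reports what it finds; pass -Apply to remove the entries (-WhatIf is also honored).

```powershell
# Added example, not the KB's sample script. Removes explicit Full Control
# (GenericAll) ACEs for <forest root domain SID>-527 (Enterprise Key Admins)
# from the DACL of a domain naming context. Report-only unless -Apply is given.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # DNS name of the domain whose naming context was prepped; defaults to the
    # domain of the computer the script runs on.
    [string]$Domain,
    # Actually write the modified DACL back; without it the script only reports.
    [switch]$Apply
)

Import-Module ActiveDirectory -ErrorAction Stop

if (-not $Domain) { $Domain = (Get-ADDomain).DNSRoot }

# RID 527 is defined relative to the forest root domain SID, not the target
# domain SID, so always derive it from the root domain.
$rootDomainSid = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DomainSID.Value
$ekaSid = New-Object System.Security.Principal.SecurityIdentifier ("$rootDomainSid-527")

$ncDn   = (Get-ADDomain -Identity $Domain).DistinguishedName
$ncPath = "AD:\$ncDn"
$acl    = Get-Acl -Path $ncPath

# Translate() returns the SID itself when IdentityReference is already a raw
# (unresolved) SID, and resolves NTAccount names otherwise.
$unwanted = @($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    -not $_.IsInherited -and
    $_.ActiveDirectoryRights -eq [System.DirectoryServices.ActiveDirectoryRights]::GenericAll -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $ekaSid
})

if ($unwanted.Count -eq 0) {
    Write-Output "No explicit Full Control ACE for $ekaSid found on $ncDn."
    return
}

foreach ($ace in $unwanted) {
    Write-Output ("Found: {0} {1} {2} (inheritance: {3})" -f `
        $ace.IdentityReference, $ace.AccessControlType,
        $ace.ActiveDirectoryRights, $ace.InheritanceType)
    if ($Apply -and $PSCmdlet.ShouldProcess($ncDn, "Remove Full Control ACE for $($ace.IdentityReference)")) {
        [void]$acl.RemoveAccessRule($ace)
    }
}

if ($Apply) {
    Set-Acl -Path $ncPath -AclObject $acl
    # Re-read the DACL to confirm the entries are gone.
    $remaining = @((Get-Acl -Path $ncPath).Access | Where-Object {
        -not $_.IsInherited -and
        $_.ActiveDirectoryRights -eq [System.DirectoryServices.ActiveDirectoryRights]::GenericAll -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $ekaSid
    })
    Write-Output "Removed $($unwanted.Count - $remaining.Count) of $($unwanted.Count) ACE(s) from $ncDn."
} else {
    Write-Output "Report only. Re-run with -Apply to remove the entries above."
}
```

Run the script once per domain in which adprep or domainprep was executed from the affected media (for example, `.\Remove-EkaFullControl.ps1 -Domain child.contoso.com -Apply`, where the script file name is an assumption). The script only removes the unwanted entry; the replacement entry recommended above must still be added separately, and the resulting DACL should be reviewed with Get-Acl before and after the change.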