When you use the Dsrevoke command-line tool to report permissions for all the organizational units in a Windows Server 2003-based domain, the tool may not return all the access control entries

Support for Windows Server 2003 ended on July 14, 2015


This article has been archived. It is offered "as is" and will no longer be updated.
Symptoms
On a Microsoft Windows Server 2003-based domain controller, you run one of the following command lines to report the permissions for all the organizational units in a domain:
  • dsrevoke /report
  • dsrevoke /report /root
However, if the number of organizational units in the domain exceeds the value of the MaxPageSize setting, the tool may not return all the access control entries (ACEs) that are specified on these organizational units.

Notes
  • By default, the value of the MaxPageSize setting is 1000.
  • Organizational units are arranged according to their respective creation dates.
Additionally, if there are no ACEs specified in the first 1000 organizational units, the tool returns the following message:
No ACEs for domain\principalname
Cause
This issue occurs because the report range of the Dsrevoke tool is limited by the MaxPageSize setting.
Resolution
To resolve this issue, run the following command to individually search organizational unit trees so that the total number of organizational units is less than the value of the MaxPageSize setting:
dsrevoke /report /root:ou=OU_Name
Status
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
More information
The Dsrevoke tool cannot report permissions when you use the (/) character in the name of an organizational unit. If there is an organizational unit whose name contains the (/) character, the Dsrevoke tool will return the following error message:
Error occurred in finding ACEs
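
The following PowerShell is an added example, not part of the original article or of the Dsrevoke tool. It counts the organizational units under each OU tree with a paged LDAP query, marks the trees that are small enough to pass to /root: as the Resolution describes, and counts OU names that contain the (/) character. The function names, the page size of 500 and the output columns are assumptions, and it expects Windows PowerShell 3.0 or later on a domain-joined computer.

```powershell
param([int]$MaxPageSize = 1000)   # the article's default; confirm the real value with Ntdsutil.exe

# ADSI treats "/" as a path separator, so it must be escaped inside an LDAP:// path.
function Get-Entry([string]$DN) {
    New-Object System.DirectoryServices.DirectoryEntry('LDAP://' + $DN.Replace('/', '\/'))
}

# Hypothetical helper: list OUs below $Base using a paged search, so the
# count itself is not cut off at MaxPageSize.
function Find-OU {
    param([System.DirectoryServices.DirectoryEntry]$Base, [string]$Scope)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($Base)
    $searcher.Filter      = '(objectCategory=organizationalUnit)'
    $searcher.SearchScope = $Scope      # 'OneLevel' or 'Subtree'
    $searcher.PageSize    = 500         # assumed value; any size below MaxPageSize works
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    [void]$searcher.PropertiesToLoad.Add('name')
    $found = $searcher.FindAll()
    try {
        foreach ($r in $found) {
            [pscustomobject]@{
                DN   = [string]$r.Properties['distinguishedname'][0]
                Name = [string]$r.Properties['name'][0]
            }
        }
    } finally { $found.Dispose() }
}

# Hypothetical helper: walk the OU hierarchy and emit one row per candidate root.
# A tree that is too large is marked 'split' and its child OUs are evaluated in turn.
function Get-ReportRoot {
    param([string]$BaseDN)
    foreach ($ou in Find-OU -Base (Get-Entry $BaseDN) -Scope 'OneLevel') {
        $tree = @(Find-OU -Base (Get-Entry $ou.DN) -Scope 'Subtree')   # includes the OU itself
        $fits = $tree.Count -lt $MaxPageSize
        [pscustomobject]@{
            Root        = $ou.DN
            OUCount     = $tree.Count
            Action      = if ($fits) { 'report' } else { 'split' }
            SlashInName = @($tree | Where-Object { $_.Name -like '*/*' }).Count
        }
        if (-not $fits) { Get-ReportRoot -BaseDN $ou.DN }
    }
}

$domainDN = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext
Get-ReportRoot -BaseDN $domainDN | Format-Table -AutoSize
```

Rows marked 'report' are trees to run individually; a row marked 'split' is covered only by the child rows that follow it, so the ACL on that parent OU itself needs a separate check. A nonzero SlashInName value means the tree contains an OU name with the (/) character.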
References
For more information about the MaxPageSize setting, click the following article number to view the article in the Microsoft Knowledge Base:
315071 How to view and set LDAP policy in Active Directory by using Ntdsutil.exe
Properties

Article ID: 927068 - Last Review: 01/16/2015 01:55:39 - Revision: 2.0

  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Standard x64 Edition
  • Microsoft Windows Server 2003, Enterprise x64 Edition
  • Microsoft Windows Server 2003, Datacenter x64 Edition
  • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  • Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems