We’ve had one of our AD Domain Controllers reporting that it didn’t have the SACL right. This was logged constantly on event ID 2080. We tried nearly everything but without success. This morning I came up with a solution to fix it, while trying to desperately find the ntSecurityDescriptor property in ADSI Edit and other places. Well, it’s more simple than that!

On whatever DC, fire up Active Directory Users & Computers, click on the View menu and select Advanced Features. Then browse to Domain Controllers OU, right click on the DC which misses the SACL right and select Properties. Click on the Security tab and select Advanced. Be patient… then on the Permissions tab, click on Add … Select the Exchange Servers security group and click on OK. You will see a dialog with two tabs: Object and Properties. Select Properties. Then scroll down until you find Read nTSecurityDescriptor. Check Allow, click on OK as much as needed to close the window. Then check your event log after a while. Your DC should now report that it has the SACL right.