Sorry if this is a dup - didn't see it after several hours. I posted on this topic before but I think I can explain the issue more clearly now...

If I use the /S switch of DSACLS to restore the ACLs of an object back to the default as defined in the schema, the object no longer inherits auditing entries. The simplest test to observe this is:

1. Create a new user or computer object.
2. Look at its properties - Security tab, Advanced, Auditing tab - "Allow inheritable auditing properties from parent to propagate to this object" is checked, and any such inherited auditing entries are displayed.
3. At a command prompt, type DSACLS <DN of the object> /S
4. Look at the same security properties again - the check box is cleared and the entries are gone.

Any idea why this happens? In this simple example, I would have expected NO change - the object had just been created, presumably with the same default security descriptor as the /S switch uses.

Dave
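The check box in steps 2 and 4 reflects the "protected" control bit on the object's SACL, so the change can be checked from the security descriptor instead of the GUI. The following is an added example, not part of the original post: the function name and both SDDL strings are constructed for illustration and are not output captured from DSACLS or a real directory.

```powershell
# Added example. Reports the SACL inheritance state encoded in an SDDL string.
# Get-SaclInheritanceState is a hypothetical helper name.
function Get-SaclInheritanceState {
    param([Parameter(Mandatory)][string]$Sddl)

    $cf = [System.Security.AccessControl.ControlFlags]
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    $flags = $sd.ControlFlags

    # Count audit ACEs that carry the INHERITED flag ("ID" in SDDL).
    $inherited = 0
    if ($null -ne $sd.SystemAcl) {
        foreach ($ace in $sd.SystemAcl) {
            if ($ace.IsInherited) { $inherited++ }
        }
    }

    [pscustomobject]@{
        SaclPresent        = $flags.HasFlag($cf::SystemAclPresent)
        # Protected = the "allow inheritable auditing entries" box is cleared.
        SaclProtected      = $flags.HasFlag($cf::SystemAclProtected)
        SaclAutoInherited  = $flags.HasFlag($cf::SystemAclAutoInherited)
        InheritedAuditAces = $inherited
    }
}

# Constructed sample: SACL that inherits one audit entry from its parent
# (box checked, as in step 2).
$inheriting = 'O:DAG:DAD:AI(A;;RPWP;;;AU)S:AI(AU;SAFAID;WDWO;;;WD)'

# Constructed sample: SACL marked protected with no entries
# (box cleared and entries gone, as described in step 4).
$protected = 'O:DAG:DAD:AI(A;;RPWP;;;AU)S:P'

foreach ($s in $inheriting, $protected) {
    Get-SaclInheritanceState -Sddl $s | Format-List
}

# Assumption: with the ActiveDirectory module loaded and rights to read the
# SACL, the SDDL of a live object can be read before and after the change with
#   (Get-Acl -Path "AD:\<DN of the object>" -Audit).Sddl
```

Running the same function over a set of objects and filtering on SaclProtected gives a quick inventory of objects that have stopped inheriting audit entries.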