Forum Discussion

Curious_Kevin16
Brass Contributor
May 25, 2023

Permissions required for the DSA Account - Missing the revoking of the 'ownership' in the script

Hi All, 
Referring to the following step of the Directory services account permission assignment: after obtaining ownership of the 'Deleted objects' container ACL, is it just left as is? How do we revoke this properly?
# Take ownership on the deleted objects container:
$params = @("$deletedObjectsDN", '/takeOwnership')
C:\Windows\System32\dsacls.exe $params

Ref - Directory Service account recommendations - Microsoft Defender for Identity | Microsoft Learn 

  • Curious_Kevin16 

    Yes, you can keep the ownership of the deleted object container. It has no impact on the permissions.

    If you want to remove the permissions you assigned, you can run the following two lines instead of the two prior ones:
    $params = @("$deletedObjectsDN", '/R', $Identity)
    C:\Windows\System32\dsacls.exe $params
    I'll update the public documentation to include them as well.
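
As an added example (not code from this thread or from Microsoft's documentation), the following PowerShell wrapper runs the revocation from the reply above and verifies it: it lists the dsacls ACEs that name the DSA identity on the Deleted Objects container, runs `/R` as the reply describes, and re-reads the ACL to confirm the identity is gone. It assumes a domain-joined host, a caller that already owns the container (the `/takeOwnership` step), and a constructed account name `CONTOSO\mdiSvc01`; ownership itself is left untouched, as the reply says it can be.

```powershell
# Added example: revoke the DSA identity's ACEs on the Deleted Objects
# container with dsacls /R and verify the result. Assumes a domain-joined
# host and a caller that already owns the container.
$Identity = 'CONTOSO\mdiSvc01'   # assumption: the account granted earlier

# Build the container DN from the domain root, as the documented script does.
$domainDN         = ([adsi]'').distinguishedName.Value
$deletedObjectsDN = "CN=Deleted Objects,$domainDN"
$dsacls           = "$env:SystemRoot\System32\dsacls.exe"

function Get-IdentityAces {
    # Returns the lines of the dsacls ACL listing that name $Identity.
    param([string]$ObjectDN, [string]$Identity)
    $output = & $dsacls $ObjectDN 2>&1
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed to read $ObjectDN" }
    $output | Where-Object { $_ -match [regex]::Escape($Identity) }
}

function Remove-IdentityAccess {
    # The revocation from the reply: /R removes every ACE for the identity.
    # Ownership of the container is not changed by this call.
    param([string]$ObjectDN, [string]$Identity)
    $params = @("$ObjectDN", '/R', $Identity)
    & $dsacls $params | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsacls /R failed for $Identity on $ObjectDN" }
}

$before = Get-IdentityAces -ObjectDN $deletedObjectsDN -Identity $Identity
if (-not $before) {
    Write-Host "No ACEs for $Identity on $deletedObjectsDN; nothing to revoke."
    return
}
Write-Host "ACEs before revocation:`n$($before -join "`n")"

Remove-IdentityAccess -ObjectDN $deletedObjectsDN -Identity $Identity

$after = Get-IdentityAces -ObjectDN $deletedObjectsDN -Identity $Identity
if ($after) {
    Write-Warning "ACEs for $Identity still present:`n$($after -join "`n")"
} else {
    Write-Host "Revoked: $Identity no longer appears in the ACL of $deletedObjectsDN."
}
```

For a gMSA the identity dsacls reports ends in `$` (for example `CONTOSO\mdiSvc01$`), so pass that form in `$Identity`.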