Permissions required for the DSA Account - Missing the revoking of the 'ownership' in the script


Hi All, 


Referring to the following step of the Directory services account permission assignment: after obtaining the ownership permissions of the 'Deleted objects' container ACL, is it just left as is? How do we revoke this properly? 


# Take ownership on the deleted objects container:
$params = @("$deletedObjectsDN", '/takeOwnership')
C:\Windows\System32\dsacls.exe $params




Ref - Directory Service account recommendations - Microsoft Defender for Identity | Microsoft Learn 



Yes, you can keep the ownership of the deleted object container. It has no impact on the permissions.

If you want to remove the permissions you assigned, you can run the following two lines instead of the two prior ones:
$params = @("$deletedObjectsDN", '/R', $Identity)
C:\Windows\System32\dsacls.exe $params


I'll update the public documentation to include them as well.
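The revoke step from the reply, wrapped in a script that also checks the result. This is an added example, not code from the thread or from the Microsoft documentation: it assumes an elevated PowerShell session on a domain-joined machine, $Identity in DOMAIN\sAMAccountName form as in the documentation script, and that dsacls lists each trustee by that name in its DACL output; the account name in the usage line is a placeholder.

```powershell
function Get-DeletedObjectsDN {
    # Build "CN=Deleted Objects,<domain DN>" from RootDSE; no RSAT module needed.
    $rootDse = [adsi]'LDAP://RootDSE'
    return "CN=Deleted Objects,$($rootDse.defaultNamingContext)"
}

function Get-DsaAceLines {
    param([string]$ObjectDN, [string]$Identity)
    # dsacls with only the object DN prints the current ACL; keep the lines naming the DSA
    # account. The "Owner:" line is skipped because, as the reply says, ownership is left in
    # place and has no effect on the account's permissions.
    $output = & C:\Windows\System32\dsacls.exe $ObjectDN 2>&1
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed to read $ObjectDN : $output" }
    return @($output | Where-Object { $_ -notmatch '^Owner:' -and $_ -like "*$Identity*" })
}

function Remove-DsaDeletedObjectsAccess {
    param([Parameter(Mandatory)][string]$Identity)
    $deletedObjectsDN = Get-DeletedObjectsDN
    $before = Get-DsaAceLines -ObjectDN $deletedObjectsDN -Identity $Identity
    Write-Host "ACEs for $Identity before revoke: $($before.Count)"

    # Same call as in the reply: /R removes every ACE held by the given trustee.
    $params = @("$deletedObjectsDN", '/R', $Identity)
    & C:\Windows\System32\dsacls.exe $params | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsacls /R failed for $Identity on $deletedObjectsDN" }

    # Verification: the DSA account must no longer appear in the DACL listing.
    $after = Get-DsaAceLines -ObjectDN $deletedObjectsDN -Identity $Identity
    if ($after.Count -ne 0) {
        throw "Revoke left ACEs for ${Identity}:`n$($after -join "`n")"
    }
    Write-Host "No ACEs for $Identity remain on $deletedObjectsDN"
}

# Usage (placeholder account name):
Remove-DsaDeletedObjectsAccess -Identity 'CONTOSO\mdiSvc01'
```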