cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Permissions required for the DSA Account - Missing the revoking of the 'ownership' in the script

Curious_Kevin16
Brass Contributor

‎May 25 2023 12:38 AM

‎May 25 2023 12:38 AM

Permissions required for the DSA Account - Missing the revoking of the 'ownership' in the script

Hi All, 

 

Referring to the following step of the Directory services account permission assignment, after obtaining the ownership permissions of the 'Deleted objects' container ACL, it just left as is? How do we revoke this properly? 

 

# Take ownership on the deleted objects container: $params = @("$deletedObjectsDN", '/takeOwnership') C:\Windows\System32\dsacls.exe $params

 

Curious_Kevin16_0-1685000241140.png

 

Ref - Directory Service account recommendations - Microsoft Defender for Identity | Microsoft Learn 

401 Views
0 Likes
1 Reply
Reply
1 Reply
Martin_Schvartzman

‎May 28 2023 11:22 AM

‎May 28 2023 11:22 AM

Re: Permissions required for the DSA Account - Missing the revoking of the 'ownership' in the script

@Curious_Kevin16 

Yes, you can keep the ownership of the deleted object container. It has no impact on the permissions.

If you want to remove the permissions you assigned, you can run the following two 2 lines instead of the two prior ones:
$params = @("$deletedObjectsDN", '/R', $Identity)
C:\Windows\System32\dsacls.exe $params

 

I'll update the public documentation to include them as well.

1 Like
Reply