
Commit 3867027

committed
sanity - up to directory service accounts
1 parent 735214d commit 3867027

File tree

1 file changed

+52
-0
lines changed


includes/dsa-permissions.md

Lines changed: 52 additions & 0 deletions
@@ -0,0 +1,52 @@
1+
---
2+
title: include file
3+
description: include file
4+
author: batamig
5+
ms.date: 06/08/2023
6+
---
7+
8+
The DSA requires read permissions on all objects in Active Directory, including the **Deleted Objects** container.
9+
10+
The read-only permissions on the **Deleted Objects** container allows Defender for Identity to detect user deletions from your Active Directory.
11+
12+
Use the following code sample to help you grant the required read permissions on the **Deleted Objects** container, whether or not you're using a gMSA account.
13+
14+
```powershell
15+
# Declare the identity that you want to add read access to the deleted objects container:
16+
$Identity = 'mdiSvc01'
17+
18+
# If the identity is a gMSA, first to create a group and add the gMSA to it:
19+
$groupName = 'mdiUsr01Group'
20+
$groupDescription = 'Members of this group are allowed to read the objects in the Deleted Objects container in AD'
21+
if(Get-ADServiceAccount -Identity $Identity -ErrorAction SilentlyContinue) {
22+
$groupParams = @{
23+
Name = $groupName
24+
SamAccountName = $groupName
25+
DisplayName = $groupName
26+
GroupCategory = 'Security'
27+
GroupScope = 'Universal'
28+
Description = $groupDescription
29+
}
30+
$group = New-ADGroup @groupParams -PassThru
31+
Add-ADGroupMember -Identity $group -Members ('{0}$' -f $Identity)
32+
$Identity = $group.Name
33+
}
34+
35+
# Get the deleted objects container's distinguished name:
36+
$distinguishedName = ([adsi]'').distinguishedName.Value
37+
$deletedObjectsDN = 'CN=Deleted Objects,{0}' -f $distinguishedName
38+
39+
# Take ownership on the deleted objects container:
40+
$params = @("$deletedObjectsDN", '/takeOwnership')
41+
C:\Windows\System32\dsacls.exe $params
42+
43+
# Grant the 'List Contents' and 'Read Property' permissions to the user or group:
44+
$params = @("$deletedObjectsDN", '/G', ('{0}\{1}:LCRP' -f ([adsi]'').name.Value, $Identity))
45+
C:\Windows\System32\dsacls.exe $params
46+
47+
# To remove the permissions, uncomment the next 2 lines and run them instead of the two prior ones:
48+
# $params = @("$deletedObjectsDN", '/R', ('{0}\{1}' -f ([adsi]'').name.Value, $Identity))
49+
# C:\Windows\System32\dsacls.exe $params
50+
```
51+
52+
For more information, see [Changing permissions on a deleted object container](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc816824(v=ws.10)).
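Review bot: the `DOMAIN\principal` string handed to `dsacls /G` on line 44 is built from `([adsi]'').name.Value`, which is the `name` attribute of the domain naming context (the first label of the DNS name, e.g. `contoso` for `DC=contoso,DC=com`), not the domain's NetBIOS name that dsacls resolves against; the two usually coincide but differ in domains created with a custom NetBIOS name, so `(Get-ADDomain).NetBIOSName` would be the safer source for that prefix. Two smaller points: neither `dsacls.exe` call on lines 41 and 45 is followed by a check of `$LASTEXITCODE`, so a failed `/takeOwnership` (for example when the script is not run with Domain Admin rights on a writable domain controller) is silently followed by the `/G` grant, and the prose above the block could say that `/takeOwnership` permanently changes the owner of the **Deleted Objects** container and that the commented `/R` lines on 48-49 remove only the `LCRP` grant, not that ownership change. Finally, the comment on line 18 reads "first to create a group"; "first create a group" is intended.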
