Q. How can I revoke delegated Active Directory (AD) permissions?
John Savill
November 15, 2004
A. You can revoke permissions on every container under a root that you pass on the command line (for example, a domain or an organizational unit (OU)) by using the Dsrevoke tool, which I describe in the FAQ "How can I view the state of Active Directory (AD) permissions delegations?" To revoke permissions, use the same command syntax as in that FAQ but replace the /report switch with the /remove switch, like this:
dsrevoke /remove /root:ou=testing,dc=demo,dc=test demohelpdesk
After you run Dsrevoke, the access control entries (ACEs) that match your criteria are displayed on screen, like this:

ACE #1
Object: OU=testing,DC=demo,DC=test
Security Principal: DEMO\HelpDesk
Permissions:
  READ PROPERTY
  WRITE PROPERTY
ACE Type: ALLOW
ACE does not apply to this object
ACE inherited by all child objects of class User

ACE #2
Object: OU=testing,DC=demo,DC=test
Security Principal: DEMO\HelpDesk
Permissions:
  EXTENDED ACCESS
ACE Type: ALLOW
ACE does not apply to this object
ACE inherited by all child objects of class User

# of ACEs for demohelpdesk = 2

Do you want to remove the above listed ACEs (y/n): y
All ACEs successfully removed
To remove the ACEs, enter "y" (yes) at the prompt. Note that Dsrevoke removes only ACEs granted directly to the named principal on the domain container and the OUs beneath the root; permissions the principal holds through group membership, or ACEs on other container types, are left in place. You can then confirm the removal by rerunning Dsrevoke with the /report switch:
dsrevoke /report /root:ou=testing,dc=demo,dc=test demohelpdesk
The command outputs this message:
No ACEs for demohelpdesk
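The same report-then-remove procedure can be scripted with the ActiveDirectory PowerShell module, which is useful when Dsrevoke isn't available or when you want the removal logged. The following is an added example, not code from the original FAQ: it walks the root and every OU beneath it, lists the explicit (non-inherited) ACEs for one principal, and removes them after confirmation. It assumes the RSAT ActiveDirectory module and its AD: drive are available, and it uses the FAQ's demo OU and principal names; both are placeholders.

```powershell
# Added example (not from the original FAQ): a PowerShell equivalent of
# "dsrevoke /report" and "dsrevoke /remove" using the ActiveDirectory module.
# Assumptions: the RSAT ActiveDirectory module is installed, the AD: drive is
# available, and the root OU and principal below are the FAQ's demo values.
Import-Module ActiveDirectory

function Get-DelegatedAce {
    param(
        [Parameter(Mandatory)] [string] $Root,      # e.g. 'OU=testing,DC=demo,DC=test'
        [Parameter(Mandatory)] [string] $Identity   # e.g. 'DEMO\HelpDesk'
    )
    # Dsrevoke scans the root container and every OU below it; do the same.
    $containers = @($Root) + @(
        Get-ADOrganizationalUnit -SearchBase $Root -SearchScope Subtree -Filter * |
            Where-Object { $_.DistinguishedName -ne $Root } |
            Select-Object -ExpandProperty DistinguishedName
    )

    foreach ($dn in $containers) {
        $acl = Get-Acl -Path "AD:\$dn"
        # Only explicit ACEs can be removed here; inherited ones must be removed
        # on the container where they are defined, higher in the tree.
        foreach ($ace in $acl.Access) {
            if (-not $ace.IsInherited -and $ace.IdentityReference.Value -ieq $Identity) {
                [pscustomobject]@{
                    Object      = $dn
                    Principal   = $ace.IdentityReference.Value
                    Rights      = $ace.ActiveDirectoryRights
                    Type        = $ace.AccessControlType
                    Inherit     = $ace.InheritanceType
                    Propagation = $ace.PropagationFlags      # InheritOnly = "does not apply to this object"
                    AppliesTo   = $ace.InheritedObjectType   # schema GUID of the child class, e.g. User
                }
            }
        }
    }
}

function Remove-DelegatedAce {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Root,
        [Parameter(Mandatory)] [string] $Identity
    )
    $perContainer = Get-DelegatedAce -Root $Root -Identity $Identity | Group-Object Object
    foreach ($group in $perContainer) {
        $dn  = $group.Name
        $acl = Get-Acl -Path "AD:\$dn"
        $matching = @($acl.Access | Where-Object {
            -not $_.IsInherited -and $_.IdentityReference.Value -ieq $Identity
        })
        foreach ($ace in $matching) { [void] $acl.RemoveAccessRule($ace) }
        # Nothing is written back unless the caller confirms (or omits -Confirm/-WhatIf).
        if ($PSCmdlet.ShouldProcess($dn, "Remove $($matching.Count) ACE(s) for $Identity")) {
            Set-Acl -Path "AD:\$dn" -AclObject $acl
        }
    }
}

$root      = 'OU=testing,DC=demo,DC=test'   # placeholder root from the FAQ
$principal = 'DEMO\HelpDesk'                # placeholder principal from the FAQ

# 1. Report first, as with "dsrevoke /report".
Get-DelegatedAce -Root $root -Identity $principal | Format-Table -AutoSize

# 2. Remove, prompting per container (the equivalent of Dsrevoke's y/n prompt).
Remove-DelegatedAce -Root $root -Identity $principal -Confirm

# 3. Verify: the report should now return nothing.
Get-DelegatedAce -Root $root -Identity $principal
```

Run step 1 with -WhatIf on Remove-DelegatedAce first if you want a dry run that shows which containers would be written. The match is on the explicit identity name only, so, like Dsrevoke, this does not touch rights the principal receives through group membership; if a principal has been deleted, IdentityReference.Value will be a SID string rather than DOMAIN\name and you would match on that instead.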