A. You can revoke permissions on all containers under a specified root--for example, a domain or an organizational unit (OU)--by using the Dsrevoke tool, which I describe in FAQ "How can I view the state of Active Directory (AD) permissions delegations?" To revoke permissions, you use the command syntax that I provided in that FAQ but replace the /report switch with the /remove switch, like this:
dsrevoke /remove /root:ou=testing,dc=demo,dc=test demo\helpdesk
After you run Dsrevoke, the access control entries (ACEs) that match your criteria are displayed on screen, like this:
ACE #1
Object: OU=testing,DC=demo,DC=test
Security Principal: DEMO\HelpDesk
Permissions:
    READ PROPERTY
    WRITE PROPERTY
ACE Type: ALLOW
ACE does not apply to this object
ACE inherited by all child objects of class User

ACE #2
Object: OU=testing,DC=demo,DC=test
Security Principal: DEMO\HelpDesk
Permissions:
    EXTENDED ACCESS
ACE Type: ALLOW
ACE does not apply to this object
ACE inherited by all child objects of class User

# of ACEs for demo\helpdesk = 2

Do you want to remove the above listed ACEs (y/n): y
All ACEs successfully removed
To remove the ACEs, you must enter "y" (yes) at the prompt. You can then confirm the removal by running Dsrevoke to output a report:
dsrevoke /report /root:ou=testing,dc=demo,dc=test demo\helpdesk
The command outputs this message:
No ACEs for demo\helpdesk
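To keep a record of exactly which delegations were in place before answering "y" to the removal prompt, the /report text can be parsed into objects and saved. The PowerShell below is an added example, not part of the original FAQ or of Dsrevoke; the function name ConvertFrom-DsrevokeReport is hypothetical, and the parser assumes the field labels appear as in the output shown above.

```powershell
# Added example: turn Dsrevoke report text into objects (hypothetical helper).
# Assumption: field labels match the sample output on this page.
function ConvertFrom-DsrevokeReport {
    param([Parameter(Mandatory)][string[]]$Text)

    # Collapse whitespace so parsing does not depend on how the lines are broken.
    $flat = (($Text -join ' ') -replace '\s+', ' ').Trim()

    if ($flat -match '^No ACEs for (.+)$') {
        return [pscustomobject]@{ Principal = $Matches[1]; Reported = 0; Aces = @() }
    }
    if (-not ($flat -match '# of ACEs for (?<who>.+?) = (?<count>\d+)')) {
        throw 'Summary line "# of ACEs for ..." not found; output format not recognised.'
    }
    $who = $Matches['who']; $reported = [int]$Matches['count']

    $pattern = 'ACE #(?<n>\d+) Object: (?<obj>.+?) Security Principal: (?<sp>.+?) ' +
               'Permissions: (?<perm>.+?) ACE Type: (?<type>\w+) ?' +
               '(?<scope>.*?)(?= ACE #\d| # of ACEs|$)'
    $aces = @(foreach ($m in [regex]::Matches($flat, $pattern)) {
        [pscustomobject]@{
            Number      = [int]$m.Groups['n'].Value
            Object      = $m.Groups['obj'].Value
            Principal   = $m.Groups['sp'].Value
            Permissions = $m.Groups['perm'].Value
            AceType     = $m.Groups['type'].Value
            Scope       = $m.Groups['scope'].Value
        }
    })
    # Refuse to return a partial record if the parse disagrees with the tool's own count.
    if ($aces.Count -ne $reported) {
        throw "Parsed $($aces.Count) ACEs but the report states $reported."
    }
    [pscustomobject]@{ Principal = $who; Reported = $reported; Aces = $aces }
}

# Sample input: the first ACE from the output on this page (line breaks assumed).
$sample = @'
ACE #1
Object: OU=testing,DC=demo,DC=test
Security Principal: DEMO\HelpDesk
Permissions: READ PROPERTY WRITE PROPERTY
ACE Type: ALLOW
ACE does not apply to this object
ACE inherited by all child objects of class User
# of ACEs for demo\helpdesk = 1
'@
(ConvertFrom-DsrevokeReport ($sample -split "`n")).Aces | Format-List
# Live use: ConvertFrom-DsrevokeReport (dsrevoke /report '/root:ou=testing,dc=demo,dc=test' demo\helpdesk)
```

Piping the returned Aces to Export-Csv before running the /remove command leaves a record of the delegation that can be consulted if it later needs to be recreated.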