
Grant Permissions for AD Deleted Objects Container

NOTE: Perform this procedure only if the account selected for data collection is not a member of the Domain Admins group.

  1. Log on to any domain controller in the target domain with a user account that is a member of the Domain Admins group.

  2. Navigate to Start > Run and type "cmd".
  3. Input the following command: dsacls <deleted_object_dn> /takeownership

    where deleted_object_dn is the distinguished name of the deleted directory object.

    For example: dsacls "CN=Deleted Objects,DC=Corp,DC=local" /takeownership

  4. To grant permission to view objects in the Deleted Objects container to a user or a group, type the following command:

    dsacls <deleted_object_dn> /G <user_or_group>:<Permissions>

    where deleted_object_dn is the distinguished name of the deleted directory object, user_or_group is the user or group to whom the permission applies, and Permissions is the permission to grant.

    For example, dsacls "CN=Deleted Objects,DC=Corp,DC=local" /G Corp\jsmith:LCRP

    In this example, the user CORP\jsmith has been granted List Contents and Read Property permissions for the Deleted Objects container in the corp.local domain. These permissions let this user view the contents of the Deleted Objects container, but do not let this user make any changes to objects in this container. These permissions are equivalent to the default permissions that are granted to the Domain Admins group.
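As an added example (not part of the Netwrix documentation), the two dsacls steps above wrapped in a PowerShell script to be run on a domain controller: it derives the container DN from RootDSE, skips the grant when the account is already a Domain Admins member (per the note), takes ownership, grants only LCRP, and reads the ACL back to verify the entry. The account name is a constructed placeholder, and the ActiveDirectory module is assumed to be installed.

```powershell
# Added example: wraps the dsacls steps above in a script. Run in an elevated
# prompt on a domain controller as a Domain Admin. The account name below is
# a constructed placeholder; the ActiveDirectory module is assumed to be present.
param(
    [string]$Account = 'CORP\svc-netwrix'   # constructed data-collecting account
)

Import-Module ActiveDirectory -ErrorAction Stop

# Resolve the Deleted Objects container DN from the domain naming context.
$domainDn = ([ADSI]'LDAP://RootDSE').defaultNamingContext
$deletedObjectsDn = "CN=Deleted Objects,$domainDn"

# Per the note above: members of Domain Admins already have this access.
$sam = $Account.Split('\')[-1]
$isDomainAdmin = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.SamAccountName -eq $sam }
if ($isDomainAdmin) {
    Write-Host "$Account is a member of Domain Admins; no extra grant required."
    return
}

# Step 3: take ownership of the container (needed before its ACL can be changed).
dsacls $deletedObjectsDn /takeownership | Out-Null
if ($LASTEXITCODE -ne 0) { throw "dsacls /takeownership failed ($LASTEXITCODE)" }

# Step 4: grant List Contents (LC) and Read Property (RP) only; no write rights.
dsacls $deletedObjectsDn /G "${Account}:LCRP" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "dsacls /G failed ($LASTEXITCODE)" }

# Verify: read the ACL back and show only the entries that name the account.
$acl = dsacls $deletedObjectsDn
$entries = $acl | Select-String -SimpleMatch -Pattern $Account
if (-not $entries) { throw "No ACE for $Account found on $deletedObjectsDn" }
$entries | ForEach-Object { $_.Line.Trim() }
```

The verification step is the part worth keeping in change tickets: the printed ACE lines should show only LC and RP for the account, never a write or full-control entry.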
