Remove ACL on AD user Object

  • Question

  • Hi all,

    For one project in my company, I have to add a deny ACL on a user object for a service account. That part is OK, it works with this PowerShell command:

     Add-ADPermission -Identity "my user" -User "my service account" -AccessRights ReadProperty -Deny

    My problem is that I'm unable to delete "my service account" from the AD user object with a script.

    Can anyone tell me how I can delete "my service account" from the ACL of the AD user object?

    Thanks in advance.

    Regards.

    Tuesday, February 16, 2016 11:22 AM

All replies

  • Tuesday, February 16, 2016 5:34 PM
  • It doesn't work for me,

    You have to specify either AccessRights or ExtendedRights parameter.

    I don't know what parameters I have to put.

    Thanks.

    Tuesday, February 16, 2016 9:55 PM
  • ReadProperty is an AccessRight

    \_(ツ)_/

    Tuesday, February 16, 2016 9:56 PM
  • Thanks for your answer, but it doesn't work:

    Remove-ADPermission -Identity "myidentity" -User "myserviceaccount" -AccessRights ReadProperty

    WARNING: Can't remove the access control entry on the object "CN=myidentity,OU=_TEST,,DC=XXXX,DC=XXXX,DC=XXX" for account "myserviceaccount" because the ACE doesn't exist on the object.

    Thanks

    Tuesday, February 16, 2016 10:08 PM
  • Either the ACE is wrong, the object is wrong, or there is no ACE matching that specification, or you have the wrong specification.

    Remove-ADPermission -Identity myidentity -User myserviceaccount -AccessRights ReadProperty -Deny

    You need to specify "Deny"


    \_(ツ)_/

    • Marked as answer by ToniooSTM Tuesday, February 16, 2016 10:27 PM
    Tuesday, February 16, 2016 10:22 PM
  • Thanks, it works :)

    Tuesday, February 16, 2016 10:28 PM
  • ACEs are always found by exact match of all items in the ACE.

    \_(ツ)_/

    Tuesday, February 16, 2016 10:29 PM
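
The exact-match behaviour described in the thread, as an added example that is not part of the original posts: list the explicit ACEs the service account holds on the object, then remove only the deny entries by passing each ACE's own fields back to Remove-ADPermission. It assumes the Exchange Management Shell (where the *-ADPermission cmdlets live), the placeholder names used in the thread, and that the User column renders as DOMAIN\name.

```powershell
# Added example, not code from the thread. Run in the Exchange Management Shell.
# 'myidentity' and 'myserviceaccount' are the placeholders used in the thread.
$Identity       = 'myidentity'
$ServiceAccount = 'myserviceaccount'

# 1. Collect the explicit (non-inherited) ACEs held by the service account.
#    Assumption: User renders as DOMAIN\name, hence the "*\name" wildcard.
$aces = Get-ADPermission -Identity $Identity |
    Where-Object {
        -not $_.IsInherited -and
        $_.User.ToString() -like "*\$ServiceAccount"
    }

# Review what is really on the object before removing anything.
# An allow ACE and a deny ACE with the same rights are two different entries.
$aces | Format-Table User, Deny, AccessRights, ExtendedRights, Properties -AutoSize

# 2. Remove only the deny ACEs. Every field that defines the ACE is echoed
#    back, because the cmdlet finds an ACE by exact match of all its items.
foreach ($ace in ($aces | Where-Object { $_.Deny })) {
    $params = @{
        Identity     = $Identity
        User         = $ace.User
        AccessRights = $ace.AccessRights
        Deny         = $true      # omit this and a deny ACE is never matched
        WhatIf       = $true      # dry run; delete this line after review
    }

    # Property- or extended-right-scoped ACEs carry extra fields that
    # must also match, so pass them through when they are present.
    if ($ace.ExtendedRights) { $params.ExtendedRights = $ace.ExtendedRights }
    if ($ace.Properties)     { $params.Properties     = $ace.Properties }

    Remove-ADPermission @params
}

# 3. After the real run, confirm that no explicit deny ACE is left.
Get-ADPermission -Identity $Identity |
    Where-Object {
        $_.Deny -and -not $_.IsInherited -and
        $_.User.ToString() -like "*\$ServiceAccount"
    }
```

With `WhatIf` in place the loop only reports what it would remove; step 3 returning nothing after the real run confirms the deny entries are gone.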