Gateway Read-Only User DACLs and Account Type

Question
-
How, specifically, do I set the DACLs for the read-only user that's used by the gateways? Can someone provide the correct command?
Also, should this account be some type of managed service account / group managed service account? And for forests with multiple domains, should the account be different for each domain?
Many Thanks!
Wednesday, January 6, 2016 9:19 PM
Answers
-
Hi Alan,
The account needs to be a regular user (which by default has read-only access to all containers, with the exception of the "Deleted Objects" container).
The ATA deployment guide points you to the following article:
https://technet.microsoft.com/library/cc816824(v=ws.10).aspx
which has the same example in the "Changing permissions on a deleted object container" section...
Something like:
dsacls "CN=Deleted Objects,DC=Contoso,DC=com" /G CONTOSO\ATAService:LCRP
Please note that by default you may need to take ownership of the container in order to change it; this is done using the following command:
dsacls "CN=Deleted Objects,DC=Contoso,DC=com" /takeownership
Hope this helps,
Microsoft ATA Team
- Edited by ophirp (Microsoft employee), Thursday, January 7, 2016 6:11 PM: Add specific example
- Marked as answer by Alan_Sigudo Thursday, January 7, 2016 8:53 PM
Thursday, January 7, 2016 6:07 PM
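The two dsacls commands from the answer above, wrapped into a script that runs them against every domain in the forest and then reads the DACL back to confirm the grant took effect. This is an added example and not code from the thread or from the ATA team; the account name CONTOSO\ATAService is a hypothetical placeholder, the function name Grant-DeletedObjectsRead is invented here, and the script assumes it is run as a Domain Admin of each domain from a host with RSAT installed (dsacls.exe and the ActiveDirectory PowerShell module).

```powershell
# Added example, not from the original thread.
# Grants the ATA gateway read-only account List Contents (LC) and Read Property (RP)
# on the Deleted Objects container of each domain in the forest, then verifies it.
# Assumptions (not from the thread): CONTOSO\ATAService is a hypothetical account
# name; run as a Domain Admin of each domain on a host with RSAT installed.

$ServiceAccount = 'CONTOSO\ATAService'   # hypothetical; replace with your account

Import-Module ActiveDirectory -ErrorAction Stop

function Grant-DeletedObjectsRead {
    param(
        [Parameter(Mandatory)] [string] $DomainDn,
        [Parameter(Mandatory)] [string] $Account
    )
    $containerDn = "CN=Deleted Objects,$DomainDn"

    # The container's DACL cannot be edited until you own it (see the answer above).
    & dsacls.exe $containerDn /takeownership | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "takeownership failed on $containerDn" }

    # LC = List Contents, RP = Read Property: the only rights granted here,
    # matching the dsacls line in the answer. Nothing more is needed for a
    # read-only account, so do not widen this to GR or GA.
    & dsacls.exe $containerDn /G "${Account}:LCRP" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "grant failed on $containerDn" }

    # Verify by reading the DACL back; dsacls with no switches prints it.
    # The checks below assume dsacls' usual output layout ("Allow <account>"
    # followed by the named rights).
    $acl = (& dsacls.exe $containerDn) -join "`n"
    $granted = ($acl -match "Allow\s+$([regex]::Escape($Account))") -and
               ($acl -match 'LIST CONTENTS') -and
               ($acl -match 'READ PROPERTY')

    [pscustomobject]@{
        Container = $containerDn
        Account   = $Account
        Granted   = $granted
    }
}

# CN=Deleted Objects lives in each domain's own naming context, so the grant
# has to be repeated per domain rather than once at the forest root.
foreach ($domain in (Get-ADForest).Domains) {
    $dn = (Get-ADDomain -Identity $domain).DistinguishedName
    Grant-DeletedObjectsRead -DomainDn $dn -Account $ServiceAccount
}
```

Run it once from any domain-joined admin host; the loop handles the multi-domain case from the original question by resolving each domain's distinguished name and applying the same LCRP grant to that domain's Deleted Objects container. A `Granted` value of `False` for a domain means the dsacls call returned success but the account did not show up with both rights in the DACL, which is worth checking by hand before trusting that gateway's deleted-object visibility.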
All replies
-
This article points to setting permissions on an AD LDS object. Does the same apply to an AD DS object?
Tuesday, January 12, 2016 11:07 AM
-
Hi Michael,
As mentioned above look for the section titled, "Changing permissions on a deleted object container"
HTH
ATA Team
Gershon Levitz [MSFT]
Monday, January 18, 2016 12:08 PM