Gateway Read-Only User Dacls and Account Type

  • Question

  • How, specifically, do I set the dacls for the read-only user that's used by the gateways? Can someone provide the correct command?

    Also, should this account be some type of managed service account / group managed service account? And for forests with multiple domains, should the account be different for each domain? 

    Many Thanks! 

    Wednesday, January 6, 2016 9:19 PM

Answers

  • Hi Alan,

    The account needs to be a regular user (which by default has read-only access to all containers, with the exception of the "deleted object container").

    The ATA deployment guide points you to the following article:

    https://technet.microsoft.com/library/cc816824(v=ws.10).aspx

    It has the same example in the "Changing permissions on a deleted object container" section...

    Something like:

    dsacls "CN=Deleted Objects,DC=Contoso,DC=com" /G CONTOSO\ATAService:LCRP

    Please note that by default, you may need to take ownership of the container in order to change it; this is done using the following command:

    dsacls "CN=Deleted Objects,DC=Contoso,DC=com" /takeownership

    Hope this helps,

      Microsoft ATA Team


    Thursday, January 7, 2016 6:07 PM
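    The two dsacls steps above, wrapped in a script that also verifies the result, as an added example that is not part of the thread or of the ATA documentation. It assumes the RSAT ActiveDirectory module is installed, that the session runs with rights to take ownership of the container, and that the domain DN and account name are placeholders to be replaced. The verification step reads the container's ACL back through the AD: drive and warns if the account ends up holding anything broader than List Contents + Read Property, which is the least-privilege check a defender wants after granting rights to a service account. Each domain in a forest has its own Deleted Objects container, so the script is run once per domain partition the gateway must read.

```powershell
# Added example (not from the thread or the ATA docs): apply the grant the
# ATA team describes, then verify the resulting ACE with the AD module.
# Assumptions: RSAT ActiveDirectory module present; caller can take ownership;
# $DomainDN and $ServiceAcct are placeholders, not values from the thread.
param(
    [string]$DomainDN    = "DC=Contoso,DC=com",   # placeholder domain partition
    [string]$ServiceAcct = "CONTOSO\ATAService"   # placeholder read-only account
)

Import-Module ActiveDirectory
$container = "CN=Deleted Objects,$DomainDN"

# Step 1: ownership. By default the grant below fails unless the caller
# owns the Deleted Objects container (the point made in the answer above).
& dsacls $container /takeownership | Out-Null
if ($LASTEXITCODE -ne 0) { throw "dsacls /takeownership failed on $container" }

# Step 2: grant List Contents (LC) + Read Property (RP) only.
& dsacls $container /G "${ServiceAcct}:LCRP" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "dsacls /G failed on $container" }

# Step 3: read the ACL back and confirm the account holds LCRP and nothing
# broader (e.g. GenericAll, WriteDacl) on this container.
$expected = [System.DirectoryServices.ActiveDirectoryRights]'ListChildren, ReadProperty'
$acl  = Get-Acl -Path "AD:\$container"
$aces = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $ServiceAcct -and
    $_.AccessControlType -eq 'Allow'
}
if (-not $aces) { throw "No Allow ACE for $ServiceAcct found on $container" }

foreach ($ace in $aces) {
    # Any right bit outside the expected mask means the grant was wider than intended.
    $extra = [int]$ace.ActiveDirectoryRights -band (-bnot [int]$expected)
    if ($extra -ne 0) {
        Write-Warning "$ServiceAcct holds more than LCRP on ${container}: $($ace.ActiveDirectoryRights)"
    } else {
        Write-Output "OK: $ServiceAcct has $($ace.ActiveDirectoryRights) on $container"
    }
}
```

    Save it as a .ps1 and invoke it with -DomainDN and -ServiceAcct for each domain; the warning branch is the one to watch, since a service account that can do more than list and read on this container is more than the gateway needs.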

All replies

  • This article points to setting permissions on an AD LDS object. Does the same apply to an AD DS object?
    Tuesday, January 12, 2016 11:07 AM
  • Hi Michael, 

    As mentioned above, look for the section titled "Changing permissions on a deleted object container".

    HTH

    ATA Team


    Gershon Levitz [MSFT]

    Monday, January 18, 2016 12:08 PM