Description:
You have Active Directory and Exchange servers running in your environment. One day, the Security team tells you that they have found an account with excessive access on the AdminSDHolder container. The account is "DomainName\Exchange Servers" and it holds the Extended Rights permission "Replication Synchronization". You want to remove this excessive access.
First, you try to remove it through the GUI. Open the Active Directory Users and Computers console, go to System, then to the AdminSDHolder container. Right-click it, open Properties, open the Security tab, and click Advanced. You search for "DomainName\Exchange Servers" with the Replication Synchronization permission, but cannot find it.
Second, you try to confirm the existence of the extended rights by running the following command:
DSACLS "CN=AdminSDHolder, CN=System, DC=DomainName, DC=Local"
The output confirms that the permission exists, as shown in the picture below:
Third, you try to remove it using the Exchange Management Shell, and run the following PowerShell command:
Remove-ADPermission -Identity "CN=AdminSDHolder, CN=System, DC=DomainName, DC=Local" -User "DomainName\Exchange Servers" -ExtendedRights "Replication Synchronization"
Resolution:
We can remove the Extended Rights in AdminSDHolder container with the help of LDP.exe
- Open LDP.exe
- Go to Connection > Click Connect > Click OK
- Go to Connection again > Click Bind > Click OK
- Click View > Click Tree
- Enter the Base DN "DC=DomainName,DC=Local". Click OK
- On the left, double-click the domain node, double-click "CN=System, DC=DomainName, DC=Local", then right-click the AdminSDHolder container.
- Click Advanced > Click Security Descriptor
- Check the SACL box > Click OK
- Scroll Down until you find the Rights that you want to remove
- Click Delete ACE > Select Yes
- Click Update to commit the changes
- Close the LDP.exe
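The same cleanup can be scripted so that it is repeatable and auditable. The script below is an added example and is not part of the original post; it uses the ActiveDirectory RSAT module rather than LDP.exe, assumes it is run by a Domain Admin from a domain-joined host, and takes the trustee name as a parameter (the "DomainName\Exchange Servers" default is the placeholder from the post). The GUID it matches on is the well-known DS-Replication-Synchronize control access right, which DSACLS displays as "Replication Synchronization". Without -Commit it only reports what it would remove.

```powershell
# Added example (not from the original post): report and optionally remove ACEs
# on AdminSDHolder that grant a trustee the "Replication Synchronization"
# extended right. Requires the ActiveDirectory module and rights to write the
# DACL of AdminSDHolder (Domain Admin or equivalent).
param(
    [string]$Trustee = 'DomainName\Exchange Servers',   # placeholder from the post
    [switch]$Commit                                      # omit for a dry run
)

Import-Module ActiveDirectory

# Well-known rights GUID of DS-Replication-Synchronize
# (shown by DSACLS as "Replication Synchronization").
$ReplSyncGuid = [guid]'1131f6ab-9c07-11d1-f79f-00c04fc2dcd2'

$domainDn      = (Get-ADDomain).DistinguishedName
$adminSdHolder = "CN=AdminSDHolder,CN=System,$domainDn"
$aclPath       = "AD:\$adminSdHolder"

$acl = Get-Acl -Path $aclPath

# Keep only explicit (non-inherited) ExtendedRight ACEs whose ObjectType is the
# replication-synchronize GUID and whose trustee is the account in question.
$extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$excess = @($acl.Access | Where-Object {
    -not $_.IsInherited -and
    $_.ObjectType -eq $ReplSyncGuid -and
    $_.ActiveDirectoryRights.HasFlag($extendedRight) -and
    $_.IdentityReference.Value -eq $Trustee
})

if ($excess.Count -eq 0) {
    Write-Host "No Replication Synchronization ACE for '$Trustee' on $adminSdHolder"
    return
}

# Show exactly which ACEs matched before anything is changed.
$excess | Format-Table IdentityReference, AccessControlType, ActiveDirectoryRights, ObjectType -AutoSize

if ($Commit) {
    foreach ($ace in $excess) {
        # RemoveAccessRuleSpecific removes this one ACE as-is instead of
        # recomputing the trustee's rights, so other ACEs for the same
        # trustee on this object are left untouched.
        [void]$acl.RemoveAccessRuleSpecific($ace)
    }
    Set-Acl -Path $aclPath -AclObject $acl
    Write-Host "Removed $($excess.Count) ACE(s) from $adminSdHolder."
}
else {
    Write-Host "Dry run only. Re-run with -Commit to remove the ACE(s) listed above."
}
```

Run it once without -Commit and compare the listed ACEs with the DSACLS output from the Description section before committing. Because the SDProp process periodically copies the AdminSDHolder DACL onto protected accounts and groups, a change here is what eventually lands on those objects, so verify the result with DSACLS both on AdminSDHolder and on a protected group after the next SDProp cycle.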