How to deny Active Directory connection account permissions to an object
Overview
When managing Active Directory, Cayosoft Administrator uses a dedicated connection account with elevated privileges. To prevent the administration of sensitive accounts, permissions on those objects can be denied for the Cayosoft Administrator Service. This article covers the steps to deny editing permissions to the connection account.
NOTE: Review the connection account in Configuration > Connected Systems Extensions > Active Directory.
Instructions
Refer to the following steps to deny the AD connection account native rights to modify an Active Directory object:
1. Open the Active Directory Users and Computers console.
2. Click View and enable Advanced Features, if required.
3. Locate the group or other object that you want to prevent Cayosoft Administrator from editing. Right-click the object and click Properties.
4. Navigate to the Security tab. Click the Advanced button to open the Advanced Security Settings dialog.
5. Click Add to add a new permission entry.
6. In the Principal setting, select a principal; in the dialog, specify the AD connection account.
7. In the Type setting, set the Deny value.
8. At the very bottom of the Permission Entry dialog, click Clear All. In the top section, select Full Access.
NOTE: You can select the Write all properties value instead, so that the connection account can still read the object properties.
9. Click OK to save changes. Click Apply > Apply to apply the changes and finish the process.
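The same deny entry can be applied from PowerShell when several objects need protecting. This is an added example, not part of the original article or Cayosoft's own tooling. It assumes the ActiveDirectory RSAT module is installed, maps the Full Access choice to GenericAll and Write all properties to WriteProperty, applies the entry to the object only (no inheritance), and uses a hypothetical function name and placeholder DN and account values.

```powershell
#Requires -Modules ActiveDirectory
# Added example (hypothetical helper): adds an explicit Deny ACE for the
# AD connection account on one object, mirroring the ADUC steps above.
function Add-ConnectionAccountDeny {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$TargetDN,           # object to protect
        [Parameter(Mandatory)][string]$ConnectionAccount,  # DOMAIN\name
        [ValidateSet('FullControl', 'WriteAllProperties')]
        [string]$Deny = 'FullControl'
    )
    Import-Module ActiveDirectory   # also provides the AD: drive used below

    # Resolve the account name to a SID so the ACE survives renames.
    $sid = (New-Object System.Security.Principal.NTAccount($ConnectionAccount)).
        Translate([System.Security.Principal.SecurityIdentifier])

    # Assumed mapping of the dialog choices to directory rights.
    $rights = if ($Deny -eq 'FullControl') {
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    } else {
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    }
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $rights, [System.Security.AccessControl.AccessControlType]::Deny)

    $path = "AD:\$TargetDN"
    $acl  = Get-Acl -Path $path

    # Skip the write if an equivalent explicit deny is already present.
    $sidType  = [System.Security.Principal.SecurityIdentifier]
    $explicit = $acl.GetAccessRules($true, $false, $sidType)
    $present  = $explicit | Where-Object {
        $_.IdentityReference -eq $sid -and
        $_.AccessControlType -eq 'Deny' -and
        $_.ObjectType -eq [guid]::Empty -and
        ($_.ActiveDirectoryRights -band $rights) -eq $rights
    }
    if (-not $present -and
        $PSCmdlet.ShouldProcess($TargetDN, "Deny $Deny to $ConnectionAccount")) {
        $acl.AddAccessRule($rule)
        Set-Acl -Path $path -AclObject $acl
    }

    # Return the explicit deny entries now on the object for verification.
    (Get-Acl -Path $path).GetAccessRules($true, $false, $sidType) |
        Where-Object { $_.AccessControlType -eq 'Deny' }
}
# Constructed placeholder values; run with -WhatIf first to preview:
# Add-ConnectionAccountDeny -TargetDN 'CN=Sensitive Group,OU=Example,DC=example,DC=com' -ConnectionAccount 'EXAMPLE\svc-connection' -WhatIf
```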