Monday, June 13, 2005

W2K Tip: Use Dsrevoke.exe to undo the changes made by the Delegation of Control Wizard

The Delegation Of Control Wizard in Active Directory Users and Computers makes it easy for you to delegate the management of an organizational unit to a user or group. Unfortunately, if you want to undo this delegation, there really isn't any easy way for you to do so. (There isn't a wizard or dialog box to undo these changes.) In the past, to revoke the actions of the Delegation Of Control Wizard, your only choice was to manually remove the permissions it assigns. To help you avoid such time-consuming work, Microsoft released a command line utility that enables you to undo the actions of the Delegation Of Control Wizard: Dsrevoke.exe.
You can download Dsrevoke.exe and its documentation by going to

http://www.microsoft.com/downloads/details.aspx?FamilyID=77744807-c403-4bda-b0e4-c2093b8d6383&DisplayLang=en.

We recommend that you copy the Dsrevoke.exe file to the %SystemRoot% folder so it will be in your search path when you run it from a Command Prompt window. You can run Dsrevoke.exe on Windows 2000, Windows XP, and Windows Server 2003 computers to revoke the permissions delegated in Windows 2000 or Windows Server 2003 Active Directory domains.
To remove the permissions assigned by the Delegation of Control Wizard, use this basic syntax:

dsrevoke /remove domain\account_name

Replace domain\account_name with the appropriate values for your environment, and use quotes if the account name contains a space. When you enter this command, you'll be prompted to confirm that you want to remove the permissions delegations. Type Y for yes, and press [Enter].
Unless you specify otherwise, this command deletes all permissions assignments to the user or group for your domain. If you want to delete only the permissions assignments within an organizational unit (OU), you should use this command instead:

dsrevoke /remove "/root:ou=ou_name,dc=domain,dc=domain" domain\account_name

In this syntax, replace ou_name with the name of the OU from which you want to remove the user or group's permissions. Replace dc=domain,dc=domain with the appropriate portions of your organization's DNS domain name. For example, if your domain name is company.com and you want to remove the Marketing Managers group's delegated permissions from the Marketing OU, you should use this command:

dsrevoke /remove "/root:ou=Marketing,dc=company,dc=com" "company\Marketing Managers"
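
Because the revocation changes ACLs across an OU subtree, it helps to record the delegated permissions beforehand and confirm afterwards that none remain. The PowerShell sketch below is an added example, not part of the original tip or of Microsoft's tool; it checks only explicit ACEs on the OU and the OUs beneath it. It assumes the ActiveDirectory module (RSAT), which is newer than the Windows versions named above, and Get-DelegatedAce is a hypothetical helper name.

```powershell
# Added example, not part of the original tip. Assumes the ActiveDirectory
# module (RSAT) is installed; Get-DelegatedAce is a hypothetical helper name.
Import-Module ActiveDirectory

function Get-DelegatedAce {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,  # DN of the OU passed to /root:
        [Parameter(Mandatory)] [string] $Account      # domain\account_name
    )
    # The OU itself and every OU beneath it.
    $ous = Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase -SearchScope Subtree
    foreach ($ou in $ous) {
        $dn = $ou.DistinguishedName
        (Get-Acl -Path "AD:\$dn").Access |
            # Keep only ACEs set directly on this OU for the delegated account.
            Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -eq $Account } |
            Select-Object @{ Name = 'OU'; Expression = { $dn } },
                AccessControlType, ActiveDirectoryRights,
                ObjectType, InheritedObjectType, InheritanceType
    }
}

# Values from the article's example.
$ou      = 'ou=Marketing,dc=company,dc=com'
$account = 'company\Marketing Managers'

# 1. Before running dsrevoke /remove: keep a record of what is delegated.
Get-DelegatedAce -SearchBase $ou -Account $account |
    Export-Csv -Path .\delegation-before.csv -NoTypeInformation

# 2. Run dsrevoke /remove from a Command Prompt and confirm with Y.

# 3. Rerun this part afterwards: anything still listed was not revoked.
$left = @(Get-DelegatedAce -SearchBase $ou -Account $account)
if ($left.Count -gt 0) {
    Write-Warning "$($left.Count) explicit ACE(s) remain for $account"
    $left | Format-Table -AutoSize
} else {
    Write-Output "No explicit ACEs remain for $account under $ou"
}
```

The CSV written in step 1 also serves as the record you would need to re-create the delegation if the wrong account or OU was targeted.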
