This PowerShell script will tighten permissions for the account provided as a parameter. Tightening permissions involves the following steps:

Type   Name                           Access               Applies To
Allow  SYSTEM                         Full Control         This object
Allow  Enterprise Admins              Full Control         This object
Allow  Domain Admins                  Full Control         This object
Allow  Administrators                 Full Control         This object
Allow  Enterprise Domain Controllers  List Contents        This object
Allow  Enterprise Domain Controllers  Read All Properties  This object
Allow  Enterprise Domain Controllers  Read Permissions     This object
Allow  Authenticated Users            List Contents        This object
Allow  Authenticated Users            Read All Properties  This object
Allow  Authenticated Users            Read Permissions     This object


Usage:

Set-ADSyncRestrictedPermissions -ObjectDN <$ObjectDN> -Credential <$Credential>

Where:
$ObjectDN = The Active Directory account whose permissions need to be tightened. This is typically the MSOL_nnnnnnnnnnnn domain account that is configured in the AD DS connector.

$Credential = Administrator credential that has the necessary privileges to restrict Active Directory permissions on the $ObjectDN account. This is typically the Enterprise or Domain Administrator. 


Example:

- Go to a Domain Controller and copy the PowerShell module file (AdSyncConfig.psm1) there.

- Open a Windows PowerShell with "Run as Administrator" and run:

Import-Module .\AdSyncConfig.psm1

$credential = Get-Credential

NOTE: Please use the fully qualified domain name of the administrator account to avoid account lookup failures.

Example: contoso.com\admin.

Set-ADSyncRestrictedPermissions -ObjectDN 'CN=TestAccount1,CN=Users,DC=Contoso,DC=com' -Credential $credential 

Set-ADSyncRestrictedPermissions -ObjectDN "CN=TestAccount1,CN=Users,DC=bvtadwbackdc,DC=com" -Credential $credential
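A verification step to run after the cmdlet, as an added example that is not part of the AdSyncConfig.psm1 module: it reads the account's ACL and reports enabled inheritance, Deny entries, entries that apply beyond "This object", and any identity whose aggregated rights do not match the table above. It assumes the ActiveDirectory module (RSAT) is installed so the AD: drive is available; entries for identities not listed in the table are reported for review rather than treated as wrong.

```powershell
# Added verification example; not part of AdSyncConfig.psm1.
# Assumes the ActiveDirectory module is installed so the AD: drive exists.
Import-Module ActiveDirectory

function Test-ADSyncRestrictedAcl {
    param([Parameter(Mandatory)][string]$ObjectDN)

    $R = [System.DirectoryServices.ActiveDirectoryRights]
    # Expected rights per identity, taken from the table above (name after the backslash).
    # Full Control = GenericAll; List Contents = ListChildren; Read All Properties = ReadProperty;
    # Read Permissions = ReadControl.
    $expected = @{
        'SYSTEM'                        = $R::GenericAll
        'Enterprise Admins'             = $R::GenericAll
        'Domain Admins'                 = $R::GenericAll
        'Administrators'                = $R::GenericAll
        'ENTERPRISE DOMAIN CONTROLLERS' = $R::ListChildren -bor $R::ReadProperty -bor $R::ReadControl
        'Authenticated Users'           = $R::ListChildren -bor $R::ReadProperty -bor $R::ReadControl
    }

    $acl = Get-Acl -Path "AD:\$ObjectDN"
    $findings = @()
    if (-not $acl.AreAccessRulesProtected) {
        $findings += 'Inheritance is still enabled; inherited ACEs can widen access beyond the table.'
    }

    # Aggregate the explicit Allow rights granted to each identity; report anything else.
    $granted = @{}
    foreach ($ace in $acl.Access) {
        $name = ($ace.IdentityReference.Value -split '\\')[-1]
        if ($ace.AccessControlType -ne 'Allow') {
            $findings += "Deny ACE for $($ace.IdentityReference) is not in the expected set."
            continue
        }
        if ($ace.InheritanceType -ne 'None') {
            $findings += "ACE for $($ace.IdentityReference) applies to descendants; expected 'This object' only."
        }
        if (-not $expected.ContainsKey($name)) {
            $findings += "Review: ACE for $($ace.IdentityReference) ($($ace.ActiveDirectoryRights)) is outside the table."
            continue
        }
        $granted[$name] = [int]$granted[$name] -bor [int]$ace.ActiveDirectoryRights
    }
    foreach ($name in $expected.Keys) {
        if ([int]$granted[$name] -ne [int]$expected[$name]) {
            $findings += "$name has rights value $([int]$granted[$name]); expected $($expected[$name])."
        }
    }
    [pscustomobject]@{ ObjectDN = $ObjectDN; Compliant = ($findings.Count -eq 0); Findings = $findings }
}

Test-ADSyncRestrictedAcl -ObjectDN 'CN=TestAccount1,CN=Users,DC=Contoso,DC=com'
```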