I want to protect my service account from accidental disable/enable from all users. To accomplish this task I tried to take help of DSACLS, However I am having difficulties to achieve this goal. Below command gives me error as mentioned below . Can someone assist me to resolve my issue
---------------------------------
C:\>DSACLS "CN=serv_test,CN=Users,DC=ID,DC=COM" /D "Domain Users:RPWP;userAccountControl;user" /I:T
user is specified as Inherited Object Type. /I:S must be present.
The parameter is incorrect.
The command failed to complete successfully.
-----------------------------------
My service Accounts resides in same OU's where normal User accounts resides. Implementing on whole OU will not be feasible for me as Service Desk people will not able to perform day-today operations for Normal users. Here my goal is to selectively identify all Service accounts scattered over multiple OU's and then implement this restriction. I am able to achieve this via GUI interface but I have more than 1500+ service accounts in my domain and its not feasible through GUI and I was looking for some kind of command line solution.
Thanks
Gautam