Removing permissions in bulk from AD

Hopefully this is a simple fix as manually it will take a long time.

The admin before me at the place I work has given "Account Operators" and "System" full access to everyones account.

The permissions are applied on the object level, so I cant just remove it and let inheritance run its course... Is there a way for me to remove all these permissions from my AD entirely and I can re-apply them as needed properly.
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Please clarify, are you talking about dacl?
To what portion of accounts?

System computer/system
Jian An LimSolutions ArchitectCommented:
I think the fastest way is to find out where is account operators and systems applies in AD.
you can do it on exchange powershell (hopefully you have one)

Get-ADOrganizationalUnit -filter * | %{Get-ADPermission $_.distinguishedname | ? {$_.user -like "*operator*"} } | ft -wrap

for user you just replace the ADOrganizationalunit to adgroup, aduser and etc etc

to remove it is easy, you just run  
Get-ADOrganizationalUnit -filter * | %{Get-ADPermission $_.distinguishedname | ? {$_.user -like "*operator*"}  | remove-adpermission -force:$false }

length work but better then redo it (there are no simple way to redo your AD)
CaptainGibletsAuthor Commented:
So to better clear this up.

Each object in AD (computer and User) under Security tab has a group called "Accounts Operator" which has full control of the object (giving it send as permission which is the main reason I want to remove it)

When I first create a new account, it also has this permission set however it isn't inherited. I have checked everything I can think of and cant see why this permission is being set. I can remove it manually however I want to remove it from every user / computer at the same time.

I tried running the command below, and I open the file in excel however I cant find the "account operators" permissions in there.

Get-ADPermission -identity "Test user" | export-csv -path "path"

However when I browse to the object it is there.

I have attached a picture and excel spreadsheet.
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

Jian An LimSolutions ArchitectCommented:
okay, you are right,
i think we are barking on a wrong tree

according to

SID: S-1-5-32-548
Name: Account Operators
Description: A built-in group that exists only on domain controllers. By default, the group has no members. By default, Account Operators have permission to create, modify, and delete accounts for users, groups, and computers in all containers and organizational units of Active Directory except the Builtin container and the Domain Controllers OU. Account Operators do not have permission to modify the Administrators and Domain Admins groups, nor do they have permission to modify the accounts for members of those groups.

So, removing them actually will start to break things, I rather to think we should remove users from this account. Of course, user will start to see impact and you need to figure out how to fix it.
CaptainGibletsAuthor Commented:
The permissions shouldn't give them "send as" or any other sort of permission.

However when I create a new user the "Account Operators" have access to everything. I want to find out where this is being applied from, as I cant find it anywhere in the hierarchy.
CaptainGibletsAuthor Commented:
If I remove the "account operators" full permissions, it has the permissions its meant to have such as read write reset password etc, that is inherited. but on every new and existing account it gets full permissions and I need to delete them before correct permissions remain from inheritance.
yo_beeDirector of Information TechnologyCommented:
This is something posted on MS social forum. Looks pretty good source of information.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
You have a delegation, you would need to use dsrevoke to remove this delegation.  Presumably the account operators were granted the right to create/delete accounts.

The article yo_bee posted covers this.

dsrevoke /?  

dsrevoke /report "youraddomain\Account operators"
1st of all this is not an problem
Nobody has done this purposely
By default account operators group do not have any permissions on domain root container and domain controllers OU
Further on every OU accounts operators group by default has create /delete users, computers, groups and inetorg objects with This folder only as permissions scope unless you modify it.
Only administrators and admin groups (high privileged such as enterprise admins) groups do not have accounts operator on their acl for security reasons
Lastly for all other users and groups, accounts operators group has full control permissions with this folder only as scope
By default inheritance is enabled in active directory from top to bottom, as a fact users / groups are created with account operators group full control permissions
do not alter this model as it is designed to use delegated model
Also make sure that on every OU you have inheritance enabled in advanced NTFS security to avoid further issues
Check ACL of and domain controllers OU and make sure that accounts operators group is not defined there, If found you can simply remove it from there
U might create test active directory forest and test out above

Check attached screen shots

The best option to deal with your situation is to remove all users from accounts operators group (keep the group empty) and use AD delegation wizard
With Mahesh's recent detailed explanation and Limijiannan, addressed the default settings and functionality of the account.

Does your accounts operators group have any members?
removing the members you do not want to have such control will achieve what might be looking for.

you could create a separate group and use a GPO with rights assignment to grant them the rights you want them to have, and use group restrictions to add this group to or add members to this group.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.