Access to AD Objects or Containers

Note: This section only applies for a Tenable Identity Exposure license for the Indicator of Exposure module.

Tenable Identity Exposure does not require administrative privileges to achieve its security monitoring.

This approach relies on the ability of the user account that Tenable Identity Exposure uses to read all Active Directory objects stored in a domain (including user accounts, organizational units, groups, etc.).

By default, most objects have a read access for the group Domain Users that the Tenable Identity Exposure service account uses. However, you must manually configure some containers to allow read access for the Tenable Identity Exposure user account.

The following table details the Active Directory objects and containers that require manual configuration for read access on each domain that Tenable Identity Exposure monitors.

Location of the Container


CN=Deleted Objects,DC=<DOMAIN>,DC=<TLD>

A container that hosts deleted objects.

CN=Password Settings Container,CN=System, DC=<DOMAIN>,DC=<TLD>

(Optional) A container that hosts Password Settings Objects.

To grant access to AD objects and containers:

  • In the domain controller's command line interface, run the following command to grant access to Active Directory objects or containers:

    Note: You must run this command on each domain that Tenable Identity Exposure monitors.
    #Set Service Account
    $serviceAccount = "<SERVICE_ACCOUNT>"

    #Don't Edit after here
    $domain = Get-ADDomain
    @($domain.DeletedObjectsContainer, "CN=Password Settings Container,$($domain.SystemsContainer)") | ForEach-Object {
        & dsacls $_ /takeownership
        & dsacls $_ /g "$($serviceAccount):LCRP" /I:T
    where <__SERVICE_ACCOUNT__> refers to the service account that uses.
  • If PowerShell is not available, you can also execute these commands for each container:

    dsacls "<__CONTAINER__>" /takeownership
    dsacls "<__CONTAINER__>" /g <__SERVICE_ACCOUNT__>:LCRP /I:T


    • <__CONTAINER__> refers to the container that requires access.
    • <__SERVICE_ACCOUNT__> refers to the service account that Tenable Identity Exposure uses.