You delegated permissions to your Defender service account so that it could be removed from the Domain Admins group; however, after removing it, Defender no longer works for some or all users.
The "Include inheritable permissions from this object's parent" option is not checked on the affected user object (the user who is trying to log in through Defender), so the permissions you delegated at the OU or domain level are never inherited by that object. The option is located in the Advanced Security Settings of the user's properties in Active Directory Users and Computers (ADUC):
- Right-click the user account, choose "Properties", select the "Security" tab (if the tab is missing, enable "Advanced Features" from the ADUC "View" menu first), then click the "Advanced" button.
- In the Advanced Security Settings dialog, on the "Permissions" tab, check "Include inheritable permissions from this object's parent" and apply the change. Then, on the "Effective Permissions" tab, select the Defender service account to confirm that the delegated permissions now apply to this user object.
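The same check and fix can be scripted when more than one user object is affected. The following PowerShell is an added example, not One Identity's code: it reads the user object's ACL through the ActiveDirectory module's AD: drive, re-enables inheritance if it is blocked, and then lists the ACEs that apply to the service account. The user name, domain and service account name are assumed placeholders.

```powershell
# Added example (not part of the original article or of Defender): enable
# inheritance on a user object's ACL and confirm the Defender service account
# now has rights on it. 'jsmith' and 'CONTOSO\svc-defender' are assumed names.
Import-Module ActiveDirectory

$userSam     = 'jsmith'                # user who cannot log in through Defender (assumed)
$serviceAcct = 'CONTOSO\svc-defender'  # delegated Defender service account (assumed)

# adminCount is requested so we can warn about SDProp re-blocking inheritance.
$user    = Get-ADUser -Identity $userSam -Properties adminCount
$aclPath = "AD:\$($user.DistinguishedName)"
$acl     = Get-Acl -Path $aclPath

if ($acl.AreAccessRulesProtected) {
    Write-Host "Inheritance is blocked on $($user.DistinguishedName); enabling it."
    # First argument $false  = stop protecting, i.e. include inheritable permissions
    #                          from the parent (the checkbox in the GUI).
    # Second argument $true  = keep the explicit ACEs already on the object.
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $aclPath -AclObject $acl
    $acl = Get-Acl -Path $aclPath   # re-read so the inherited ACEs are visible below
} else {
    Write-Host "Inheritance is already enabled on $($user.DistinguishedName)."
}

# Script equivalent of the "Effective Permissions" tab: ACEs that name the
# service account directly. Rights granted to a group the account belongs to
# will not show up here; use the GUI tab for the authoritative answer.
$acl.Access |
    Where-Object { $_.IdentityReference.Value -eq $serviceAcct } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  IsInherited, InheritanceType, ObjectType |
    Format-Table -AutoSize

if ($user.adminCount -eq 1) {
    Write-Warning ("{0} has adminCount=1 (current or former member of a protected " +
                   "group). The SDProp process will re-apply the AdminSDHolder ACL " +
                   "and block inheritance again on its next cycle.") -f $userSam
}
```

The adminCount warning is the caveat that most often explains why the checkbox "unchecks itself": users who are or were members of protected groups such as Domain Admins are periodically reset to the AdminSDHolder security descriptor, which has inheritance disabled, so the delegated Defender permissions will disappear again unless the user is removed from those groups and adminCount is cleared.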
© 2024 One Identity LLC. ALL RIGHTS RESERVED.