Hello,
As specified in the official article, you should perform the following actions to enforce the measures:
After installing CVE-2021-42291, characters 28 and 29 of the dSHeuristics attribute control the behavior of the update. The dSHeuristics attribute exists within each Active Directory forest and contains settings for the entire forest. The dSHeuristics attribute is an attribute of the "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,<Domain>" object.
See for more information: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e5899be4-862e-496f-9a38-33950617d2c5 and https://learn.microsoft.com/en-us/windows/win32/adschema/a-dsheuristics
Then you need to modify character 28 in the chain with:
1: Enforcement mode is enabled. This prevents users without domain administrator rights from setting the securityDescriptor or other attributes to values that might grant excessive permissions on computer-derived AD objects. An event is also logged when this occurs.
And the Character 29:
1: Enforcement mode is enabled. This prevents users without domain administrator rights from setting the securityDescriptor to values that might grant excessive permissions on existing computer-derived AD objects. An event is also logged when this occurs.
In summary, the characters to modify should be:
10th char: Must be set to 1 if the dSHeuristics attribute is at least 10 characters
20th char: Must be set to 2 if the dSHeuristics attribute is at least 20 characters
28th char: Must be set to 1 to enable Enforcement mode for Additional AuthZ verification
29th char: Must be set to 1 to enable Enforcement mode for temporary Implicit Ownership removal
--If the reply is helpful, please Upvote and Accept as answer--
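The character positions summarized in the answer above can be applied to an existing dSHeuristics value as in the following PowerShell sketch. This is an added example, not part of the answer and not Microsoft's code. The function name `Get-EnforcedDsHeuristics` and the sample values are constructed, and padding missing positions with `0` is an assumption. The write is left as `-WhatIf` so that nothing changes until the computed value has been reviewed.

```powershell
# Added example: compute a dSHeuristics value with characters 28 and 29 set to 1.
# Get-EnforcedDsHeuristics is a hypothetical helper name, not a built-in cmdlet.
function Get-EnforcedDsHeuristics {
    param([string]$Current = '')

    # Assumption: positions that do not exist yet are padded with '0'.
    # Characters already present (including any beyond position 29) are kept.
    $chars = $Current.PadRight(29, '0').ToCharArray()

    # The answer counts positions from 1; array indexes start at 0.
    $chars[9]  = '1'   # 10th char: must be 1 once the value has 10+ characters
    $chars[19] = '2'   # 20th char: must be 2 once the value has 20+ characters
    $chars[27] = '1'   # 28th char: enforcement, Additional AuthZ verification
    $chars[28] = '1'   # 29th char: enforcement, temporary Implicit Ownership removal
    return (-join $chars)
}

# Constructed sample inputs: attribute not set, and a short pre-existing value.
foreach ($sample in '', '0000002') {
    '{0,-10} -> {1}' -f "'$sample'", (Get-EnforcedDsHeuristics -Current $sample)
}

# Against a live forest (requires the ActiveDirectory module and suitable rights).
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory

    # Build the DN of the Directory Service object from the configuration NC.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dn = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"

    $obj = Get-ADObject -Identity $dn -Properties dSHeuristics
    $new = Get-EnforcedDsHeuristics -Current $obj.dSHeuristics
    'Current: {0}' -f $obj.dSHeuristics
    'Planned: {0}' -f $new

    # -WhatIf only reports the change; remove it after reviewing the planned value.
    Set-ADObject -Identity $dn -Replace @{ dSHeuristics = $new } -WhatIf
}
```

Because dSHeuristics holds other forest-wide settings in the same string, compare the current and planned values character by character before removing `-WhatIf`.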