How to query for all objects in AD which do NOT have allow inheritable permissions enabled

How can I write an LDAP query for all objects in Active Directory that do NOT have "Allow inheritable permissions from the parent to propagate to this object.." enabled. If not possible in an LDAP query is there some alternate method to produce a report of all these objects other than manually checking each of them?
bccopsAsked:
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

x
 
Chris DentConnect With a Mentor PowerShell DeveloperCommented:

This works, but does take a long time to run.

Is that what you need? The output format will almost certainly need adjusting, what would you like to see there?

Chris

Const SE_DACL_PROTECTED = 4096
Const ADS_SCOPE_SUBTREE = 2
 
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
 
Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection
 
Set objRootDSE = GetObject("LDAP://RootDSE")
objCommand.CommandText = "SELECT distinguishedName " &_
	"FROM 'LDAP://" & objRootDSE.Get("defaultNamingContext") &_
	"' WHERE objectClass='user'"
Set objRootDSE = Nothing
 
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Timeout") = 600
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.Properties("Cache Results") = False
Set objRecordSet = objCommand.Execute
 
While Not objRecordSet.EOF
 
	Set objADObject = GetObject("LDAP://" & objRecordSet.Fields("distinguishedName"))
	Set objSD = objADObject.Get("nTSecurityDescriptor")
	
	If objSD.Control And SE_DACL_PROTECTED Then
		WScript.Echo objRecordSet.Fields("distinguishedName")
		WScript.Echo "Inheritance Not Enabled"
	End If
	objRecordSet.MoveNext
WEnd
 
Set objRecordSet = Nothing
Set objCommand = Nothing
Set objConnection = Nothing

Open in new window

0
 
bccopsAuthor Commented:
This looks like it's what I need -- will test the script soon and report results.
0
 
Chris DentPowerShell DeveloperCommented:

Cool, yell if you need any code changes.

Chris
0
 
bccopsAuthor Commented:
This is precisely what I needed.

Thank you
0
All Courses

From novice to tech pro — start learning today.