

Many users in Active Directory OUs do not inherit permissions

Posted on 2009-04-20
Medium Priority
Last Modified: 2013-12-05

I have many user OUs that do not have inherit checked.
We are working with delegation and this is getting very tedious.

Is there any way to make a whole users OU set to inherit?
Question by: neoptoent
LVL 18

Expert Comment

ID: 24187612
Have you tried right-clicking on the OU and selecting Properties, then clicking the Advanced button and making sure the "Allow inheritable permissions from the parent to propagate to this object and all child objects......" option is checked? To have the same permission propagate to the OU or objects under this OU, you would just click on the Edit button and select the option from "Apply On to.." where you can select this object only or including child objects etc.
LVL 57

Accepted Solution

Mike Kline earned 2000 total points
ID: 24187794
You may want to give the script mentioned in this article a shot.
From the comments it also looks like he updated it to take care of some errors. The updated version is here:
http://www.chriswolf.com/downloads/showblocked.txt
LVL 30

Expert Comment

ID: 24188486
If the users in question are, or have ever been, members of a protected group such as Domain Admins, Server Operators or Account Operators, the behavior you are describing is by design.

See the following for a description of the problem and some potential workarounds: http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/05/29/49659.aspx

Author Comment

ID: 24193692
So I can run the script and see which users are blocked, but I would still need to go and manually click each to inherit.
Is there any way to do multiple at once?
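
One way to handle the bulk case asked about above, as an added example that is not part of the original thread and is not the script from the linked article. It assumes the ActiveDirectory PowerShell module is installed; the `$SearchBase` value is a placeholder DN. Accounts with `adminCount = 1` are reported rather than changed, because of the protected-group behavior described in the earlier comment.

```powershell
# Added example: re-enable ACL inheritance for every user under one OU.
# Assumes the ActiveDirectory module; the default $SearchBase is a placeholder DN.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase = 'OU=Users,DC=example,DC=com'  # placeholder, replace with your OU
)

Import-Module ActiveDirectory

# adminCount is requested explicitly because it is not returned by default.
$users = Get-ADUser -SearchBase $SearchBase -SearchScope Subtree -Filter * -Properties adminCount

foreach ($user in $users) {
    $path = "AD:\$($user.DistinguishedName)"
    $acl  = Get-Acl -Path $path

    # AreAccessRulesProtected is $true when the "inherit" box is unchecked.
    if (-not $acl.AreAccessRulesProtected) { continue }

    # Accounts that are, or have been, members of protected groups carry
    # adminCount = 1. Inheritance is off on them by design, so list them
    # for review instead of changing them.
    if ($user.adminCount -eq 1) {
        Write-Warning "Skipped (adminCount=1): $($user.DistinguishedName)"
        continue
    }

    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Enable ACL inheritance')) {
        # First argument $false = not protected, i.e. inherit from the parent.
        # The second argument only applies when protecting, so it is ignored here.
        $acl.SetAccessRuleProtection($false, $true)
        Set-Acl -Path $path -AclObject $acl
        Write-Output "Inheritance enabled: $($user.DistinguishedName)"
    }
}
```

Running the script with `-WhatIf` first lists the accounts that would be changed without writing any ACLs.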


Question has a verified solution.
