  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 825

Active Directory objects to inherit their permissions from their parent. How to do an update to an entire OU.

Hi,

I have an Active Directory (2003 based) OU with more than 8000 objects in it, and some of the objects are not set in their security section to inherit their permissions from the parent OU.

I do not want to change or remove extra permissions, but I would like to set all the objects to inherit their permissions from the parent.

I think this should be done with a VBScript. Can someone help with creating that script or PowerShell command that will return a list of users that are not set to inherit their permissions from the parent?

Thanks Peter
0
Asked by: PeterSinger
 
LauraEHunterMVP Commented:
A caveat - if any of the users in question are, or have ever been, members of a protected group such as Domain Admins, Administrators, Account Operators or Server Operators, any change you make to the inheritance settings on the account will be automatically rolled back by AD within 1 hour. This behavior is by design, and explained here: http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/05/29/49659.aspx

If this is not the case, you can list and re-enable permissions inheritance using a combination of VBScript and dsacls; sample syntax can be found here: http://redmondmag.com/columns/print.asp?EditorialsID=1600
0
 
Akhater Commented:
Here is something for you, right from
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_2003_Active_Directory/Q_23214970.html#a21062004


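# Defaults to the domain root; pass the distinguished name of the OU to limit the scope.
Param($DN = ([ADSI]"").distinguishedName)
Write-Host "Using: $DN"
$ds = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$DN","(objectcategory=user)")
# Without paging the search stops at the server's result limit (1000 by default),
# which would miss most of an OU that holds more than 8000 objects.
$ds.PageSize = 1000
$users = $ds.FindAll()
foreach($usr in $users)
{
    $user = $usr.GetDirectoryEntry()
    Write-Host "Processing User: $($user.sAMAccountName)"
    # $false = do not protect the ACL, i.e. allow inheritance from the parent again.
    # The second argument is ignored when the first is $false; explicit ACEs are kept.
    $user.psbase.ObjectSecurity.SetAccessRuleProtection($false,$true)
    # Write the modified security descriptor back to the directory.
    $user.psbase.CommitChanges()
}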


0
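The listing the question asks for, combined with the protected-group caveat from the first answer, as an added example that is not part of the thread: it reports users whose ACL blocks inheritance and re-enables inheritance only when run with `-Fix`, skipping accounts that carry `adminCount=1`. The `-Fix` switch and the output column names are hypothetical, and treating `adminCount=1` as the marker for protected-group accounts is an assumption not stated in the thread.

```powershell
# Added example, not from the thread. Read-only unless -Fix is supplied.
param(
    [string]$DN = ([ADSI]"").distinguishedName,  # pass the OU's distinguished name
    [switch]$Fix                                  # hypothetical switch: re-enable inheritance
)

$root   = [ADSI]"LDAP://$DN"
$filter = "(&(objectCategory=person)(objectClass=user))"
$ds     = New-Object System.DirectoryServices.DirectorySearcher($root, $filter)
$ds.PageSize = 1000   # page the results so all 8000+ objects come back
[void]$ds.PropertiesToLoad.Add("sAMAccountName")
[void]$ds.PropertiesToLoad.Add("distinguishedName")
[void]$ds.PropertiesToLoad.Add("adminCount")

$results = $ds.FindAll()
$report = foreach ($r in $results) {
    $entry = $r.GetDirectoryEntry()
    $sd    = $entry.psbase.ObjectSecurity

    # True when "inherit permissions from parent" is switched off on the object.
    if ($sd.AreAccessRulesProtected) {
        # Assumption: adminCount=1 marks accounts whose ACL the directory resets
        # on its own schedule, so changing them here would be rolled back.
        $ac = $r.Properties["admincount"]
        $isProtectedAccount = ($ac.Count -gt 0 -and $ac[0] -eq 1)

        $action = "Reported"
        if ($Fix -and $isProtectedAccount) {
            $action = "SkippedAdminCount"
        } elseif ($Fix) {
            # Re-enable inheritance; explicit ACEs on the object are left in place.
            $sd.SetAccessRuleProtection($false, $true)
            $entry.psbase.CommitChanges()
            $action = "InheritanceEnabled"
        }

        New-Object PSObject -Property @{
            SamAccountName    = [string]$r.Properties["samaccountname"][0]
            DistinguishedName = [string]$r.Properties["distinguishedname"][0]
            AdminCount        = $isProtectedAccount
            Action            = $action
        }
    }
    $entry.psbase.Dispose()
}
$results.Dispose()   # FindAll() holds unmanaged resources until disposed

$report | Select-Object SamAccountName, AdminCount, Action, DistinguishedName
```

Run it once without `-Fix` and keep the output (for example piped to `Export-Csv`) as a record of which objects had inheritance disabled before anything is changed.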
