Solved

Re-instate AD OU Inheritance?

Posted on 2011-03-21
990 Views
Last Modified: 2012-06-27
Hi,

In my organization we have more than 1000 OUs in place. Most of the OUs don't have inheritance enabled.
I have the exact same issue as the poster here:
http://www.activedir.org/ListArchives/tabid/55/forumid/1/postid/41475/view/topic/Default.aspx

Could anyone tell me how that person managed to do this?

I have tried to figure out joeware and admod but I can't seem to find a way to do this.

0
Question by:Hal-itosis
8 Comments
 
LVL 71

Expert Comment

by:Chris Dent
ID: 35181217
The quoted command is missing a space; that won't help:

adfind -default -f objectcategory=organizationalunit -sc aclnoinherit

Otherwise are you getting an error message? Or just 0 Objects returned?

Chris
0
 
LVL 1

Author Comment

by:Hal-itosis
ID: 35181324
Sorry, maybe I was not clear in explaining.

The command listed works fine (I knew about the space), but that just lists the OUs that need to have inheritance re-instated.

What command do I use to do this for any OU in the domain that does not have policy inheritance selected?
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 35181441

Just to be clear, are you talking about Group Policy Inheritance? Or ACL inheritance? The two are not the same and how we might deal with each is quite different.

And which version of Windows do we have available to make changes on? That'll impact the tools we can use.

Chris
0

 
LVL 1

Author Comment

by:Hal-itosis
ID: 35182025
Yes, it's ACL and not GPO, and the directory is Server 2003 Native. Mix of 2008 R2 and 2003 DCs.
0
 
LVL 71

Accepted Solution

by:Chris Dent (earned 2000 total points)
ID: 35182578
Great, I wanted to make sure.

Personally I'd go for PowerShell to set this back; we're going to have to use some kind of scripting language and it's far less messy than VbScript.

You don't need it installed on the server (although it will be under 2008 R2); I'd run it from your workstation. If you run XP and don't already have it, you can download it here:

http://support.microsoft.com/kb/968930

We may as well stick with adfind for the hard bit, then we'll take what we get from that and have PS change things for us. It's quite easy, honest.

# Find every OU with inheritance blocked; adfind prints one "dn:..." line per hit
./adfind.exe -default -f objectcategory=organizationalunit -sc aclnoinherit |
  Where-Object { $_ -Match '^dn:' } |
  ForEach-Object {
    # Strip the "dn:" prefix and bind to the OU
    $OU = [ADSI]"LDAP://$($_ -Replace '^dn:')"

    Write-Host "Resetting inheritance on $($OU.Get('distinguishedname'))"

    # Uncomment these two lines to re-enable inheritance and write the change
    # $OU.PsBase.ObjectSecurity.SetAccessRuleProtection($False, $False)
    # $OU.CommitChanges()
  }

Copy and paste the snippet above into PowerShell, I'm assuming you have ADFind in the same directory.

This lets us test; it won't make any changes, only tell us about them. If you're happy it's targeting the right stuff, remove the "#" character from the two lines that start with $OU. That'll commit the change and enable inheritance for all OUs found by Joe's tool.

HTH

Chris
0
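The same reset with a recovery path, as an added example (not code from Chris's post or from ADFind): it finds the protected OUs with the ActiveDirectory module instead of adfind, saves each OU's security descriptor as SDDL before touching it, and can put one back from that file. It assumes the ActiveDirectory module (RSAT, or a 2008 R2 box), a constructed backup folder C:\ACLBackup, and function names chosen here.

```powershell
Import-Module ActiveDirectory

$BackupDir = 'C:\ACLBackup'   # constructed path; one .sddl file per OU goes here
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# OUs whose DACL is protected (inheritance blocked): the same objects
# adfind's "-sc aclnoinherit" shortcut lists.
function Get-InheritanceBlockedOu {
    Get-ADOrganizationalUnit -Filter * |
        Where-Object { ([ADSI]"LDAP://$($_.DistinguishedName)").PsBase.ObjectSecurity.AreAccessRulesProtected }
}

# Save the current security descriptor as SDDL before changing anything.
function Backup-OuAcl {
    param([string]$DistinguishedName)
    $entry = [ADSI]"LDAP://$DistinguishedName"
    $file  = Join-Path $BackupDir (($DistinguishedName -replace '[\\/:*?"<>|,= ]', '_') + '.sddl')
    Set-Content -Path $file -Value $entry.PsBase.ObjectSecurity.Sddl -Encoding ASCII
    $file
}

# Re-enable inheritance. Explicit ACEs on the OU stay; inheritable ACEs from
# the parent are merged back in. With -WhatIf nothing is written.
function Enable-OuInheritance {
    param([string]$DistinguishedName, [switch]$WhatIf)
    $entry = [ADSI]"LDAP://$DistinguishedName"
    $entry.PsBase.ObjectSecurity.SetAccessRuleProtection($false, $false)
    if ($WhatIf) { Write-Host "Would reset inheritance on $DistinguishedName"; return }
    $entry.PsBase.CommitChanges()
}

# Put one OU back exactly as it was, from its backup file.
function Restore-OuAcl {
    param([string]$DistinguishedName, [string]$BackupFile)
    $entry = [ADSI]"LDAP://$DistinguishedName"
    $sddl  = [System.IO.File]::ReadAllText($BackupFile).Trim()
    $entry.PsBase.ObjectSecurity.SetSecurityDescriptorSddlForm($sddl)
    $entry.PsBase.CommitChanges()
}

# Dry run: back up every affected OU and report what would change.
# Drop -WhatIf once the list looks right.
foreach ($ou in Get-InheritanceBlockedOu) {
    $backup = Backup-OuAcl -DistinguishedName $ou.DistinguishedName
    Write-Host "Backed up $($ou.DistinguishedName) to $backup"
    Enable-OuInheritance -DistinguishedName $ou.DistinguishedName -WhatIf
}
```

Keep the .sddl files with the change record: if a particular OU picks up inherited permissions it should not have, Restore-OuAcl returns just that one OU to its previous descriptor without touching the rest.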
 
LVL 1

Author Comment

by:Hal-itosis
ID: 35182791
That’s a thing of beauty right there Chris,

Worked like a champ!

Thanks so much and sorry for posting on so many forums :-)
I was getting desperate.

First time using PowerShell actually, must start using it a bit more/learn it.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 35182818
Don't forget to thank Chris over on Activedir too... it may help if Chris is ever nominated for an MVP award :)
0
 
LVL 1

Author Comment

by:Hal-itosis
ID: 35182937
Done!

Thanks again, you saved me hours of clicks :-)
0
