Solved

Re-instate AD OU Inheritance?

Posted on 2011-03-21
8
985 Views
Last Modified: 2012-06-27
Hi,

In my organization we have more than 1000 OU's in place. Most of the OU's dont have inheritance enabled.
I have the exact same issue as the poster here:
http://www.activedir.org/ListArchives/tabid/55/forumid/1/postid/41475/view/topic/Default.aspx

Could anyone tell me how that person managed to do this?

I have tried to figure out joeware and admod but i cant seem to find a way to do this.

0
Comment
Question by:Hal-itosis
  • 4
  • 3
8 Comments
 
LVL 70

Expert Comment

by:Chris Dent
ID: 35181217
The quoted command is missing a space, that won't help:

adfind -default -f objectcategory=organizationalunit -sc aclnoinherit

Otherwise are you getting an error message? Or just 0 Objects returned?

Chris
0
 
LVL 1

Author Comment

by:Hal-itosis
ID: 35181324
Sorry, maybe I was not clear in explaining.

The command listed works fine (I knew about the space) but that just lists the OU's that need tp have inheritance re-instated.

What command do I use to do this for any OU in the domain that does not have policy inheritance selected?
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 35181441

Just to be clear, are you talking about Group Policy Inheritance? Or ACL inheritance? The two are not the same and how we might deal with each is quite different.

And which version of Windows do we have available to make changes on? That'll impact the tools we can use.

Chris
0
Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

 
LVL 1

Author Comment

by:Hal-itosis
ID: 35182025
Yes, its ACL and not GPO and the Directory is Server 2003 Native. Mix of 2008 R2 and 2003 DC's
0
 
LVL 70

Accepted Solution

by:
Chris Dent earned 500 total points
ID: 35182578
Great, I wanted to make sure.

Personally I'd go for PowerShell to set this back, we're going to have to use some kind of scripting language and it's far less messy than VbScript.

You don't need it installed on the server, although it will be under 2008 R2, I'd run it from your workstation. If you run XP and don't already have it, you can download it here:

http://support.microsoft.com/kb/968930

We may as well stick with adfind for the hard bit, then we'll take what we get from that and have PS change things for us. It's quite easy, honest.
./adfind.exe -default -f objectcategory=organizationalunit -sc aclnoinherit |
  Where-Object { $_ -Match '^dn:' } |
  ForEach-Object {
    $OU = [ADSI]"LDAP://$($_ -Replace '^dn:')"

    Write-Host "Resetting inheritance on $($OU.Get('distinguishedname'))"

    # $OU.PsBase.ObjectSecurity.SetAccessRuleProtection($False, $False)
    # $OU.CommitChanges()
  }

Open in new window

Copy and paste the snippet above into PowerShell, I'm assuming you have ADFind in the same directory.

This lets us test, it won't make any changes, only tell us about them. If you're happy it's targeting the right stuff remove the "#" character from the two lines starts $OU. That'll commit the change and enable inheritance for all OUs found by Joe's tool.

HTH

Chris
0
 
LVL 1

Author Comment

by:Hal-itosis
ID: 35182791
That’s a thing of beauty right there Chris,

Worked like a champ!

Thanks so much and sorry for posting on so many forums :-)
I was getting desperate.

First time using PowerShell actually, must start using it a bit more/learn it.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 35182818
Don't forget to thank Chris over on Activedir too.....may help if Chris is ever nominated for an MVP award :)
0
 
LVL 1

Author Comment

by:Hal-itosis
ID: 35182937
Done!

Thanks again, you saved me hours of clicks :-)
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Computer account cleanup 90 128
add group policy for windows 10 users 3 45
Okta automated O365 provisioning for new accounts 4 19
AD issue after VM restore 5 12
This article shows how to deploy dynamic backgrounds to computers depending on the aspect ratio of display
This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

860 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question