Solved

Re-instate AD OU Inheritance?

Posted on 2011-03-21
8
982 Views
Last Modified: 2012-06-27
Hi,

In my organization we have more than 1000 OU's in place. Most of the OU's dont have inheritance enabled.
I have the exact same issue as the poster here:
http://www.activedir.org/ListArchives/tabid/55/forumid/1/postid/41475/view/topic/Default.aspx

Could anyone tell me how that person managed to do this?

I have tried to figure out joeware and admod but i cant seem to find a way to do this.

0
Comment
Question by:Hal-itosis
  • 4
  • 3
8 Comments
 
LVL 70

Expert Comment

by:Chris Dent
ID: 35181217
The quoted command is missing a space, that won't help:

adfind -default -f objectcategory=organizationalunit -sc aclnoinherit

Otherwise are you getting an error message? Or just 0 Objects returned?

Chris
0
 
LVL 1

Author Comment

by:Hal-itosis
ID: 35181324
Sorry, maybe I was not clear in explaining.

The command listed works fine (I knew about the space) but that just lists the OU's that need tp have inheritance re-instated.

What command do I use to do this for any OU in the domain that does not have policy inheritance selected?
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 35181441

Just to be clear, are you talking about Group Policy Inheritance? Or ACL inheritance? The two are not the same and how we might deal with each is quite different.

And which version of Windows do we have available to make changes on? That'll impact the tools we can use.

Chris
0
 
LVL 1

Author Comment

by:Hal-itosis
ID: 35182025
Yes, its ACL and not GPO and the Directory is Server 2003 Native. Mix of 2008 R2 and 2003 DC's
0
 
LVL 70

Accepted Solution

by:
Chris Dent earned 500 total points
ID: 35182578
Great, I wanted to make sure.

Personally I'd go for PowerShell to set this back, we're going to have to use some kind of scripting language and it's far less messy than VbScript.

You don't need it installed on the server, although it will be under 2008 R2, I'd run it from your workstation. If you run XP and don't already have it, you can download it here:

http://support.microsoft.com/kb/968930

We may as well stick with adfind for the hard bit, then we'll take what we get from that and have PS change things for us. It's quite easy, honest.
./adfind.exe -default -f objectcategory=organizationalunit -sc aclnoinherit |
  Where-Object { $_ -Match '^dn:' } |
  ForEach-Object {
    $OU = [ADSI]"LDAP://$($_ -Replace '^dn:')"

    Write-Host "Resetting inheritance on $($OU.Get('distinguishedname'))"

    # $OU.PsBase.ObjectSecurity.SetAccessRuleProtection($False, $False)
    # $OU.CommitChanges()
  }

Open in new window

Copy and paste the snippet above into PowerShell, I'm assuming you have ADFind in the same directory.

This lets us test, it won't make any changes, only tell us about them. If you're happy it's targeting the right stuff remove the "#" character from the two lines starts $OU. That'll commit the change and enable inheritance for all OUs found by Joe's tool.

HTH

Chris
0
 
LVL 1

Author Comment

by:Hal-itosis
ID: 35182791
That’s a thing of beauty right there Chris,

Worked like a champ!

Thanks so much and sorry for posting on so many forums :-)
I was getting desperate.

First time using PowerShell actually, must start using it a bit more/learn it.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 35182818
Don't forget to thank Chris over on Activedir too.....may help if Chris is ever nominated for an MVP award :)
0
 
LVL 1

Author Comment

by:Hal-itosis
ID: 35182937
Done!

Thanks again, you saved me hours of clicks :-)
0

Join & Write a Comment

The saying goes a bad carpenter blames his tools. In the Directory Services world a bad system administrator, well, even with the best tools they’re probably not going to become an all star.  However for the system admin who is willing to spend a li…
Companies that have implemented Microsoft’s Active Directory need to ensure that the Active Directory is configured and operating properly. If there are issues found and not resolved, it eventually leads the components to fail or stop working and fi…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now