Avatar of Frosty555
Frosty555
Flag for Canada asked on

Bulk modify users to "Include Inheritable Permissions from This Object's Parent"

In our previous environment in SBS 2003, every single user was configured to be a Power User. As a result, the "Include inheritable permissions from the object's parent" tickbox is unticked for most of the users in our organization.

We've recently switched over to Server 2012 R2 + Exchange 2010, and removed the Domain Power Users group membership, making everyone a regular user account.

I'm sure this has been asked lots of times before, but is there a way to bulk modify all of the users and tick the "Include Inheritable Permissions From This Object's Parent" tickbox on a one-time basis? Either in PowerShell, or Batch, or via some kind of supported GUI in Windows? Or some other way?

I want to avoid using third party active directory editing tools, only native Microsoft-supported tools.
Active DirectoryExchangeWindows Server 2012

Avatar of undefined
Last Comment
Frosty555

8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
VB ITS

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
ash007

Hi,

Please use Admodify.net tool for setting Bulk users.

Refer:
http://technet.microsoft.com/en-us/library/aa996216%28v=exchg.65%29.aspx 


Thanks,
Ash
Frosty555

ASKER
I made some minor modifications to the script, here's the end result:

Import-Module ActiveDirectory

#
# This script finds all AD Users in the specified OU, and ticks the "Inherit permissions from this object's parent" checkbox
#

$users = Get-ADUser -ldapfilter "(objectclass=user)" -searchbase "ou=sbsusers,ou=mybusiness,dc=mycompany,dc=com" | sort name
ForEach($user in $users){

    # Binding the users to DS
    $ou = [ADSI](“LDAP://” + $user)
    $sec = $ou.psbase.objectSecurity

    if ($sec.get_AreAccessRulesProtected())
    {
        $isProtected = $false ## allows inheritance
        $preserveInheritance = $true ## preserver inhreited rules
        $sec.SetAccessRuleProtection($isProtected, $preserveInheritance)
        $ou.psbase.commitchanges()
        Write-Host “FIXED - $user”;
    }


}

Open in new window

Your help has saved me hundreds of hours of internet surfing.
fblack61