  • Status: Solved
  • Priority: Medium
  • Security: Public

Bulk modify users to "Include Inheritable Permissions from This Object's Parent"

In our previous environment in SBS 2003, every single user was configured to be a Power User. As a result, the "Include inheritable permissions from the object's parent" tickbox is unticked for most of the users in our organization.

We've recently switched over to Server 2012 R2 + Exchange 2010, and removed the Domain Power Users group membership, making everyone a regular user account.

I'm sure this has been asked lots of times before, but is there a way to bulk modify all of the users and tick the "Include Inheritable Permissions From This Object's Parent" tickbox on a one-time basis? Either in PowerShell, or Batch, or via some kind of supported GUI in Windows? Or some other way?

I want to avoid using third-party Active Directory editing tools and use only native Microsoft-supported tools.
1 Solution
VB ITS (Specialist Consultant) commented:
Here's a PowerShell script you can use which will set it for all user accounts within an OU:
Import-Module ActiveDirectory

$Users = Get-ADUser -LDAPFilter "(ObjectClass=User)" -SearchBase "OU=Users,OU=Company,DC=DOMAIN,DC=COM"
ForEach ($User in $Users) {
    # Bind to the user object through ADSI
    $OU = [ADSI]("LDAP://" + $User.DistinguishedName)
    $SecGroup = $OU.PSBase.ObjectSecurity
    if ($SecGroup.get_AreAccessRulesProtected()) {
        $isProtected = $false ## Allows inheritance
        $preserveInheritance = $true ## Ignored when $isProtected is $false
        $SecGroup.SetAccessRuleProtection($isProtected, $preserveInheritance)
        $OU.PSBase.CommitChanges() ## Write the modified ACL back to the directory
        Write-Host "$User inheritance has been set"
    }
    else {
        Write-Host "$User inheritance already set"
    }
}

Make sure you fix the first line of the script and replace the bit after the -SearchBase switch with the correct path to the OU containing your user accounts.

Please use Admodify.net tool for setting Bulk users.


Frosty555 (Author) commented:
I made some minor modifications to the script, here's the end result:

Import-Module ActiveDirectory

# This script finds all AD Users in the specified OU, and ticks the "Inherit permissions from this object's parent" checkbox

$users = Get-ADUser -LDAPFilter "(objectclass=user)" -SearchBase "ou=sbsusers,ou=mybusiness,dc=mycompany,dc=com" | Sort-Object Name
ForEach ($user in $users) {

    # Binding the users to DS
    $ou = [ADSI]("LDAP://" + $user.DistinguishedName)
    $sec = $ou.psbase.ObjectSecurity

    if ($sec.get_AreAccessRulesProtected()) {
        $isProtected = $false ## allows inheritance
        $preserveInheritance = $true ## preserve inherited rules (ignored when $isProtected is $false)
        $sec.SetAccessRuleProtection($isProtected, $preserveInheritance)
        $ou.psbase.CommitChanges() ## write the modified ACL back to the directory
        Write-Host "FIXED - $user"
    }
}

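An added example, not part of either post above: the same change wrapped in a function that supports -WhatIf, so the affected accounts can be reviewed before any ACL is modified, and that writes a CSV record of what was touched. The function name Repair-UserAclInheritance, the ReportPath parameter and the sample OU path are assumptions. The adminCount column is included because an account that is still a member of an AdminSDHolder-protected group will have inheritance disabled again by the SDProp process.

```powershell
Import-Module ActiveDirectory

function Repair-UserAclInheritance {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$SearchBase,
        [string]$ReportPath = ".\acl-inheritance-report.csv"   # hypothetical default
    )

    # Fetch the security descriptor and adminCount in one query, then keep
    # only the accounts whose ACL is protected (inheritance box unticked).
    $blocked = Get-ADUser -Filter * -SearchBase $SearchBase `
                   -Properties nTSecurityDescriptor, adminCount |
        Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected } |
        Sort-Object Name

    $report = foreach ($user in $blocked) {
        $action = 'NotChanged'
        # ShouldProcess returns $false under -WhatIf, so nothing is written.
        if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Enable ACL inheritance')) {
            $entry = [ADSI]("LDAP://" + $user.DistinguishedName)
            # $false = not protected (inherit); second argument is ignored here.
            $entry.PSBase.ObjectSecurity.SetAccessRuleProtection($false, $true)
            $entry.PSBase.CommitChanges()
            $action = 'Fixed'
        }
        [pscustomobject]@{
            Name              = $user.Name
            DistinguishedName = $user.DistinguishedName
            AdminCount        = $user.adminCount   # 1 = stamped by AdminSDHolder
            Action            = $action
        }
    }

    # Always write the report, even during a -WhatIf run.
    $report | Export-Csv -Path $ReportPath -NoTypeInformation -WhatIf:$false
    $report
}

# Dry run: lists the accounts that would change, modifies nothing.
Repair-UserAclInheritance -SearchBase "OU=Users,OU=Company,DC=DOMAIN,DC=COM" -WhatIf

# Real run, once the dry-run report has been reviewed:
# Repair-UserAclInheritance -SearchBase "OU=Users,OU=Company,DC=DOMAIN,DC=COM"
```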

