Solved

Bulk modify users to "Include Inheritable Permissions from This Object's Parent"

Posted on 2014-11-09
3
1,009 Views
Last Modified: 2014-11-10
In our previous environment in SBS 2003, every single user was configured to be a Power User. As a result, the "Include inheritable permissions from the object's parent" tickbox is unticked for most of the users in our organization.

We've recently switched over to Server 2012 R2 + Exchange 2010, and removed the Domain Power Users group membership, making everyone a regular user account.

I'm sure this has been asked lots of times before, but is there a way to bulk modify all of the users and tick the "Include Inheritable Permissions From This Object's Parent" tickbox on a one-time basis? Either in PowerShell, or Batch, or via some kind of supported GUI in Windows? Or some other way?

I want to avoid using third party active directory editing tools, only native Microsoft-supported tools.
0
Comment
Question by:Frosty555
3 Comments
 
LVL 24

Accepted Solution

by:
VB ITS earned 500 total points
ID: 40431906
Here's a PowerShell script you can use which will set it for all user accounts within an OU:
$Users = Get-ADUser -LDAPFilter “(ObjectClass=User)” -SearchBase “OU=Users,OU=Company,DC=DOMAIN,DC=COM"
ForEach($User in $Users)
{
    # Bind users
    $OU = [ADSI](“LDAP://” + $User)
    $SecGroup = $OU.PSBase.ObjectSecurity
 
    if ($SecGroup.get_AreAccessRulesProtected())
    {
        $isProtected = $false ## Allows inheritance
        $preserveInheritance = $true ## Preserves inheritance
        $SecGroup.SetAccessRuleProtection($isProtected, $preserveInheritance)
        $OU.PSBase.CommitChanges()
        Write-Host “$User inheritance has been set”;
    }
    else
    {
        Write-Host “$User inheritance already set”
    }
}

Open in new window

Make sure you fix the first line of the script and replace the bit after the -SearchBase switch with the correct path to the OU containing your user acounts.
0
 
LVL 9

Expert Comment

by:ash007
ID: 40432379
Hi,

Please use Admodify.net tool for setting Bulk users.

Refer:
http://technet.microsoft.com/en-us/library/aa996216%28v=exchg.65%29.aspx


Thanks,
Ash
0
 
LVL 31

Author Closing Comment

by:Frosty555
ID: 40433159
I made some minor modifications to the script, here's the end result:

Import-Module ActiveDirectory

#
# This script finds all AD Users in the specified OU, and ticks the "Inherit permissions from this object's parent" checkbox
#

$users = Get-ADUser -ldapfilter "(objectclass=user)" -searchbase "ou=sbsusers,ou=mybusiness,dc=mycompany,dc=com" | sort name
ForEach($user in $users){

    # Binding the users to DS
    $ou = [ADSI](“LDAP://” + $user)
    $sec = $ou.psbase.objectSecurity

    if ($sec.get_AreAccessRulesProtected())
    {
        $isProtected = $false ## allows inheritance
        $preserveInheritance = $true ## preserver inhreited rules
        $sec.SetAccessRuleProtection($isProtected, $preserveInheritance)
        $ou.psbase.commitchanges()
        Write-Host “FIXED - $user”;
    }


}

Open in new window

0

Featured Post

6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

Join & Write a Comment

Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
To show how to generate a certificate request in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Servers >> Certificates…
In this Micro Tutorial viewers will learn how to use Boot Corrector from Paragon Rescue Kit Free to identify and fix the boot problems of Windows 7/8/2012R2 etc. As an example is used Windows 2012R2 which lost its active partition flag (often happen…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now