Solved

Bulk modify users to "Include Inheritable Permissions from This Object's Parent"

Posted on 2014-11-09
3
1,270 Views
Last Modified: 2014-11-10
In our previous environment in SBS 2003, every single user was configured to be a Power User. As a result, the "Include inheritable permissions from the object's parent" tickbox is unticked for most of the users in our organization.

We've recently switched over to Server 2012 R2 + Exchange 2010, and removed the Domain Power Users group membership, making everyone a regular user account.

I'm sure this has been asked lots of times before, but is there a way to bulk modify all of the users and tick the "Include Inheritable Permissions From This Object's Parent" tickbox on a one-time basis? Either in PowerShell, or Batch, or via some kind of supported GUI in Windows? Or some other way?

I want to avoid using third party active directory editing tools, only native Microsoft-supported tools.
0
Comment
Question by:Frosty555
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 24

Accepted Solution

by:
VB ITS earned 500 total points
ID: 40431906
Here's a PowerShell script you can use which will set it for all user accounts within an OU:
$Users = Get-ADUser -LDAPFilter “(ObjectClass=User)” -SearchBase “OU=Users,OU=Company,DC=DOMAIN,DC=COM"
ForEach($User in $Users)
{
    # Bind users
    $OU = [ADSI](“LDAP://” + $User)
    $SecGroup = $OU.PSBase.ObjectSecurity
 
    if ($SecGroup.get_AreAccessRulesProtected())
    {
        $isProtected = $false ## Allows inheritance
        $preserveInheritance = $true ## Preserves inheritance
        $SecGroup.SetAccessRuleProtection($isProtected, $preserveInheritance)
        $OU.PSBase.CommitChanges()
        Write-Host “$User inheritance has been set”;
    }
    else
    {
        Write-Host “$User inheritance already set”
    }
}

Open in new window

Make sure you fix the first line of the script and replace the bit after the -SearchBase switch with the correct path to the OU containing your user acounts.
0
 
LVL 9

Expert Comment

by:ash007
ID: 40432379
Hi,

Please use Admodify.net tool for setting Bulk users.

Refer:
http://technet.microsoft.com/en-us/library/aa996216%28v=exchg.65%29.aspx 


Thanks,
Ash
0
 
LVL 31

Author Closing Comment

by:Frosty555
ID: 40433159
I made some minor modifications to the script, here's the end result:

Import-Module ActiveDirectory

#
# This script finds all AD Users in the specified OU, and ticks the "Inherit permissions from this object's parent" checkbox
#

$users = Get-ADUser -ldapfilter "(objectclass=user)" -searchbase "ou=sbsusers,ou=mybusiness,dc=mycompany,dc=com" | sort name
ForEach($user in $users){

    # Binding the users to DS
    $ou = [ADSI](“LDAP://” + $user)
    $sec = $ou.psbase.objectSecurity

    if ($sec.get_AreAccessRulesProtected())
    {
        $isProtected = $false ## allows inheritance
        $preserveInheritance = $true ## preserver inhreited rules
        $sec.SetAccessRuleProtection($isProtected, $preserveInheritance)
        $ou.psbase.commitchanges()
        Write-Host “FIXED - $user”;
    }


}

Open in new window

0

Featured Post

Online Training Solution

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action. Forget about retraining and skyrocket knowledge retention rates.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The following article is comprised of the pearls we have garnered deploying virtualization solutions since Virtual Server 2005 and subsequent 2008 RTM+ Hyper-V in standalone and clustered environments.
A hard and fast method for reducing Active Directory Administrators members.
This tutorial will walk an individual through the process of installing of Data Protection Manager on a server running Windows Server 2012 R2, including the prerequisites. Microsoft .Net 3.5 is required. To install this feature, go to Server Manager…
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…

635 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question