Bulk modify users to "Include Inheritable Permissions from This Object's Parent"

In our previous environment in SBS 2003, every single user was configured to be a Power User. As a result, the "Include inheritable permissions from the object's parent" tickbox is unticked for most of the users in our organization.

We've recently switched over to Server 2012 R2 + Exchange 2010, and removed the Domain Power Users group membership, making everyone a regular user account.

I'm sure this has been asked lots of times before, but is there a way to bulk modify all of the users and tick the "Include Inheritable Permissions From This Object's Parent" tickbox on a one-time basis? Either in PowerShell, or Batch, or via some kind of supported GUI in Windows? Or some other way?

I want to avoid using third party active directory editing tools, only native Microsoft-supported tools.
Frosty555 Asked:

VB ITS (Specialist Consultant) Commented:
Here's a PowerShell script you can use which will set it for all user accounts within an OU:
Import-Module ActiveDirectory

$Users = Get-ADUser -LDAPFilter "(ObjectClass=User)" -SearchBase "OU=Users,OU=Company,DC=DOMAIN,DC=COM"
ForEach($User in $Users)
{
    # Bind to the user object through ADSI and read its security descriptor
    $OU = [ADSI]("LDAP://" + $User.DistinguishedName)
    $SecGroup = $OU.PSBase.ObjectSecurity

    # True means inheritance is blocked (the tickbox is unticked)
    if ($SecGroup.get_AreAccessRulesProtected())
    {
        $isProtected = $false ## Allows inheritance
        $preserveInheritance = $true ## Ignored when $isProtected is $false
        $SecGroup.SetAccessRuleProtection($isProtected, $preserveInheritance)
        $OU.PSBase.CommitChanges()
        Write-Host "$User inheritance has been set"
    }
    else
    {
        Write-Host "$User inheritance already set"
    }
}


Make sure you fix the first line of the script and replace the bit after the -SearchBase switch with the correct path to the OU containing your user accounts.
0
ash007 Commented:
Hi,

Please use Admodify.net tool for setting Bulk users.

Refer:
http://technet.microsoft.com/en-us/library/aa996216%28v=exchg.65%29.aspx 


Thanks,
Ash
0
Frosty555 (Author) Commented:
I made some minor modifications to the script, here's the end result:

Import-Module ActiveDirectory

#
# This script finds all AD Users in the specified OU, and ticks the "Inherit permissions from this object's parent" checkbox
#

$users = Get-ADUser -LDAPFilter "(objectclass=user)" -SearchBase "ou=sbsusers,ou=mybusiness,dc=mycompany,dc=com" | Sort-Object Name
ForEach($user in $users){

    # Binding the users to DS
    $ou = [ADSI]("LDAP://" + $user.DistinguishedName)
    $sec = $ou.psbase.objectSecurity

    # True means inheritance is blocked (the tickbox is unticked)
    if ($sec.get_AreAccessRulesProtected())
    {
        $isProtected = $false ## allows inheritance
        $preserveInheritance = $true ## ignored when $isProtected is $false
        $sec.SetAccessRuleProtection($isProtected, $preserveInheritance)
        $ou.psbase.commitchanges()
        Write-Host "FIXED - $user"
    }

}


0
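A more defensive variant of the scripts in this thread, as an added example that is not part of the original posts: it supports a `-WhatIf` dry run, skips accounts with `adminCount=1` (AdminSDHolder/SDProp would re-protect their ACLs, so the change would not persist), and returns a per-user report. The function name `Enable-UserAclInheritance`, the OU path and the CSV file name are assumptions.

```powershell
# Added example, not from the original thread. OU path and file name are placeholders.
Import-Module ActiveDirectory

function Enable-UserAclInheritance {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$SearchBase
    )

    # adminCount is requested so protected (privileged) accounts can be told apart.
    $users = Get-ADUser -Filter * -SearchBase $SearchBase -Properties adminCount |
        Sort-Object Name

    foreach ($user in $users) {
        $entry = [ADSI]("LDAP://" + $user.DistinguishedName)
        $sec   = $entry.PSBase.ObjectSecurity

        if (-not $sec.AreAccessRulesProtected) {
            $status = 'AlreadyInherited'
        }
        elseif ($user.adminCount -eq 1) {
            # SDProp re-applies the AdminSDHolder ACL to these accounts,
            # so they are reported for manual review instead of changed.
            $status = 'SkippedAdminCount'
        }
        elseif ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Enable ACL inheritance')) {
            # First argument $false = ACL is not protected (inherit from parent).
            # Second argument is ignored when the first is $false.
            $sec.SetAccessRuleProtection($false, $true)
            $entry.PSBase.CommitChanges()
            $status = 'Fixed'
        }
        else {
            $status = 'WouldFix'   # -WhatIf was given or the prompt was declined
        }

        [pscustomobject]@{
            Name              = $user.Name
            DistinguishedName = $user.DistinguishedName
            Status            = $status
        }
    }
}

# Dry run first: reports what would change without writing to the directory.
Enable-UserAclInheritance -SearchBase 'OU=Users,OU=Company,DC=DOMAIN,DC=COM' -WhatIf |
    Export-Csv -Path .\inheritance-report.csv -NoTypeInformation
```

Review the rows marked `SkippedAdminCount` before rerunning without `-WhatIf`; an account that has left a protected group can still carry a stale `adminCount` value.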