Exchange inheritance

We are running an Exchange upgrade project (Exchange 2007 - Exchange 2012), 1000 users in 4 different countries, single domain, single forest.
I need assistance to find out whose account in AD is not inheriting permissions from the parent, so it would be good to find out the permissions of accounts with inheritance enabled vs. inheritance disabled, to work out whether the differences have any impact in our environment. So I guess a PowerShell script can report/output this kind of information?


Thanks.
Asked by Leo.
Hello There (System Administrator) commented:
Use PowerShell: Get-MailboxPermission.
You can export permissions from users to .csv and filter out which permissions aren't inherited.

For example, to filter out all of the SELF permissions and the inherited permissions we can run this command:

```powershell
Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false}
```
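As an added example (not code from the original post), the same filter expanded into an export a practitioner would actually keep. Two details matter in practice: Get-Mailbox returns at most 1000 objects unless `-ResultSize Unlimited` is given, which is exactly the size of this environment, and AccessRights is a collection, so Export-Csv writes its type name instead of the rights unless it is joined into a string first. The output path is an assumption.

```powershell
# Added example: export every explicit (non-inherited) mailbox permission that
# is not the mailbox owner's own SELF entry. Run from the Exchange Management
# Shell. The output path below is an assumption.
$outFile = "C:\Temp\MailboxPermissions-NonInherited.csv"

# Get-Mailbox stops at 1000 results by default; say so explicitly.
# AccessRights is a collection, so it is joined into one string for the CSV.
Get-Mailbox -ResultSize Unlimited |
    Get-MailboxPermission |
    Where-Object {
        $_.User.ToString() -ne "NT AUTHORITY\SELF" -and
        -not $_.IsInherited
    } |
    Select-Object Identity,
                  User,
                  @{Name = "AccessRights"; Expression = { $_.AccessRights -join "," }},
                  Deny,
                  IsInherited |
    Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8

"Exported non-inherited mailbox permissions to $outFile"
```

Note that this reports mailbox ACLs (the Exchange side); the AD object ACL inheritance the question is about is a separate thing and is covered by the Get-ADUser scripts further down.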
Leo (Author) commented:
Thanks. Ideal would be to find out inheritance enabled vs. inheritance disabled for all users.
Sajen Jose commented:
```powershell
Import-Module ActiveDirectory   # Get-ADUser lives in the Active Directory module

$users = Get-ADUser -Filter * -Properties nTSecurityDescriptor

foreach ($user in $users)
{
    # AreAccessRulesProtected is $true when the object's ACL is protected from
    # its parent, i.e. inheritance is DISABLED on that account.
    if ($user.nTSecurityDescriptor.AreAccessRulesProtected)
    {
        Write-Host $user.Name " has inheritance disabled"
    }
    else
    {
        Write-Host $user.Name " has inheritance enabled"
    }
}
```


Leo (Author) commented:
Thanks. Is it a PowerShell script? How do you get the output into a CSV file?
Sajen Jose commented:
Hi Leo,

Yes, it is a PowerShell script. Please find the modified script below, which will give you the CSV output. The output file will be in the folder from which you run the script.

```powershell
Import-Module ActiveDirectory   # Get-ADUser lives in the Active Directory module

$users = Get-ADUser -Filter * -Properties nTSecurityDescriptor

$outputObject = @()
foreach ($user in $users)
{
    $lineObj = New-Object System.Object
    $lineObj | Add-Member -MemberType NoteProperty -Name "UserName" -Value $user.Name
    # AreAccessRulesProtected is $true when inheritance is disabled, so it is
    # negated here to give a column that really means "Inheritance Enabled".
    $lineObj | Add-Member -MemberType NoteProperty -Name "Inheritance Enabled" -Value (-not $user.nTSecurityDescriptor.AreAccessRulesProtected)
    $outputObject += $lineObj
}

$outputObject | Export-Csv -NoTypeInformation -Path "OutputInheritance.csv"
```

Sajen Jose commented:
Note: the output CSV will have Inheritance Enabled as True/False. If you want it to be something else (like Enabled or Disabled), you can add an if condition within the foreach loop and set the value accordingly.
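The question was not only which accounts have inheritance disabled but what their permissions look like compared with normal accounts. The following is an added example (not from the original thread) that produces two CSVs: a per-user summary with the inheritance state, adminCount and ACE counts, and one row per explicit ACE on every account where inheritance is disabled, so those entries can be compared against a normal account's ACL. It is written for the ActiveDirectory module on PowerShell 2.0 or later; the output paths are assumptions.

```powershell
# Added example, not from the original thread: report the inheritance state of
# every user and dump the explicit ACEs of the accounts where inheritance is
# disabled, so the two populations can be compared. Requires the
# ActiveDirectory module; works on PowerShell 2.0 or later. Paths are assumptions.
Import-Module ActiveDirectory

$summaryFile = "C:\Temp\AD-Inheritance-Summary.csv"
$aceFile     = "C:\Temp\AD-Inheritance-ExplicitACEs.csv"

# adminCount is included because accounts with adminCount = 1 (members of
# protected groups) are the ones normally found with inheritance disabled.
$users = Get-ADUser -Filter * -Properties nTSecurityDescriptor, adminCount

$summary = foreach ($u in $users) {
    $sd = $u.nTSecurityDescriptor
    New-Object PSObject -Property @{
        SamAccountName     = $u.SamAccountName
        DistinguishedName  = $u.DistinguishedName
        adminCount         = $u.adminCount
        # AreAccessRulesProtected = $true means the ACL is protected, i.e. inheritance is off.
        InheritanceEnabled = -not $sd.AreAccessRulesProtected
        ExplicitAceCount   = @($sd.Access | Where-Object { -not $_.IsInherited }).Count
        InheritedAceCount  = @($sd.Access | Where-Object { $_.IsInherited }).Count
    }
}

# One row per explicit ACE on each protected account; these are the entries
# that differ from an inheriting account and are the ones worth reviewing.
$protected = $users | Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected }
$explicitAces = foreach ($u in $protected) {
    foreach ($ace in ($u.nTSecurityDescriptor.Access | Where-Object { -not $_.IsInherited })) {
        New-Object PSObject -Property @{
            SamAccountName  = $u.SamAccountName
            Identity        = $ace.IdentityReference.Value
            Rights          = $ace.ActiveDirectoryRights.ToString()
            Type            = $ace.AccessControlType.ToString()
            ObjectType      = $ace.ObjectType.ToString()   # attribute/extended-right GUID; all zeros = whole object
            InheritanceType = $ace.InheritanceType.ToString()
        }
    }
}

# Select-Object fixes the column order, which a hashtable does not preserve on PowerShell 2.0.
$summary |
    Select-Object SamAccountName, DistinguishedName, adminCount, InheritanceEnabled, ExplicitAceCount, InheritedAceCount |
    Export-Csv -Path $summaryFile -NoTypeInformation -Encoding UTF8

# Export-Csv rejects a null input, so only write the ACE file if there is something to write.
if ($explicitAces) {
    $explicitAces |
        Select-Object SamAccountName, Identity, Rights, Type, ObjectType, InheritanceType |
        Export-Csv -Path $aceFile -NoTypeInformation -Encoding UTF8
}

# Quick on-screen tally of enabled vs. disabled.
$summary | Group-Object InheritanceEnabled | Select-Object Name, Count
```

In most domains the accounts that come back with inheritance disabled are the ones with adminCount = 1: the SDProp process stamps the AdminSDHolder ACL onto members of protected groups and turns inheritance off as part of that, which is also why a script that only reports non-inherited entries tends to show admin accounts and nobody else.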
Leo (Author) commented:
@Hello there: your script only outputs admin users, no one else.
@Sajen Jose: your script gives the following error:

The term 'get-aduser' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:20
+ $users = get-aduser <<<<  -filter * -properties ntsecuritydescription
    + CategoryInfo          : ObjectNotFound: (get-aduser:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
Hello There (System Administrator) commented:
Yes, it was an example as I said.
I provided a few links to study. You need to study them.
Sajen Jose commented:
Hey Leo,

You need to have the Active Directory module loaded in PowerShell before executing the script. The Get-ADUser cmdlet is part of the Active Directory module.

Which OS are you running this script on?
Leo (Author) commented:
@Sajen Jose: I fixed the errors; now it's working.
How do I enable inheritance?
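The reply that answered this is not preserved on the page, so the following is an added example (not Sajen Jose's answer) showing how inheritance is re-enabled on one user object with Get-Acl/Set-Acl over the AD: drive that the ActiveDirectory module provides, together with the check a practitioner wants before doing it. The account name is an assumption.

```powershell
# Added example, not from the original thread: re-enable ACL inheritance on a
# single user object and verify it. Requires the ActiveDirectory module, which
# also provides the AD: PSDrive. The account name is an assumption.
Import-Module ActiveDirectory

$sam = "jdoe"   # assumption: the account whose inheritance should be enabled

$user = Get-ADUser -Identity $sam -Properties adminCount, memberOf
$path = "AD:\$($user.DistinguishedName)"
$acl  = Get-Acl -Path $path

if (-not $acl.AreAccessRulesProtected) {
    "$sam already inherits permissions from its parent; nothing to do."
    return
}

# Caveat: adminCount = 1 means the account is, or once was, a member of a
# protected group. SDProp re-applies the AdminSDHolder ACL (with inheritance
# disabled) on such accounts about once an hour, so the change below only
# sticks if the account is no longer in any protected group and adminCount
# has been cleared, e.g. with Set-ADUser -Identity $sam -Clear adminCount.
if ($user.adminCount -eq 1) {
    Write-Warning "$sam has adminCount=1; SDProp will re-protect this ACL unless the account is out of all protected groups and adminCount is cleared."
}

# SetAccessRuleProtection(isProtected, preserveInheritance):
#   $false, $false -> stop protecting the ACL, i.e. allow inheritance again.
#   The second argument only matters when isProtected is $true.
$acl.SetAccessRuleProtection($false, $false)
Set-Acl -Path $path -AclObject $acl

# Read the object back from the directory rather than trusting the local copy.
$check = Get-Acl -Path $path
"Inheritance enabled on $($sam): $(-not $check.AreAccessRulesProtected)"
```

Run it against one account first and re-run the inheritance report an hour or two later; if the flag has flipped back to disabled, SDProp is the reason, not the script.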