I was recently involved in a project to help secure a school's Active Directory environment. After sitting down and planning what we wanted to achieve in terms of account security, we went to work. After setting up all of the IT security groups and delegating the appropriate rights and permissions, we found that some things weren't working as they should. The delegation gave us the rights we needed on the Student user objects but not on the Staff ones. A quick look showed that the majority of Staff user objects did not have "Include inheritable permissions from this object's parent" ticked, which blocked the delegated ACEs from flowing down from the OU to those user objects.
Looking at PowerShell, Get-ADUser and Set-ADUser allow us to get and set attributes on user objects, but they do not expose the object's security descriptor, so they cannot switch inheritance back on. I then happened to stumble upon a management pack of PowerShell scripts from Quest Software, available from this link. The pack contains some useful scripts which extend the Microsoft-provided cmdlets, including a cmdlet dealing specifically with object security, which is exactly what we were after. So I went ahead and downloaded the 64-bit version to one of the domain controllers (after testing it out myself) and worked out that we needed to filter for users who did not have inheritance enabled. The following snippet lists all of the users in your AD environment with inheritance disabled (watch the word wrap):
Get-QADUser -SizeLimit 0 | Where-Object {$_.DirectoryEntry.psbase.ObjectSecurity.AreAccessRulesProtected}
If you are after a particular Organizational Unit, add -SearchRoot 'Distinguished name of OU' and keep -SizeLimit 0 as well, since Get-QADUser otherwise caps the result set at its default size limit and you may silently miss users.
Now we are able to find the users, but what about setting the inheritance flag? Using the Set-QADObjectSecurity cmdlet from the Quest pack we can unlock inheritance on each object that comes down the pipeline. So the following is the complete command to run against the OU (again, watch the word wrap):
get-QADUser -SearchRoot 'Distinguished Name of OU' | Where-Object {$_.DirectoryEntry.PSBase.ObjectSecurity.AreAccessRulesProtected} | Set-QADObjectSecurity -UnLockInheritance
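Two things a practitioner will want before running that one-liner against a whole OU: a dry run, and a check for accounts that are blocked on purpose. Accounts that are (or once were) members of a protected group such as Domain Admins carry adminCount=1, and the AdminSDHolder/SDProp process re-applies a non-inheriting ACL to them roughly every hour, so unlocking inheritance on those will simply be undone. The script below is an added example, not code from the original post or from the Quest pack; it performs the same audit and fix using only the Microsoft ActiveDirectory module's AD: drive (for environments without the Quest cmdlets), supports -WhatIf, and skips adminCount=1 objects with a warning. The OU distinguished name is a placeholder, and it assumes the ActiveDirectory module is installed and the caller holds WRITE_DAC on the target objects.

```powershell
# Added example (not from the original post): audit user objects whose ACL
# inheritance is blocked and re-enable it with the Microsoft ActiveDirectory
# module, via the AD: PSDrive it registers. Assumptions: ActiveDirectory module
# (RSAT) is installed; the caller has WRITE_DAC on the targets; the OU below is
# a placeholder to replace with your own.
Import-Module ActiveDirectory

$SearchBase = 'OU=Staff,DC=example,DC=local'   # assumption: replace with your OU

function Get-UserWithBlockedInheritance {
    param([Parameter(Mandatory)][string]$SearchBase)
    # adminCount is requested so callers can see which objects SDProp manages.
    Get-ADUser -Filter * -SearchBase $SearchBase -Properties adminCount |
        ForEach-Object {
            $acl = Get-Acl -Path ("AD:\" + $_.DistinguishedName)
            # AreAccessRulesProtected is the same flag the Quest one-liner tests.
            if ($acl.AreAccessRulesProtected) {
                [pscustomobject]@{
                    SamAccountName    = $_.SamAccountName
                    DistinguishedName = $_.DistinguishedName
                    AdminCount        = $_.adminCount
                }
            }
        }
}

function Enable-UserInheritance {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$DistinguishedName,
        [Parameter(ValueFromPipelineByPropertyName)][int]$AdminCount
    )
    process {
        if ($AdminCount -eq 1) {
            # Protected (or formerly protected) account: SDProp will re-apply the
            # AdminSDHolder ACL, so unlocking inheritance here would not stick.
            Write-Warning "$DistinguishedName has adminCount=1 (AdminSDHolder-managed); skipping. Clear adminCount and review group membership first if this is not an admin account."
            return
        }
        $path = "AD:\$DistinguishedName"
        $acl  = Get-Acl -Path $path
        # isProtected=$false re-enables inheritance; preserveInheritance=$true keeps
        # the object's existing explicit ACEs instead of wiping them.
        $acl.SetAccessRuleProtection($false, $true)
        if ($PSCmdlet.ShouldProcess($DistinguishedName, 'Re-enable ACL inheritance')) {
            Set-Acl -Path $path -AclObject $acl
        }
    }
}

# Usage: review the list first, then drop -WhatIf to apply the change.
$blocked = Get-UserWithBlockedInheritance -SearchBase $SearchBase
$blocked | Format-Table SamAccountName, AdminCount -AutoSize
$blocked | Enable-UserInheritance -WhatIf
```

Note that re-enabling inheritance does not remove the explicit ACEs that were copied onto the object when inheritance was originally blocked; those stay as explicit entries and are worth reviewing separately, since they may grant rights the OU-level delegation never intended.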
After running that cmdlet on the offending user objects, we were able to do what the security groups' delegation allowed us to do. I still need to go back and check out what else the pack from Quest can do, as it looked quite interesting, so I will be sure to blog about my findings.
Hurrah, that’s what I was looking for, thanks.