A Windows System Admin's Blog

Covering Server Administration, Endpoint Management, Scripting and Network Management

Applying inherit rights (inheritable) for permissions to a large number of Active Directory objects

,

I was recently involved in a project to help secure a School’s Active Directory environment.  After sitting down and planning what we wanted to achieve in terms of account security we went to work.  After setting up all of the IT based security groups and assigning and delegating the appropriate rights and permissions we found that somethings wern’t working as they should.  The permissions gave us the rights to do what we needed on the Student user objects but not on the staff.  After taking a quick look we found that the majority of Staff didn’t have their inherit permissions from parent ticked, which prevented the delegation from flowing through to these user objects.

Looking at PowerShell there are Get-ADUser and Set-ADUser which allow us to get and set certain properties on user objects but still didn’t allow us to set inherit rights on objects.  I then happened to stumble upon a management pack of PowerShell scripts from Quest Software which are available from this link. The pack contains some useful scripts which extend on the original Microsoft provided scripts.  The pack also contains a PowerShell cmdlet dealing specifically with Object Security which is what we are after. So I went ahead and downloaded the 64 bit version to one of the domain controllers (after testing it out myself) and worked out we needed to filter for users who didn’t have the inherit permissions enable. The following is a snippet which will list all of the users in your AD environment with inherit permissions disabled (watch the word wrap):

Get-QADUser -SizeLimit 0 | Where-Object {$_.DirectoryEntry.psbase.ObjectSecurity.AreAccessRulesProtected}

If you are after a particular Organizational Unit simply replace -SizeLimit 0 with -SearchRoot ‘Distinguished name of OU’.

Now we are able to find the users, but what about setting the inherit right.  Using the ObjectSecurity cmdlet we can now set the Inheritance flag. So the following is the complete command to run on l (again, watch the word wrap):

Get-QADUser -SearchRoot 'Distinguished Name of OU' | Where-Object {$_.DirectoryEntry.PSBase.ObjectSecurity.AreAccessRulesProtected} | Set-QADObjectSecurity -UnLockInheritance

After running that cmdlet on the offending User Objects, we were then able to successfully do what the security groups allowed us to do. I still need to go back and check out what else the pack from Quest can do as I looked quite interesting so I will be sure to blog about my findings.

One response to “Applying inherit rights (inheritable) for permissions to a large number of Active Directory objects”

  1. microx Avatar
    microx

    Hurrah, that’s what I was looking for, thanks.

    Reply

Leave a Reply

More Posts

Reset the Default Domain and Domain Controller Group Policy Objects to their out of box state

So, I recently inherited a small client with SBS 2011 and their previous IT admin only ever used the Default Domain Policy to apply computer and users settings (such as mapped drives and printers). Microsoft has quite a strong recommendation of best practice for the two policies which goes along the lines of; So I […]

Solving the FIM (Forefront Identity Manager 2010 R2) FIMService start timeout (Portal) and getting it to Start

We were recently making changes to our FIM environment where our Forefront Identity Manager boxes required restarts.  With FIM we’re always making changes in our Development kit before moving into production (which is something everyone should try do).  We quickly found that we couldn’t get back into the FIM portal and taking a quick look […]

Get-MessageTackingLog cmdlet for Exchange 2010 Returns Cannot process argument transformation on parameter ‘Start’. Cannot convert value to type “System.DateTime” because String was not recognized as a valid DateTime.

Recently, I was conducting some investigative work around mail delivery for a client.  PowerShell cmdlets for Exchange are awesome and give us as administrators some real power in trying to figure out what is wrong.  Some things in PowerShell though don’t take into account the regional language settings of the machine you’re working on.  One […]