Issue: You need to enable permission inheritance on all AD user accounts or a specific group of accounts.
Background: Enabling inheritance on AD accounts typically required one to check the “include inheritable permissions…” checkbox on the ‘Security Tab > Advanced’ screen in ADUC on every user account one at a time (see checkbox of doom). That’s a whole lot of clicking!
Solution: PowerShell can be used to enable permissions inheritance on a large group of AD user accounts.
1) Open a PowerShell prompt (Run as administrator) on a Domain Controller. Then perform the following PowerShell commands:
Note: you need to modify the -searchbase to match your AD domain and OU structure that contains your user accounts.
Import-Module ActiveDirectory
$users = Get-ADUser -LDAPFilter "(objectclass=user)" -SearchBase "ou=companyusers,dc=enterpriseit,dc=co"
ForEach ($user in $users)
{
    # Bind to the user object through ADSI (the ADUser object stringifies to its distinguished name)
    $ou = [ADSI]("LDAP://" + $user)
    $sec = $ou.psbase.objectSecurity
    if ($sec.get_AreAccessRulesProtected())
    {
        $isProtected = $false          ## $false = allow inheritance
        $preserveInheritance = $true   ## keep the rules that were previously inherited
        $sec.SetAccessRuleProtection($isProtected, $preserveInheritance)
        $ou.psbase.CommitChanges()
        Write-Host "$user is now inheriting permissions"
    }
    else
    {
        Write-Host "$user Inheritable Permission already set"
    }
}
What is this used for?
At times AD permissions will not apply successfully or completely if the user accounts involved do not have inheritance enabled.
Thanks from JNET 2000’s schema admins!
Great article! Still so relevant in 2021. Thanks for this.
You’re a lifesaver... been trying to figure out why permissions weren’t propagating for 2 days now!
Many thanks! :-)
Thanks!
Thank you sir, it works.
Great script! I only wanted to apply this to users in a particular group so I changed it up
Went from this:
$users = Get-ADUser -LDAPFilter "(objectclass=user)" -SearchBase "ou=companyusers,dc=enterpriseit,dc=co"
to this:
$users = Get-ADGroupMember -Identity "YOURGROUPHERE"   # group members stringify to their DN, so the rest of the script is unchanged
Worked perfectly :)
Thank you.. :-)
Worked perfect!
Could you tell me how I could provide a specific list of users in a CSV and have your script run against them?
Thanks so much!
Hi Tom, it would be a bit of a project to create the powershell scripting for that and isn’t something I can take on at the moment. If you do work this out please post so that others can benefit as well. Thanks
$csvfile = Import-Csv -Path "c:\temp\test.csv"
ForEach ($line in $csvfile) {
    Try {
        # Resolve each UserName column value to an AD user; skip rows that do not resolve
        $user = Get-ADUser $line.username -ErrorAction Stop
    } Catch {
        Write-Host "Could not find $($line.username), skipping"
        continue
    }
    # Bind to the user object through ADSI (the ADUser object stringifies to its distinguished name)
    $ou = [ADSI]("LDAP://" + $user)
    $sec = $ou.psbase.objectSecurity
    if ($sec.AreAccessRulesProtected) {
        $isProtected = $false
        ## $false = allow inheritance
        $preserveInheritance = $true
        ## keep the rules that were previously inherited
        $sec.SetAccessRuleProtection($isProtected, $preserveInheritance)
        $ou.psbase.CommitChanges()
        Write-Host "$user is now inheriting permissions"
    } else {
        Write-Host "$user Inheritable Permission already set"
    }
    # Clear the adminCount attribute that SDProp stamps on members of protected groups
    Get-ADUser $user | Set-ADObject -Clear AdminCount
}
CSVFile looks like:
UserName
JDoe
RWhite
BBlack
Thanks Tom! and nice work, appreciate you sharing your toils with the community!
Thank you Chris! That worked a treat, very useful article.
– and in response to a previous question, the script does indeed recursively drill down into nested OUs.
Also, the “Protected Group” issue is explained in detail here for anyone interested….
https://technet.microsoft.com/en-us/library/2009.09.sdadminholder.aspx#id0250041
Can you do this for the entire domain and not just the one OU
You could test removing the OU portion, for example: "ou=companyusers,". However I’m not sure if the command will recursively drill into all the folders and OUs containing accounts or not. Do let me know your results.
Hi Guys,
I’m trying to include “inheritable permissions from this object’s” on one user, but I notice that I don’t have that option enabled in my 2012 DC. I have only “disable inheritance”… Maybe I should first enable something?!?!
Hi Mike, Windows 2012 UI has a different presentation of the information (UI change). If “Disable Inheritance” is not selected, then that means inheritance is “Enabled”. Feel free to post a screenshot for our listeners.
Hi Chris,
You’re right, I have inheritance enabled for the user but I still have issues. This user account in AD has ActiveSync issues with folder sync (Exchange ActiveSync returned an HTTP 500 response) and the resolution for this one is to enable inheritance for the user. It seems it is already checked but I still have inheritance issues…
If that user is a member of ‘protected groups’, like domain admins, print operators, etc, you should remove them for a few days to make sure the inheritance is not reversed. See this article: Exchange inheritance – checkbox of doom
Also you may want to check the box to check the ‘restore defaults’ button, in rare cases this fixes issues related to mailbox security/inheritance. I’ve never had this cause any negative consequences, but you should evaluate per your environment. Of course with all this advice, make the best technical decision that makes sense for your situation.
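An added example (not the article's script or any commenter's code) that ties the script above to the protected-group caveat: an audit-only report of which accounts under a search base have inheritance blocked and which are stamped adminCount=1, plus a fix routine that honours -WhatIf and skips the adminCount=1 accounts because SDProp will re-apply the AdminSDHolder ACL to them while they remain in a protected group. It assumes the RSAT ActiveDirectory module and a search base you adjust to your own domain.

```powershell
# Added example, not part of the original article. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-InheritanceReport {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $SearchBase)

    # nTSecurityDescriptor is returned as an ActiveDirectorySecurity object,
    # so the inheritance flag can be read without a second ADSI bind.
    # Default SearchScope is Subtree, so nested OUs are included.
    Get-ADUser -Filter * -SearchBase $SearchBase -Properties nTSecurityDescriptor, adminCount |
        ForEach-Object {
            [PSCustomObject]@{
                SamAccountName     = $_.SamAccountName
                DistinguishedName  = $_.DistinguishedName
                InheritanceBlocked = $_.nTSecurityDescriptor.AreAccessRulesProtected
                # adminCount = 1 means SDProp has stamped the AdminSDHolder ACL on this
                # account; enabling inheritance will be reverted (hourly by default)
                # until the account is removed from every protected group.
                AdminCount         = [int]$_.adminCount
            }
        }
}

function Enable-InheritanceSafely {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string] $SearchBase)

    foreach ($row in Get-InheritanceReport -SearchBase $SearchBase) {
        if (-not $row.InheritanceBlocked) { continue }
        if ($row.AdminCount -eq 1) {
            Write-Warning "$($row.SamAccountName): adminCount=1, SDProp would reverse this; skipping"
            continue
        }
        if ($PSCmdlet.ShouldProcess($row.DistinguishedName, 'Enable permission inheritance')) {
            $obj = [ADSI]("LDAP://" + $row.DistinguishedName)
            $sec = $obj.psbase.ObjectSecurity
            $sec.SetAccessRuleProtection($false, $true)   # unprotect, keep inherited rules
            $obj.psbase.CommitChanges()
        }
    }
}

# Usage: review the report first, then dry-run, then apply without -WhatIf.
# Get-InheritanceReport -SearchBase 'ou=companyusers,dc=enterpriseit,dc=co' | Format-Table
# Enable-InheritanceSafely -SearchBase 'ou=companyusers,dc=enterpriseit,dc=co' -WhatIf
```

The report can be piped to Export-Csv to keep a record of which accounts were changed and which were skipped.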
Thank you for this! It did exactly what I needed! Really appreciate it!
Can this also be manipulated for computer accounts?
I haven’t attempted that, if you figure out how, please post how you did it, thanks!
Worked like a charm!! Life-saver, thanks!
Thanks a lot … Saved a lot of time
If any of you get an error that the “Directory object not found” it is because you might need to use: “CN” in place of “OU”
Hi Chris,
I am a little confused how to edit the script to match my infrastructure, specially this line
"ou=companyusers,dc=enterpriseit,dc=co"
Please could you guide me on how to find the appropriate entries for my domain.
Thanks
Richard
Hi Richard, in order to find your domain name, right click My Computer and click the Network Identification tab. Take note of the entire domain name. Say your domain name is awesomecompany.local, and your users are in an Organizational Unit called “Awesome Users”, your script line would be: “ou=Awesome Users,dc=awesomecompany,dc=local”
To see what organization unit your users are in, open AD Users and Computers and the Organization Unit will look like a folder in the folder hierarchy. If you have nested OU’s then your script line may be something like: “ou=Accounting,ou=Portland,dc=awesomecompany,dc=local”. In this example the top OU is Portland and the users are in a Sub-OU called “Accounting”.
Worked like a charm... Thanks a lot
This saved me so much clicking!
Sweet….thanks for posting, saved me lots of clicking. You are the man!
Thanks Brian, appreciate the comment, means a lot!
Thank you for posting this straightforward solution. I was having an issue with Computer objects instead of User objects and simply swapping out “User” with “Computer” in the script worked like a charm.
Very quick and basic. Did exactly what I needed. Thanks for the help.
Thanks Jerry, it’s very rewarding to get comments like yours. Have a great weekend.
Works fine for me!!
Thanks
So useful ! Thank you for this great article