Issue: You need to enable permission inheritance on all AD user accounts or a specific group of accounts.
Background: Enabling inheritance on AD accounts typically required checking the “Include inheritable permissions…” checkbox on the ‘Security Tab > Advanced’ screen in ADUC for every user account, one at a time (see checkbox of doom). That’s a whole lot of clicking!
Solution: PowerShell can enable permission inheritance on a large group of AD user accounts in one pass, skipping accounts that already inherit.
1) Open a PowerShell prompt (Run as administrator) on a Domain Controller. Then perform the following PowerShell commands:
Note: you need to modify the -searchbase to match your AD domain and OU structure that contains your user accounts.
$users = Get-ADUser -LDAPFilter "(objectClass=user)" -SearchBase "ou=companyusers,dc=enterpriseit,dc=co"
ForEach ($user in $users) {
    # Bind to the user object through ADSI so we can read and write its security descriptor
    $ou = [ADSI]("LDAP://" + $user.DistinguishedName)
    $sec = $ou.psbase.ObjectSecurity
    if ($sec.AreAccessRulesProtected) {
        $isProtected = $false         ## $false = allow inheritance from the parent OU
        $preserveInheritance = $true  ## keep the previously inherited ACEs as explicit rules
        $sec.SetAccessRuleProtection($isProtected, $preserveInheritance)
        $ou.psbase.CommitChanges()
        Write-Host "$user is now inheriting permissions"
    } else {
        Write-Host "$user Inheritable Permission already set"
    }
}
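A report-only check to run before the script above, added here as an example and not part of the original post: it lists which accounts under the search base currently block inheritance, and flags those with adminCount=1, which SDProp re-protects from AdminSDHolder on its periodic run, so the script's change on them is undone. The search base value is a placeholder for your own OU.

```powershell
# Added example (not from the original post): report-only audit of inheritance state.
# Assumes the ActiveDirectory module (RSAT) is installed and the caller can read nTSecurityDescriptor.
Import-Module ActiveDirectory

function Get-InheritanceReport {
    param(
        [Parameter(Mandatory)] [string] $SearchBase
    )
    # nTSecurityDescriptor is returned as an ActiveDirectorySecurity object, so
    # AreAccessRulesProtected tells us whether inheritance is blocked on that account.
    Get-ADUser -LDAPFilter '(objectClass=user)' -SearchBase $SearchBase `
               -Properties nTSecurityDescriptor, adminCount |
        ForEach-Object {
            [PSCustomObject]@{
                SamAccountName       = $_.SamAccountName
                DistinguishedName    = $_.DistinguishedName
                InheritanceBlocked   = $_.nTSecurityDescriptor.AreAccessRulesProtected
                AdminSDHolderManaged = ($_.adminCount -eq 1)   # SDProp will re-block these
            }
        }
}

# Placeholder search base: replace with the OU that holds your user accounts
$report = Get-InheritanceReport -SearchBase 'OU=companyusers,DC=enterpriseit,DC=co'

# Accounts the bulk script will actually fix (blocked, and not managed by AdminSDHolder)
$report | Where-Object { $_.InheritanceBlocked -and -not $_.AdminSDHolderManaged } | Format-Table -AutoSize

# Accounts where inheritance is blocked by design; changing them is reverted by SDProp
$report | Where-Object { $_.AdminSDHolderManaged } | Format-Table -AutoSize
```

Run it once before and once after the bulk script: the first table should be empty afterwards, while the second stays unchanged.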