enable inheritance on all AD user accounts

Issue:  You need to enable permission inheritance on all AD user accounts or a specific group of accounts.

Background: Enabling inheritance on AD accounts typically required one to check the “include inheritable permissions…” checkbox on the ‘Security Tab > Advanced’ screen in ADUC on every user account one at a time (see checkbox of doom).  That’s a whole lot of clicking!

include inheritable permissions from this object's parent

Solution: PowerShell can be used to enable permissions inheritance on a large group of AD user accounts.
1) Open a PowerShell prompt (Run as administrator) on a Domain Controller. Then perform the following PowerShell commands:
Note: you need to modify the -searchbase to match your AD domain and OU structure that contains your user accounts.
Import-Module ActiveDirectory
 
$users = Get-ADUser -ldapfilter “(objectclass=user)” -searchbase “ou=companyusers,dc=enterpriseit,dc=co”
ForEach($user in $users)
{
    # Binding the users to DS
    $ou = [ADSI](“LDAP://” + $user)
    $sec = $ou.psbase.objectSecurity
 
    if ($sec.get_AreAccessRulesProtected())
    {
        $isProtected = $false ## allows inheritance
        $preserveInheritance = $true ## preserver inhreited rules
        $sec.SetAccessRuleProtection($isProtected, $preserveInheritance)
        $ou.psbase.commitchanges()
        Write-Host “$user is now inherting permissions”;
    }
    else
    {
        Write-Host “$User Inheritable Permission already set”
    }
}

38 thoughts on “enable inheritance on all AD user accounts

    1. Chris Post author

      At times AD permissions will not apply successfully or completely if the user accounts involved do not have inheritance enabled.

      Reply
  1. mikkamous

    Great script! I only wanted to apply this to users in a particular group so I changed it up

    Went from this:
    $users = Get-ADUser -ldapfilter “(objectclass=user)” -searchbase “ou=companyusers,dc=enterpriseit,dc=co”
    to this:
    $users = Get-ADGroupMember -YOURGROUPHERE

    Worked perfectly :)

    Reply
  2. Tom

    Could you tell me how I could provide a specifc list of users in a CSV and have your script run against them?

    Thanks so much!

    Reply
    1. Chris Harris Post author

      Hi Tom, it would be a bit of a project to create the powershell scripting for that and isn’t something I can take on at the moment. If you do work this out please post so that others can benefit as well. Thanks

      Reply
      1. Tom

        $csvfile = Import-Csv -Path “c:\temp\test.csv”

        ForEach($line in $csvfile) {

        Try {
        $user = Get-ADUser $line.username -ErrorAction stop
        } Catch {
        Write-Host “Could not find $($line.username), skipping”
        continue
        }

        # Binding the users to DS

        $ou = [ADSI](“LDAP://” + $user)
        $sec = $ou.psbase.objectSecurity

        if ($sec.AreAccessRulesProtected) {
        $isProtected = $false
        ## allows inheritance
        $preserveInheritance = $true
        ## preserve inherited rules

        $sec.SetAccessRuleProtection($isProtected, $preserveInheritance)
        $ou.psbase.commitchanges()

        Write-Host “$user is now inheriting permissions”;

        } else {

        Write-Host “$User Inheritable Permission already set”

        }
        Get-ADUser $user | Set-ADObject -Clear AdminCount

        }

        CSVFile looks like:
        UserName
        JDoe
        RWhite
        BBlack

        Reply
    1. Chris Harris Post author

      You could test removing the OU portion, for example: “ou=companyusers.”. However I’m not sure if the command will recursively drill into to all the folders and OU’s containing accounts or not. Do let me know your results.

      Reply
  3. mike

    Hi Guys,
    I’m trying to include “inheritable permissions from this object’s” on one user, but I notice that I don’t have that option enabled in my 2012 dc. I have only “disable inheritance”… Maybe I should first enable something?!?!

    Reply
    1. Chris Harris Post author

      Hi Mike, Windows 2012 UI has a different presentation of the information (UI change). If “Disable Inheritance” is not selected, then that means inheritance is “Enabled”. Feel free to post a screenshot for our listeners.

      Reply
      1. mike

        Hi Chris,
        You’r right, I have inheritance enabled for the user but I still have issues. This user account in AD have activesync issues with folder sync (Exchange ActiveSync returned an HTTP 500 response) and resolution for this one is to enable inheritance for the user. It seems is already checked but I still have inheritance issues…

        Reply
        1. Chris Harris Post author

          If that user is a member of ‘protected groups’, like domain admins, print operators, etc, you should remove them for a few days to make sure the inheritance is not reversed. See this article: Exchange inheritance – checkbox of doom

          Also you may want to check the box to check the ‘restore defaults’ button, in rare cases this fixes issues related to mailbox security/inheritance. I’ve never had this cause any negative consequences, but you should evaluate per your environment. Of course with all this advice, make the best technical decision that makes sense for your situation.

          Reply
  4. mike

    If any of you get an error that the “Directory object not found” it is because you might need to use: “CN” in place of “OU”

    Reply
  5. Richard

    Hi Chris,

    I am a little confused how to edit the script to match my infrastructure, specially this line

    “ou=companyusers,dc=enterpriseit,dc=co”

    Please could you guide me on how to find the appropriate entries for my domain.

    Thanks

    Richard

    Reply
    1. Chris Harris Post author

      Hi Richard, in order to find your domain name, right click My Computer and click the Network Identification tab. Take note of the entire domain name. Say your domain name is awesomecompany.local, and your users are in an Organizational Unit called “Awesome Users”, your script line would be: “ou=Awesome Users,dc=awesomecompany,dc=local”
      To see what organization unit your users are in, open AD Users and Computers and the Organization Unit will look like a folder in the folder hierarchy. If you have nested OU’s then your script line may be something like: “ou=Accounting,ou=Portland,dc=awesomecompany,dc=local”. In this example the top OU is Portland and the users are in a Sub-OU called “Accounting”.

      Reply
  6. Julia

    Thank you for posting this straight forward solution. I was having an issue with Computer objects instead of User objects and simply swapping out “User” with “Computer” in the script worked like a charm.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.