Active Directory & Powershell

  • Question

  • Hi

    I've been using DSACL\get-acl\set-acl to set certain security permissions on AD Security Groups. Is there a PowerShell command to force objects in an OU to only use inherited security from the OU's?

    The problem I have is on a large number of Security Groups certain ones have had other users or groups added into the security. I'm trying to standardise the permissions on these.

    Inheritance is working but it's the bespoke additions I'm trying to get rid of.

    Cheers


    
    Friday, January 16, 2015 2:36 PM

All replies

  • You are posting in the wrong forum. Post in the Directory Services Forum.

    If a user or group is set as manager of a group then their id will be added to the group object's security. If you don't want them to manage the group then remove the group/user from the manager setting. This will also update the security descriptor. The base security on objects should not be altered. Use the Delegation Wizard to check the security but don't change anything.

    If someone has been directly editing the DACL you might have a bigger problem.

    AD security does not work like file security.


    ¯\_(ツ)_/¯

    Friday, January 16, 2015 4:08 PM
  • I wrote a script for this a while back:

    Windows IT Pro: View or Remove Active Directory Delegated Permissions

    It is modeled after the dsrevoke.exe utility which has some limitations (as noted in the article).


    -- Bill Stewart [Bill_Stewart]

    • Proposed as answer by Bill_Stewart Monday, January 19, 2015 3:18 PM
    • Marked as answer by Bill_Stewart Wednesday, March 4, 2015 6:02 PM
    Friday, January 16, 2015 7:41 PM
  • Thanks Bill

    Iain

    Monday, January 19, 2015 9:51 AM
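
An added example, not part of the thread and not the script linked above: a report-only audit of the "bespoke additions" the question describes, listing explicit (non-inherited) ACEs on each group in an OU that a known-good reference group does not carry. It assumes the RSAT ActiveDirectory module; `$SearchBase`, `$ReferenceGroup` and the helper names `Get-ExplicitAce` and `Get-AceKey` are placeholders introduced here.

```powershell
# Added example: report explicit ACEs that differ from a baseline group. Reads only.
Import-Module ActiveDirectory

$SearchBase     = 'OU=Groups,DC=example,DC=com'                    # placeholder OU
$ReferenceGroup = 'CN=Baseline-Group,OU=Groups,DC=example,DC=com'  # placeholder: a group
                                                                   # with untouched security

function Get-ExplicitAce {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # The AD: drive comes with the ActiveDirectory module.
    # IsInherited is $false for ACEs set directly on the object.
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object { -not $_.IsInherited }
}

function Get-AceKey {
    param([Parameter(Mandatory)]$Ace)
    # Flatten the fields that define an ACE into one comparable string.
    '{0}|{1}|{2}|{3}|{4}|{5}' -f $Ace.IdentityReference, $Ace.AccessControlType,
        $Ace.ActiveDirectoryRights, $Ace.ObjectType,
        $Ace.InheritedObjectType, $Ace.InheritanceType
}

# Explicit ACEs on the reference group are treated as the expected base security.
$baseline = New-Object 'System.Collections.Generic.HashSet[string]'
foreach ($ace in Get-ExplicitAce -DistinguishedName $ReferenceGroup) {
    [void]$baseline.Add((Get-AceKey -Ace $ace))
}

$report = foreach ($group in Get-ADGroup -Filter * -SearchBase $SearchBase) {
    foreach ($ace in Get-ExplicitAce -DistinguishedName $group.DistinguishedName) {
        if (-not $baseline.Contains((Get-AceKey -Ace $ace))) {
            [pscustomobject]@{
                Group      = $group.DistinguishedName
                Trustee    = [string]$ace.IdentityReference
                Type       = $ace.AccessControlType
                Rights     = $ace.ActiveDirectoryRights
                ObjectType = $ace.ObjectType   # GUID of the attribute or extended right
            }
        }
    }
}

$report | Sort-Object Group, Trustee | Format-Table -AutoSize
```

The script changes nothing; each reported ACE still needs to be traced to its cause (for example a manager setting, as the first reply notes) before anything is removed.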