AD User - Update inheritable permission

  • Question

  • We are currently migrating our users from Exchange 2003 to Exchange 2010. In our Exchange 2003 environment, on the AD user properties > Security tab > Advanced, ‘Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these entries explicitly defined here.’ is unticked.

    I’m looking for a powershell script that will report all users who have this box unchecked and a second script to run through and check on the required users.

    Hopefully this isn't too big a job and someone would be able to help me out?

    Many Thanks

    Thursday, April 3, 2014 5:28 PM

Answers

  • To identify the accounts, try this:

    Get-ADUser -Filter * -Properties ntSecurityDescriptor |
    Where-Object { $_.ntSecurityDescriptor.AreAccessRulesProtected }

    To re-enable permission inheritance, you'd need to call SetAccessRuleProtection($false, $true) on each ntSecurityDescriptor object, and commit the changes back to the directory.  Something like this (though I haven't tested this part):

    Get-ADUser -Filter * -Properties ntSecurityDescriptor |
    Where-Object { $_.ntSecurityDescriptor.AreAccessRulesProtected } |
    ForEach-Object {
        # $false = stop protecting the DACL, i.e. inherit from the parent again;
        # the second argument (preserveInheritance) is ignored when the first is $false
        $_.ntSecurityDescriptor.SetAccessRuleProtection($false, $true)
        # write the modified security descriptor back to the directory object
        $_ | Set-ADUser -Replace @{ntSecurityDescriptor = $_.ntSecurityDescriptor}
    }

    • Marked as answer by MikeTate Friday, April 4, 2014 3:37 PM
    Thursday, April 3, 2014 6:04 PM
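The report-then-fix procedure above, written out as an added example (editor's code, not from the thread): a reporting function that also returns adminCount, and a remediation function with -WhatIf support. The adminCount column matters because the SDProp process re-protects any account with adminCount=1 (roughly every 60 minutes, on the PDC emulator), so re-enabling inheritance on those accounts does not stick, and for members of protected groups it should not be done at all; accounts that were once in a protected group and still carry the flag are the usual cause of the "unticked box" in Exchange migrations. The remediation path uses Get-Acl/Set-Acl over the AD: PSDrive rather than Set-ADUser -Replace; both commit the same descriptor. It assumes the RSAT ActiveDirectory module and an account with rights to write ntSecurityDescriptor on the target users; the function names and the CSV file name are the example's own.

```powershell
# Added example, not from the original thread. Assumes the ActiveDirectory
# module (RSAT) and a session with rights to read and write
# ntSecurityDescriptor on the target user objects.
Import-Module ActiveDirectory

# Step 1: report every user whose DACL is protected (the inheritance box is
# unticked). adminCount is returned because SDProp re-protects accounts
# with adminCount=1; those need the flag cleared / group membership reviewed
# rather than a one-off ACL fix.
function Get-ProtectedAclUser {
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    Get-ADUser -Filter * -SearchBase $SearchBase `
        -Properties ntSecurityDescriptor, adminCount, mail |
        Where-Object { $_.ntSecurityDescriptor.AreAccessRulesProtected } |
        Select-Object SamAccountName, DistinguishedName, mail,
            @{ n = 'AdminCount'; e = { [int]$_.adminCount } }
}

# Step 2: re-enable inheritance on a reviewed set of users.
# SetAccessRuleProtection($false, $true): $false = stop protecting the DACL
# so parent ACEs inherit again; the second argument is ignored when the
# first is $false. Explicit ACEs already on the object are left in place.
function Enable-AclInheritance {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$Identity,
        # Opt in to touching adminCount=1 accounts (normally pointless, see above).
        [switch]$IncludeAdminCount
    )
    process {
        foreach ($id in $Identity) {
            $u = Get-ADUser -Identity $id -Properties ntSecurityDescriptor, adminCount
            if (-not $u.ntSecurityDescriptor.AreAccessRulesProtected) {
                Write-Verbose "$($u.SamAccountName): inheritance already enabled, skipping"
                continue
            }
            if ($u.adminCount -eq 1 -and -not $IncludeAdminCount) {
                Write-Warning "$($u.SamAccountName): adminCount=1, SDProp will re-protect it; skipping"
                continue
            }
            if ($PSCmdlet.ShouldProcess($u.DistinguishedName, 'Enable ACL inheritance')) {
                $path = "AD:\$($u.DistinguishedName)"
                $acl  = Get-Acl -Path $path
                $acl.SetAccessRuleProtection($false, $true)
                Set-Acl -Path $path -AclObject $acl
            }
        }
    }
}

# Usage: export the report, review it, then remediate from the reviewed list.
Get-ProtectedAclUser | Export-Csv -NoTypeInformation .\protected-acl-users.csv

# Dry run first: shows what would be changed without writing anything.
Import-Csv .\protected-acl-users.csv |
    Select-Object -ExpandProperty SamAccountName |
    Enable-AclInheritance -WhatIf

# For real, drop -WhatIf (adminCount=1 accounts are still skipped unless
# -IncludeAdminCount is given):
# Import-Csv .\protected-acl-users.csv |
#     Select-Object -ExpandProperty SamAccountName |
#     Enable-AclInheritance
```

Run the report in a domain with many users with a narrower -SearchBase first; Get-ADUser -Filter * with ntSecurityDescriptor returned for every object is slow and each descriptor is read over LDAP.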

All replies

  • I think DSACLS might do what you need. 

    http://technet.microsoft.com/en-us/library/cc771151.aspx

    Thursday, April 3, 2014 5:35 PM