set user inherit permissions check box using powershell

Hi All,

How can I set the "include inherit permissions from this object's parent" property in the Active Directory user object for a list of users using PowerShell?

This option is not checked for some of my users and I'd like to set it using a PowerShell script.

 

Thanks

Simon

 

March 9th, 2011 2:58am

download Quest Active Directory:

 Get-QADUser -SizeLimit 0 | ? {$_.DirectoryEntry.ObjectSecurity.AreAccessRulesProtected} | Set-QADObjectSecurity -UnLockInheritance

or 

Get-QADUser -SizeLimit 0 | ? {$_.security.PermissionInheritanceLocked} | Set-QADObjectSecurity -UnlockInheritance

or 

$user = [ADSI]"LDAP://cn=kazun,ou=test,dc=contoso,dc=com"
$acl = $user.objectSecurity

$isProtected = $false  # allows inheritance
$preserveInheritance = $true # preserve inherited rules

$acl.SetAccessRuleProtection($isProtected, $preserveInheritance)
$user.commitchanges()

March 9th, 2011 3:51pm


Thanks for that, I'll do what you said.
March 11th, 2011 2:00am


I had this issue and using both of Kazun's methods worked. A mod should mark this as the answer.
October 25th, 2011 6:12pm

Is there a way to use the AD modules available in PowerShell now?

I guess the QAD is the Quest tools?

April 12th, 2012 4:25pm

This works:

# For specific User:

$user = [adsi]"LDAP://cn=My User,ou=users,ou=MyCorp,dc=com"
$user.psbase.ObjectSecurity.SetAccessRuleProtection($false,$true)
$user.psbase.CommitChanges()


# Or update all users in current domain:

Param($DN = ([ADSI]"").distinguishedName)
Write-Host "Using: $DN"
$ds = new-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$dn","(&(objectcategory=user)(objectclass=user))")
$ds.PageSize = 1000  # page the search; without this only the first 1000 users are returned
$users = $ds.FindAll()
foreach($usr in $users)
{
    $user = $usr.GetDirectoryEntry()
    Write-Host "Processing User: $($user.sAMAccountName)"
    $user.psbase.ObjectSecurity.SetAccessRuleProtection($false,$true)
    $user.psbase.CommitChanges()
}
January 22nd, 2013 11:11pm

Hi,

Please help, how can I apply this script

$user = [adsi]"LDAP://cn=My User,ou=users,ou=MyCorp,dc=com"
$user.psbase.ObjectSecurity.SetAccessRuleProtection($false,$true)
$user.psbase.CommitChanges()

for a number of users in a defined OU?
February 20th, 2014 8:35am
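
Added example, not part of the original thread: the single-user snippet above applied to every user under one OU, changing only objects whose inheritance is actually disabled. The OU DN, the `-Apply` switch and the decision to skip accounts with adminCount=1 (AdminSDHolder-protected accounts keep inheritance off by design) are assumptions of this example.

```powershell
# Added example (not from the thread). The default OU is a constructed placeholder.
param(
    [string]$SearchBase = 'OU=test,DC=contoso,DC=com',  # assumed OU; replace with your own
    [switch]$Apply                                       # without -Apply the script only reports
)

$root   = [ADSI]"LDAP://$SearchBase"
$filter = '(&(objectCategory=person)(objectClass=user))'
$ds = New-Object System.DirectoryServices.DirectorySearcher($root, $filter)
$ds.SearchScope = 'Subtree'   # the OU and everything below it
$ds.PageSize    = 1000        # page results; otherwise only the first 1000 come back
[void]$ds.PropertiesToLoad.Add('distinguishedName')
[void]$ds.PropertiesToLoad.Add('adminCount')

$results = $ds.FindAll()
try {
    foreach ($r in $results) {
        $dn = [string]$r.Properties['distinguishedname'][0]

        # adminCount=1 marks accounts handled by AdminSDHolder/SDProp: inheritance is
        # disabled on purpose and any change is reverted, so leave them alone.
        $adminCount = $r.Properties['admincount']
        if ($adminCount.Count -gt 0 -and $adminCount[0] -eq 1) {
            Write-Host "Skipped (adminCount=1): $dn"
            continue
        }

        $user = $r.GetDirectoryEntry()
        # Read and write only the DACL, not owner/group, so the commit needs fewer rights.
        $user.psbase.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Dacl
        $acl = $user.psbase.ObjectSecurity

        if ($acl.AreAccessRulesProtected) {          # inheritance currently disabled
            if ($Apply) {
                $acl.SetAccessRuleProtection($false, $true)
                $user.psbase.CommitChanges()
                Write-Host "Inheritance enabled: $dn"
            } else {
                Write-Host "Would enable inheritance: $dn"
            }
        }
        $user.psbase.Dispose()
    }
} finally {
    $results.Dispose()   # SearchResultCollection holds unmanaged resources
}
```

Run it once without `-Apply` and review the list before committing the change.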


download Quest Active Directory:

 Get-QADUser -SizeLimit 0 | ? {$_.DirectoryEntry.ObjectSecurity.AreAccessRulesProtected} | Set-QADObjectSecurity -UnLockInheritance

or 

Get-QADUser -SizeLimit 0 | ? {$_.security.PermissionInheritanceLocked} | Set-QADObjectSecurity -UnlockInheritance

or 

$user = [ADSI]"LDAP://cn=kazun,ou=test,dc=contoso,dc=com"
$acl = $user.objectSecurity

$isProtected = $false  # allows inheritance
$preserveInheritance = $true # preserve inherited rules

$acl.SetAccessRuleProtection($isProtected, $preserveInheritance)
$user.commitchanges()


This should not be marked as an answer as it involves purchasing software from Dell to resolve.
January 30th, 2015 3:08pm

Hi Chris,

hate to point that out, but ...

  • There is no rule against advising the use of commercial products to solve your problems
  • Option 3 in that post does not require any external tools.

Cheers,
Fred

January 30th, 2015 3:17pm
