set user inherit permissions check box using powershell
Hi All,
How can I set the "include inherit permissions from this object's parent" property in Active Directory user object to a list of users using PowerShell?
This option is not checked for some of my users and I'd like to set it using a PowerShell script.
Thanks
Simon
March 9th, 2011 2:58am
download Quest Active Directory:
Get-QADUser -SizeLimit 0 | ? {$_.DirectoryEntry.ObjectSecurity.AreAccessRulesProtected} | Set-QADObjectSecurity -UnLockInheritance
or
Get-QADUser -SizeLimit 0 | ? {$_.security.PermissionInheritanceLocked} | Set-QADObjectSecurity -UnlockInheritance
or
$user = [ADSI]"LDAP://cn=kazun,ou=test,dc=contoso,dc=com"
$acl = $user.objectSecurity
$isProtected = $false # allows inheritance
$preserveInheritance = $true # preserve inherited rules
$acl.SetAccessRuleProtection($isProtected, $preserveInheritance)
$user.commitchanges()
Proposed as answer by Kazun (MVP), Wednesday, March 09, 2011 1:03 PM
March 9th, 2011 3:51pm
Thanks for that, I'll do what you said.
March 11th, 2011 2:00am
download Quest Active Directory:
Get-QADUser -SizeLimit 0 | ? {$_.DirectoryEntry.ObjectSecurity.AreAccessRulesProtected} | Set-QADObjectSecurity -UnLockInheritance
or
Get-QADUser -SizeLimit 0 | ? {$_.security.PermissionInheritanceLocked} | Set-QADObjectSecurity -UnlockInheritance
or
$user = [ADSI]"LDAP://cn=kazun,ou=test,dc=contoso,dc=com"
$acl = $user.objectSecurity
$isProtected = $false # allows inheritance
$preserveInheritance = $true # preserve inherited rules
$acl.SetAccessRuleProtection($isProtected, $preserveInheritance)
$user.commitchanges()
I had this issue and using both of Kazun's methods worked. A mod should mark this as the answer.
October 25th, 2011 6:12pm
Is there a way to use the AD modules available in PowerShell now?
I guess the QAD is the Quest tools?
April 12th, 2012 4:25pm
This works:
# For specific User:
$user = [adsi]"LDAP://cn=My User,ou=users,ou=MyCorp,dc=com"
$user.psbase.ObjectSecurity.SetAccessRuleProtection($false,$true)
$user.psbase.CommitChanges()
# Or update all users in current domain:
Param($DN = ([ADSI]"").distinguishedName)
Write-Host "Using: $DN"
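$ds = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$DN","(&(objectcategory=user)(objectclass=user))")
$ds.PageSize = 1000 # page the results; without this FindAll() stops at the server size limit (1000 by default)
$users = $ds.FindAll()
foreach ($usr in $users)
{
    $user = $usr.GetDirectoryEntry()
    Write-Host "Processing User: $($user.sAMAccountName)"
    # $false = do not protect the ACL, i.e. inherit permissions from the parent
    $user.psbase.ObjectSecurity.SetAccessRuleProtection($false,$true)
    $user.psbase.CommitChanges()
}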
January 22nd, 2013 11:11pm
Hi,
Please help, how can I apply this script
$user = [adsi]"LDAP://cn=My User,ou=users,ou=MyCorp,dc=com"
$user.psbase.ObjectSecurity.SetAccessRuleProtection($false,$true)
$user.psbase.CommitChanges()
for a number of users in a defined OU?
February 20th, 2014 8:35am
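Added example, not posted by anyone in this thread: the ADSI approach shown above, limited to one OU and its child OUs, changing only accounts whose inheritance is actually disabled and emitting one record per account as a change log. The default OU is a placeholder, and skipping accounts with adminCount=1 is a choice made for this example: those accounts are, or once were, members of protected groups, where AdminSDHolder disables inheritance on purpose.

```powershell
# Added example (not from the thread). The default OU is a placeholder.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase = 'OU=Test,DC=contoso,DC=com',
    [switch]$IncludeAdminCount   # also change accounts that have adminCount=1
)

$filter = '(&(objectCategory=person)(objectClass=user))'
$ds = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$SearchBase", $filter)
$ds.SearchScope = 'Subtree'   # the OU and every child OU
$ds.PageSize    = 1000        # page results, otherwise FindAll() stops at the server limit
$ds.PropertiesToLoad.AddRange([string[]]('sAMAccountName', 'adminCount'))

$results = $ds.FindAll()
try {
    foreach ($r in $results) {
        $user = $r.GetDirectoryEntry()
        $acl  = $user.psbase.ObjectSecurity
        if ($acl.AreAccessRulesProtected) {          # inheritance is currently disabled
            $isAdmin = $r.Properties.Contains('admincount') -and
                       $r.Properties['admincount'][0] -eq 1
            $action  = 'Skipped (adminCount=1)'
            if ($IncludeAdminCount -or -not $isAdmin) {
                $action = 'Not changed (WhatIf or declined)'
                if ($PSCmdlet.ShouldProcess($r.Path, 'Enable permission inheritance')) {
                    # $false = ACL not protected, so parent ACEs are inherited;
                    # the second argument is ignored when the first is $false
                    $acl.SetAccessRuleProtection($false, $true)
                    $user.psbase.CommitChanges()
                    $action = 'Inheritance enabled'
                }
            }
            # One record per account that had inheritance disabled
            [pscustomobject]@{
                SamAccountName = [string]$r.Properties['samaccountname'][0]
                Path           = $r.Path
                Action         = $action
            }
        }
        $user.Dispose()
    }
}
finally {
    $results.Dispose()   # SearchResultCollection holds unmanaged resources
}
```

Saved as a script file, it accepts -WhatIf, which lists the accounts that would be changed without writing anything to the directory.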
download Quest Active Directory:
Get-QADUser -SizeLimit 0 | ? {$_.DirectoryEntry.ObjectSecurity.AreAccessRulesProtected} | Set-QADObjectSecurity -UnLockInheritance
or
Get-QADUser -SizeLimit 0 | ? {$_.security.PermissionInheritanceLocked} | Set-QADObjectSecurity -UnlockInheritance
or
$user = [ADSI]"LDAP://cn=kazun,ou=test,dc=contoso,dc=com"
$acl = $user.objectSecurity
$isProtected = $false # allows inheritance
$preserveInheritance = $true # preserve inherited rules
$acl.SetAccessRuleProtection($isProtected, $preserveInheritance)
$user.commitchanges()
This should not be marked as an answer, as it involves purchasing software from Dell to resolve.
January 30th, 2015 3:08pm
Hi Chris,
Hate to point that out, but ...
- There is no rule against advising the use of commercial products to solve your problems
- Option 3 in that post does not require any external tools.
Cheers,
Fred
January 30th, 2015 3:17pm