2011/02/16

Active Directory - List and Set/Fix AD users not inheriting permissions

updated: 2013/03/29

Inherited permissions are those that are propagated to an object from a parent object. Inherited permissions ease the task of managing permissions and ensure consistency of permissions among all objects within a given container.

If the Allow and Deny permission check boxes in the various parts of the access control user interface are shaded when you view the permissions of an object, the object has inherited permissions from a parent object. You can set these inherited permissions by using the Permissions tab of the Advanced Security Settings properties page.

Check TechNet for more information.

Here is the PowerShell way to check which users are not inheriting permissions and how to enable inheritance for all your users. You will need the Quest Active Directory snap-in.

List Users without Inheriting Permission
# Load the Quest snap-in (once per session)
Add-PSSnapin Quest.ActiveRoles.ADManagement
# This command lists the users that are not inheriting permissions
Get-QADUser -SizeLimit 0 | `
Where-Object {$_.DirectoryEntry.PSBase.ObjectSecurity.AreAccessRulesProtected}


Enabling Inheriting Permission for all Users
# This command enables permission inheritance for every account that has it disabled
Get-QADUser -SizeLimit 0 | `
Where-Object {$_.DirectoryEntry.PSBase.ObjectSecurity.AreAccessRulesProtected} | `
Set-QADObjectSecurity -UnlockInheritance
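
Accounts that belong to protected groups such as Domain Admins have inheritance turned off on purpose by AdminSDHolder/SDProp, which re-applies that setting on its next run, so it is worth narrowing a blanket unlock. The following is an added example, not code from the original post: it reports users with protected ACLs, flags those with adminCount = 1, and dry-runs the fix on the rest. It assumes Microsoft's ActiveDirectory module (RSAT) and PowerShell 3.0 or later instead of the Quest snap-in, and the function names Get-UserInheritanceReport and Enable-UserInheritance are made up for illustration.

```powershell
# Added example: Microsoft ActiveDirectory module (assumption), not the Quest snap-in.
Import-Module ActiveDirectory

# Hypothetical helper: list users whose ACL is protected from inheritance.
function Get-UserInheritanceReport {
    param([string]$SearchBase)   # optional OU distinguished name; whole domain if omitted

    $params = @{
        Filter     = '*'
        Properties = 'nTSecurityDescriptor', 'adminCount'
    }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    Get-ADUser @params |
        Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected } |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName    = $_.SamAccountName
                DistinguishedName = $_.DistinguishedName
                # adminCount = 1 marks accounts stamped by AdminSDHolder/SDProp
                AdminSDHolder     = ($_.adminCount -eq 1)
            }
        }
}

# Hypothetical helper: re-enable inheritance on one object, honouring -WhatIf/-Confirm.
function Enable-UserInheritance {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
        [string]$DistinguishedName
    )
    process {
        $path = "AD:\$DistinguishedName"
        $acl  = Get-Acl -Path $path
        # First argument $false = no longer protected, so inherited ACEs apply again
        $acl.SetAccessRuleProtection($false, $true)
        if ($PSCmdlet.ShouldProcess($DistinguishedName, 'Enable ACL inheritance')) {
            Set-Acl -Path $path -AclObject $acl
        }
    }
}

$report = Get-UserInheritanceReport
$report | Sort-Object AdminSDHolder, SamAccountName | Format-Table -AutoSize

# Dry run on accounts NOT flagged by adminCount; remove -WhatIf to apply
$report | Where-Object { -not $_.AdminSDHolder } | Enable-UserInheritance -WhatIf
```

Accounts that show AdminSDHolder = True are left untouched; review them by hand, since adminCount can remain set after an account leaves a protected group.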
