(2005-11-16) Script To Set Or Clear The Inheritance Flag On AD Objects
Posted by Jorge on 2005-11-16
I have seen several questions regarding setting the inheritance flag on AD objects. Possible reasons were:
* Inheritance was disabled on sub OUs for some reason
* Inheritance was disabled on CUSTOM users or groups that previously were members of the default AD protected groups (the adminSDHolder/SDProp mechanism sets the "protected" flag and adminCount=1 on members of those groups, and it never undoes either when the object is removed from the group)
I found the script below on the internet after googling for some time. I found it at: http://www.codecomments.com/archive299-2004-10-298672.html
A copy of the script can be found below. That script can be modified to use an input file with all the objects that need inheritance enabled again.
In the second case (the adminSDholder case) first query AD for all groups and users that have adminCount = 1.
For that you can use Joe’s ADFIND tool (http://www.joeware.net/win/free/tools/adfind.htm)
ADFIND -default -f "(&(|(&(objectCategory=person)(objectClass=user))(objectCategory=group))(adminCount=1))" -dn
From the result, filter out all default protected users and groups AND any custom users or groups that are still (directly or nested) members of the protected groups; those are still legitimately protected and SDProp will keep re-stamping them.
Review what is left, put that into the input file and use the script below (first read the quoted explanation!) to enable inheritance again.
You can use the same input file to reset the adminCount attribute to 0 or to <not set>. You could simply pipe ADFIND into ADMOD (also from Joeware – http://www.joeware.net/win/free/tools/admod.htm) and set adminCount=0 on every object that currently has adminCount=1. However, you DON'T want to do that: some of those objects carry the attribute because they are currently protected by the adminSDHolder object. Although SDProp would reset it back to 1 on those, you would still be changing what should NOT be changed. Because you have a custom list of objects to change, you should use a script (e.g. VBS) that works from that list.
Maybe if we all ask real hard, Joe will modify ADMOD to accept an input file with DNs of objects to modify… ;-))
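The whole procedure above (query for adminCount=1, drop the default protected principals and everything still nested in them, review, then apply from an input file) as one PowerShell script using System.DirectoryServices. This is an added example, not code from the original post or from Joeware. The input-file path, the -Apply switch and the protected-principal list (the Windows Server 2003 defaults, identified by well-known RID) are this example's own assumptions; check the list against your forest before relying on it. Nested membership is expanded server-side with LDAP_MATCHING_RULE_IN_CHAIN, which needs Windows Server 2003 SP2 or later domain controllers.

```powershell
# Added example (not from the original post or from Joeware). Without -Apply: list
# users/groups with adminCount=1 that are neither default protected principals nor
# (nested) members of a protected group. With -Apply: for each reviewed DN in the
# input file, re-enable DACL inheritance and clear adminCount.
param(
    [string]$InputFile = '.\approved-dns.txt',   # assumed: one DN per line
    [switch]$Apply                                # omit it to only report
)

$SE_DACL_PROTECTED = 0x1000   # the control bit the VBScript further down toggles

function Get-DomainSid {
    $root = [ADSI]'LDAP://RootDSE'
    $dom  = [ADSI]"LDAP://$($root.defaultNamingContext)"
    New-Object System.Security.Principal.SecurityIdentifier([byte[]]$dom.psbase.Properties['objectSid'].Value, 0)
}

function Get-ProtectedDns {
    # Windows Server 2003 default protected principals, by well-known RID (assumption: adjust per forest)
    $d = (Get-DomainSid).Value
    $sids  = foreach ($rid in 500, 502, 512, 516, 518, 519) { "$d-$rid" }       # Administrator, krbtgt, Domain Admins, Domain Controllers, Schema Admins, Enterprise Admins
    $sids += foreach ($rid in 544, 548, 549, 550, 551, 552) { "S-1-5-32-$rid" } # Administrators, Account/Server/Print/Backup Operators, Replicator
    foreach ($sid in $sids) {
        try { [string]([ADSI]"LDAP://<SID=$sid>").distinguishedName } catch { }   # e.g. Schema Admins is absent in a child domain
    }
}

function ConvertTo-LdapFilterValue([string]$s) {
    # RFC 4515 escaping so a DN containing '\', '*', '(' or ')' is safe inside a filter
    $s -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Get-NestedMembers([string[]]$GroupDns) {
    # LDAP_MATCHING_RULE_IN_CHAIN makes the DC expand nested group membership
    $ds = New-Object System.DirectoryServices.DirectorySearcher
    $ds.PageSize = 1000
    [void]$ds.PropertiesToLoad.Add('distinguishedName')
    foreach ($g in $GroupDns) {
        $ds.Filter = "(memberOf:1.2.840.113556.1.4.1941:=$(ConvertTo-LdapFilterValue $g))"
        foreach ($r in $ds.FindAll()) { [string]$r.Properties['distinguishedname'][0] }
    }
}

function Get-AdminCountObjects {
    # Same filter as the ADFIND command above, searched from the default naming context
    $ds = New-Object System.DirectoryServices.DirectorySearcher
    $ds.Filter = '(&(|(&(objectCategory=person)(objectClass=user))(objectCategory=group))(adminCount=1))'
    $ds.PageSize = 1000
    [void]$ds.PropertiesToLoad.Add('distinguishedName')
    foreach ($r in $ds.FindAll()) { [string]$r.Properties['distinguishedname'][0] }
}

function Get-OrphanedAdminCount {
    $protected = @(Get-ProtectedDns | Where-Object { $_ })
    $keep = New-Object 'System.Collections.Generic.HashSet[string]' ([StringComparer]::OrdinalIgnoreCase)
    foreach ($dn in $protected + @(Get-NestedMembers $protected)) { [void]$keep.Add($dn) }
    foreach ($dn in Get-AdminCountObjects) {
        if (-not $keep.Contains($dn)) { $dn }   # adminCount=1 but no longer protected: review these
    }
}

function Enable-Inheritance([string]$Dn) {
    $de = [ADSI]"LDAP://$Dn"
    $sd = $de.psbase.ObjectSecurity
    # The Control word is at offset 2 of the self-relative security descriptor; "And" tests the bit
    $control = [BitConverter]::ToUInt16($sd.GetSecurityDescriptorBinaryForm(), 2)
    if (($control -band $SE_DACL_PROTECTED) -eq 0) { return "$Dn : inheritance already enabled, skipped" }
    $sd.SetAccessRuleProtection($false, $true)   # clear the bit rather than toggling blindly; explicit ACEs stay
    $de.psbase.CommitChanges()
    "$Dn : inheritance enabled"
}

function Clear-AdminCount([string]$Dn) {
    $de = [ADSI]"LDAP://$Dn"
    $de.psbase.Properties['adminCount'].Clear()   # <not set> rather than 0
    $de.psbase.CommitChanges()
    "$Dn : adminCount cleared"
}

if ($Apply) {
    foreach ($line in Get-Content $InputFile) {
        $dn = $line.Trim()
        if ($dn) { Enable-Inheritance $dn; Clear-AdminCount $dn }
    }
} else {
    Get-OrphanedAdminCount | Sort-Object   # review, put the approved DNs in $InputFile, rerun with -Apply
}
```

Run it once without -Apply and read the list; anything that is protected for a reason you did not anticipate (custom groups added to adminSDHolder's membership via dsHeuristics exclusions, or objects in another domain of the forest) will show up there and must be removed from the file by hand. Enable-Inheritance deliberately checks the bit first and clears it, instead of the Xor toggle in the VBScript, so that re-running the script on an object that was already fixed cannot disable inheritance again.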
The VBScript program below will toggle this setting. That is, if "allow inheritable permissions" is enabled (as it is by default), this program will disable it. If it is disabled, the program will enable it. I have hard coded the Distinguished Name of the object in the program. It should work for any object in Active Directory. If you need to modify the program, remember you would use the "And" operator to test a bit in ‘intNtSecurityDescriptorControl’, the "Or" operator to set a bit, and the "Xor" operator (as below) to toggle the bit. The constant SE_DACL_PROTECTED represents just one bit of intNtSecurityDescriptorControl.
```vbscript
' VBScript program to toggle "allow inheritable permissions from
' parent to propagate to this object" on the Security tab of the object.
Option Explicit

Const SE_DACL_PROTECTED = &H1000

Dim objADObject, objNtSecurityDescriptor, intNtSecurityDescriptorControl

' Distinguished Name of user object hard coded.
Set objADObject = GetObject("LDAP://cn=TestUser,ou=Sales,dc=MyDomain,dc=com")

' Retrieve security descriptor object for this object.
Set objNtSecurityDescriptor = objADObject.Get("ntSecurityDescriptor")

' Retrieve control settings.
intNtSecurityDescriptorControl = objNtSecurityDescriptor.Control

' Toggle the bit for "allow inheritable permissions".
intNtSecurityDescriptorControl = intNtSecurityDescriptorControl Xor SE_DACL_PROTECTED

' Save control settings in the security descriptor object.
objNtSecurityDescriptor.Control = intNtSecurityDescriptorControl

' Save the security descriptor object.
objADObject.Put "ntSecurityDescriptor", objNtSecurityDescriptor

' Update the user object.
objADObject.SetInfo

Wscript.Echo "Done"
```
Use this script at your own risk!
NOTE: when inheritance is disabled, the ACEs that were being inherited from the parent are converted into explicit ACEs on the object itself (and in the adminSDHolder case the object's security descriptor is replaced by a copy of the one on the adminSDHolder object). If you enable inheritance on the target object again, that object can/will end up with the following "types" of permissions (depending on how inheritance was disabled – manually or through the adminSDHolder object):
* Permissions defined in the schema (defaultSecurityDescriptor) for that type of target object
* Explicit permissions on the target object that were converted from inherited ones when inheritance was disabled
* Inherited permissions from the parent object that apply again after re-enabling inheritance
* Explicit permissions stamped onto the target object from the adminSDHolder object
In other words, re-enabling inheritance adds the inherited ACEs back; it does not remove the explicit copies.
To reset everything to normal you can use DSACLS with the /S option, which resets the ACL of the target object to the default defined in the schema for its object class (add /T to do the same for the whole subtree below it). BE CAREFUL! -> if you have custom ACLs defined (e.g. because of delegations, which is common on OUs) those ACLs will be removed, so record the current ACL before you run it. Also note that on an object that is still protected by the adminSDHolder object, SDProp will simply re-stamp the adminSDHolder permissions afterwards.
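A small PowerShell helper for the caveat above, as an added example that is not part of the original post: it saves the object's current security descriptor as SDDL before you run DSACLS /S, lists which ACEs are explicit versus inherited (the explicit ones are what re-enabling inheritance leaves behind and what /S wipes), and can put the saved DACL back. The -Dn parameter, the backup folder and the -Restore switch are this example's own assumptions.

```powershell
# Added example (not from the original post). Back up an AD object's ACL as SDDL,
# report explicit vs inherited ACEs, and optionally restore the saved DACL.
param(
    [Parameter(Mandatory = $true)][string]$Dn,
    [string]$BackupDir = '.\acl-backup',   # assumed
    [switch]$Restore                       # put the saved DACL back instead of reporting
)

$de   = [ADSI]"LDAP://$Dn"
$sd   = $de.psbase.ObjectSecurity
$file = Join-Path $BackupDir (($Dn -replace '[^A-Za-z0-9=,.-]', '_') + '.sddl')

if ($Restore) {
    # Only the DACL ('Access') is restored; owner, group and SACL need extra privileges
    $sd.SetSecurityDescriptorSddlForm([IO.File]::ReadAllText($file), 'Access')
    $de.psbase.CommitChanges()
    "Restored DACL on $Dn from $file"
    return
}

New-Item -ItemType Directory -Force -Path $BackupDir | Out-Null
$sd.GetSecurityDescriptorSddlForm('All') | Set-Content -Path $file -Encoding ASCII
"Saved SDDL of $Dn to $file"

$rules = $sd.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
"Explicit ACEs : {0}" -f @($rules | Where-Object { -not $_.IsInherited }).Count
"Inherited ACEs: {0}" -f @($rules | Where-Object { $_.IsInherited }).Count
$rules | Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType |
    Format-Table -AutoSize

# After reviewing the explicit ACEs, reset to the schema default (add /T for the subtree):
#   dsacls "$Dn" /S
```

Compare the explicit ACE list with what you expect from your delegation model before running DSACLS; a delegation you still need is easier to re-add from the saved SDDL than to reconstruct from memory.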
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########