Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2005-11-16) Script To Set Or Clear The Inheritance Flag On AD Objects

Posted by Jorge on 2005-11-16

I have seen several questions regarding setting the inheritance flag on AD objects. Possible reasons were:

* Inheritance was disabled on sub OUs for some reason

* Inheritance was disabled on CUSTOM users or groups that previously were members of default AD protected groups

I found the script below on the internet after googling for some time. I found it at:

A copy of the script can be found below. That script can be modified to use an input file with all the objects that need inheritance enabled again.

In the second case (the adminSDholder case) first query AD for all groups and users that have adminCount = 1.

For that you can use Joe’s ADFIND tool (

ADFIND -default -f "(&(|(&(objectCategory=person)(objectClass=user))(objectCategory=group))(adminCount=1))" -dn

From the result you get filter out all default protected users and groups AND custom groups that are still members of the protected groups.

Review what is left and put that into the input file and use the script below (first read the QUOTE!) to enable inheritance again.

You can use the same input file to reset the adminCount attribute to 0 or to <not set>. You could just use ADMOD (also from Joeware – in conjunction with ADFIND and modify all objects that have adminCount=1 to adminCount=0. However you DON’T wanna do that as some objects have that attribute because they are protected by the adminSDHolder object. Although if you change it, it will be reset back. So you would be changing what should NOT be changed. Because you have a custom list objects to change you should use a script (e.g. VBS).

Maybe if we all ask real hard, Joe will modify ADMOD to accept an input file with DNs of objects to modify… ;-))



The VBScript program below will toggle this setting. That is, if "allow inheritable permissions" is enabled (as it is by default), this program will disable it. If it is disabled, the program will enable it. I have hard coded the Distinguished Name of the object in the program. It should work for any object in Active Directory. If you need to modify the program, remember you would use the "And" operator to test a bit in ‘intNtSecurityDescriptorControl’, the "Or" operator to set a bit, and the "Xor" operator (as below) to toggle the bit. The constant SE_DACL_PROTECTED represents just one bit of intNtSecurityDescriptorControl.


' VBScript program to toggle "allow inheritable permissions from ' parent to propagate to this object" on the Security tab of the object. Option Explicit Const SE_DACL_PROTECTED = &H1000 Dim objADObject, objNtSecurityDescriptor, intNtSecurityDescriptorControl ' Distinguished Name of user object hard coded. Set objADObject = GetObject("LDAP://cn=TestUser,ou=Sales,dc=MyDomain,dc=com") ' Retreive security descriptor object for this object. Set objNtSecurityDescriptor = objADObject.Get("ntSecurityDescriptor") ' Retrieve control settings. intNtSecurityDescriptorControl = objNtSecurityDescriptor.Control ' Toggle the bit for "allow inheritable permissions". intNtSecurityDescriptorControl = intNtSecurityDescriptorControl Xor SE_DACL_PROTECTED ' Save control settings in the security descriptor object. objNtSecurityDescriptor.Control = intNtSecurityDescriptorControl ' Save the security descriptor object. objADObject.Put "ntSecurityDescriptor", objNtSecurityDescriptor ' Update the user object. objADObject.SetInfo Wscript.Echo "Done"

Use this script at your own risk!

NOTE: as inheritance was disabled the ACLs on the parent object are copied onto the child object. If you enable inheritance on the target object that object can/will have the following "types" of permissions (depending on how inheritance was disabled – manually or through adminSDHolder object):

* Permissions defined in the schema for that type of target object

* Explicit permissions on the target object that were copied from the parent when inheritance was disabled

* Implicit permissions on the target object that are inherited from the parent object after re-enabling inheritance

* Explicit permissions set by the adminSDHolder object


To reset everything to normal you can use DSACLS with the option to reset the ACLs of the target object as defined in the schema. BE CAREFUL! -> if you have custom ACLs defined (e.g. because of delegations which is possible for OUs) those ACLs will be removed




* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!



############### Jorge’s Quest For Knowledge #############

######### ########



9 Responses to “(2005-11-16) Script To Set Or Clear The Inheritance Flag On AD Objects”

  1. This is a very nice script, I like it maybe we should .net it?

    What you think


  2. could be interesting as a tool as there is nothing else to find…

    it need more intelligence though.. like
    * accepting input files
    * an option to enable or disable it
    * possibly checking if, for mistake, protected groups/users are involved (by checking the definition in AD and by checking transitive group membership)


  3. Hi Jorge,

    I was expecting the full blown solution, which would take care of finding all security prinicipal with admincount=1, then excluding current protected groups and its nested members, and then finally resetting inheritance and changing admincount=0… phew…

    I am hoping that, i will be able to pull this off in this weekend.
    If I am successful, I will post the code in Activedir mailing list for everyone’s review.

    Thanks for the basic algorithm 🙂
    and of course, for this starting code.



  4. Kamlesh or Jorge,

    please make sure you update this blog entry if Kamlesh gets the code to work for those that are monitoring this blog!



  5. Hi Guys,
    While looking for programatically finding which groups are protected, I stumbled upon this KB 817433 article, which has the almost perfect script ready. The LDAP query needs to be changed to include groups.

    I will refine it & optimize it so that, it excludes protected group members.



  6. Kamlesh,

    That script does exactly the same as the script I posted. The only difference is the admincount part.
    Nonetheless you cannot just run that script, as I mentioned, because you also have accounts that should be configured with the admincount=1. Examples are administrator, krbtgt and all other custom users and groups you made member of protected groups (and still should be). So you still SHOULD filter those out. So that is why I described the procedure above in different steps


  7. Jorge,

    That script won’t do any considerable harm as current protected member’s inheritance and admincount will be changed again in next MAX one hour by PDC.

    But then again, why take risk that, someone would change membership of protected groups in mean time.

    Anyway, I was able to successfully exclude the nested members of protected group, and reset other members admincount and set inheritance.

    I have used the above script for inheritance and admincount stuff.

    But I have used dsquery, dsget and find.exe to comeup with list of users who need the change. (excluding protected members)

    I don’t know what is max length for comment, so I will put the code at activedir mailing list for review.

    Thanks for everything.



  8. I understand what the script does and that is touvhes each object. However, my personal opinion is that I don’t like to touch things that do not need change and then waiting until it gets repaired. I prefer to touch only those objects that need changes

    Glad everything worked for you!


  9. […] Also see:… […]


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: