1

I need to change the "Include inheritable permissions from this object's parent" setting for all users in my domain that belong to a security group called "Employees". I've included a screenshot of what I need changed. I need the checkbox CHECKED. I have no prior PowerShell experience, and this must be automated, otherwise it's going to take me a LOOONG time to do this manually.

Thanks!

DobotJr
  • Isn't that checkbox specific to the Access Control List, not the Access Control Entry? Please forgive me, either I misunderstand, or your question is nonsensical. Are the user objects not currently inheriting anything at all? – john Jul 10 '13 at 20:58
  • @john you are right, the checkbox is specific to the ACL not the entry. The users are currently not inheriting permissions. All I need to do is have that checkbox checked. – DobotJr Jul 10 '13 at 21:11
  • I see. I was confused by the highlighting of the ACE or I missed the relevance of it then. – john Jul 10 '13 at 21:24
  • Is this related to http://support.microsoft.com/kb/306398 by any chance? I only ask because I've just stumbled across this problem myself. It might be worth including it in the Q if so. – john Jul 16 '13 at 08:21

2 Answers

1

You're interpreting the "Advanced Security Settings for ballardc" dialog improperly.

The "Include inheritable permissions from this object's parent" is a setting that applies to the "ballardc" object, not to the individual access control entry (ACE) that you've highlighted in the view of the access control list (ACL). The "ballardc" object is inheriting any inheritable ACEs from its parent container (the OU or container object in the Active Directory (AD) where it's located).

Edit:

I see your comment to @john above, and in light of that:

By default all newly-created user objects in the AD inherit permissions from their parents. If somebody has gone and changed that on all the user objects then there is likely some reason. I'd be wary of just turning inheritance back on without understanding why first.

Evan Anderson
0

I've experience with PowerShell but not Quest tools, which is what seems to be the accepted toolkit. It would go something like this (assuming you have the relevant permissions):

Get-QADGroupMember group@domain.com | % { Set-QADObjectSecurity $_.UserPrincipalName -UnlockInheritance}

(% is an alias of the ForEach-Object cmdlet, which takes the input collection of items and runs the same script block on each of them.)

The references for these commands are:

And can be downloaded here http://www.quest.com/powershell/activeroles-server.aspx

I hope you learn to have fun with PowerShell, it's invaluable to me now.

john
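An audit-first version of the change discussed in the two answers above, as an added example that is not from either answer: it records which "Employees" members currently have inheritance disabled before anything is changed, and only previews the re-enable unless told to apply it. It assumes the Microsoft ActiveDirectory (RSAT) module and its AD: drive rather than the Quest cmdlets; the `$Apply` variable and the CSV file name are hypothetical.

```powershell
# Added example: ActiveDirectory (RSAT) module, not the Quest cmdlets from the answer.
Import-Module ActiveDirectory

$GroupName = 'Employees'   # group name from the question
$Apply     = $false        # hypothetical switch: $false only previews the change

# Step 1: collect the current state of every user in the group.
$report = foreach ($member in Get-ADGroupMember -Identity $GroupName -Recursive) {
    if ($member.objectClass -ne 'user') { continue }

    $user = Get-ADUser -Identity $member.DistinguishedName -Properties adminCount
    $acl  = Get-Acl -Path "AD:\$($user.DistinguishedName)"

    [pscustomobject]@{
        SamAccountName      = $user.SamAccountName
        # True means the "Include inheritable permissions" box is unchecked.
        InheritanceDisabled = $acl.AreAccessRulesProtected
        # adminCount = 1 marks accounts stamped by AdminSDHolder; SDProp turns
        # inheritance off on them again, so they are reported but never changed.
        AdminCount          = $user.adminCount
        DistinguishedName   = $user.DistinguishedName
    }
}

# Step 2: keep a record of the state before touching anything.
$report | Export-Csv -Path .\employees-inheritance-before.csv -NoTypeInformation
$report | Where-Object InheritanceDisabled |
    Format-Table SamAccountName, AdminCount, DistinguishedName

# Step 3: re-enable inheritance where it is off and the account is not
# AdminSDHolder-protected. With $Apply = $false, Set-Acl runs with -WhatIf.
$targets = $report | Where-Object { $_.InheritanceDisabled -and $_.AdminCount -ne 1 }
foreach ($row in $targets) {
    $path = "AD:\$($row.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    # First argument $false = ACL no longer protected, so parent ACEs are
    # inherited; the second argument is ignored when removing protection.
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $path -AclObject $acl -WhatIf:(-not $Apply)
}
```

The CSV gives a way to see how many accounts are affected and to restore the previous state if re-enabling inheritance turns out to undo a deliberate restriction.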