
Powershell: Fix Active Directory Permission Inheritance

CURRENT CONFIGURATION: Microsoft Windows 2003 Active Directory, Windows 2003 R2 x64 SP2 Domain Controller with Windows Powershell v 1.0

OBJECTIVE: Delegate AD permissions for some OUs.

ISSUE: Some OUs, users, groups and computers in AD have the permission setting "Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here" unchecked, so permissions delegated on the parent OU never reach those objects.

SOLUTION: I wrote a Powershell script AD_Permission_Inheritance_Enable.ps1
# *****************************************************************************
# Windows Powershell script
# Author:  Vadim Zenin http://vadimszenins.blogspot.com
# Version:  1.00
# Date:     10/11/2009 18:18:43
# Purpose: Restore Active Directory Permission Inheritance on Active
# Directory Objects
# Arguments:
# Args[0] OU distinguished Name
# Tested platform:
# Windows Powershell v 1.0,
# Windows 2003 R2 x64 SP2,
# Version 1.00 revision:
# This code is made available as is, without warranty of any kind. The entire
# risk of the use or the results from the use of this code remains with the user.
# *****************************************************************************
# http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_23214970.html
# http://www.powershell.nu/wp-content/uploads/2009/02/get-ad.ps1

# Modify this list to exclude some classes. Note that objectClass=Person also
# matches computer objects (computer derives from user, which derives from
# person), so computers are visited twice; the second pass is harmless because
# re-enabling inheritance is idempotent.
[string[]]$AllClasses = 'OrganizationalUnit','Computer','Person','Group'

# =============================================================================
# =============================================================================

# =============================================================================
# Function that returns true if the incoming argument is a help request
# =============================================================================
function IsHelpRequest
{
    param($argument)
    return ($argument -eq "-?" -or $argument -eq "-help");
}

# =============================================================================
# Function: Get-Usage
# Author: Vadims Zenins
# Created: 30/10/2009 13:01:21
# Purpose: Script usage explanation and examples.
# Arguments: none
# Returns:
# =============================================================================
function Get-Usage()
{
# Expandable here-string: $ScriptNameOnly is filled in at call time,
# `$AllClasses is escaped so the variable name itself is printed
@"

Restore Active Directory Permission Inheritance on Active Directory Objects:
 'OrganizationalUnit', 'Computer', 'Person', 'Group' under either an OU or
 the Active Directory root.
To exclude a class of object, modify this line at the top of the script:
 `$AllClasses = 'OrganizationalUnit','Computer','Person','Group'

Arguments:
`t"OU distinguished Name"

Enable Active Directory Permission Inheritance for "OU=TestOU,DC=MyCompany,DC=local"
.\$ScriptNameOnly.ps1 "OU=TestOU,DC=MyCompany,DC=local"
.\$ScriptNameOnly.ps1 "OU=TestOU,DC=MyCompany,DC=local" > report.log

Enable Active Directory Permission Inheritance for the AD root
.\$ScriptNameOnly.ps1 "DC=MyCompany,DC=local"

"@
}
# =============================================================================
# =============================================================================

$ScriptPath = $MyInvocation.MyCommand.Path
$ScriptNameOnly = [system.io.path]::GetFilenameWithoutExtension($ScriptPath)

# Check for Usage Statement Request
$args | foreach { if (IsHelpRequest $_) { Get-Usage; exit; } }

$yes = new-Object System.Management.Automation.Host.ChoiceDescription "&Yes",""
$no = new-Object System.Management.Automation.Host.ChoiceDescription "&No",""
$choices = [System.Management.Automation.Host.ChoiceDescription[]]($yes,$no)
$caption = "Question..."

# First argument is the distinguished name to start from
$DN = $args[0]

# Prompt user if argument is empty to start search from AD root
if ($DN -eq $null) {
    $message = "Would you enable Active Directory Permission Inheritance for root?"
    $result = $host.ui.PromptForChoice($caption,$message,$choices,0)
    if($result -eq 0) {
        Write-Host "You answered YES"
        $DN = ([ADSI]"").distinguishedName
    } else {
        Write-Host "You answered NO, nothing changed"
        exit
    }
}
Write-Host "Started in: $DN"

$ds = new-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$DN")
# Paged search: without this FindAll() stops at the server's default 1000-entry limit
$ds.PageSize = 1000

foreach ($aa in $AllClasses) {
    Write-Host "= $aa ="
    $ds.Filter = "(objectClass=$aa)"
    $AllItems = $ds.FindAll()
    foreach($ii in $AllItems) {
        $item = $ii.GetDirectoryEntry()
#        Write-Host "Processing $aa: $($item.sAMAccountName)"
        Write-Host "Processing $aa : $($item.distinguishedName)"
        # Enable Permission Inheritance on an Active Directory Object:
        # clear the "protected" flag on the security descriptor
        # (isProtected=$false) and write it back; objects that already
        # inherit are left untouched
        $sec = $item.psbase.ObjectSecurity
        if ($sec.AreAccessRulesProtected) {
            $sec.SetAccessRuleProtection($false, $true)
            $item.psbase.CommitChanges()
            Write-Host "  Inheritance enabled"
        } else {
            Write-Host "  Inheritance already enabled, skipped"
        }
    }
}

Write-Host " Script $ScriptNameOnly has finished"
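Before running a script like the one above against a production OU, it helps to know what it is about to touch. The following is an added example (not part of the original post or script): an audit-first version of the same fix that lists every OU, user, computer and group under a search base whose ACL has inheritance blocked, prints the explicit ACEs that will survive the change, flags objects protected by AdminSDHolder (adminCount=1), and only writes anything when -Commit is given. The search base DN and the principal names in the output are placeholders; the caller needs WRITE_DAC on the objects to be changed; the syntax stays compatible with PowerShell 1.0 (no -join, no try/catch). The AdminSDHolder check matters because SDProp re-applies the AdminSDHolder ACL, with inheritance disabled, to adminCount=1 objects about every 60 minutes, so re-enabling inheritance on them silently reverts; the right fix there is group membership, not the ACL.

```powershell
# Added example, not the original script: audit (and optionally fix) blocked
# permission inheritance under an OU.
# Assumptions: $SearchBase is a placeholder DN, replace it with a real one;
# the caller has read access to security descriptors and, with -Commit,
# WRITE_DAC on the objects.
param(
    [string]$SearchBase = "OU=TestOU,DC=MyCompany,DC=local",   # placeholder
    [switch]$Commit                                            # default: dry run
)

function Resolve-Sid($sid) {
    # Translate() throws for orphaned SIDs (deleted principals), which are
    # common in old explicit ACEs; fall back to the raw SID in that case.
    $name = $sid.Value
    trap { continue }
    $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
    return $name
}

$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$SearchBase")
$searcher.SearchScope = "Subtree"
$searcher.PageSize    = 1000   # paged results; FindAll() otherwise stops at 1000 entries
# objectClass=user also matches computer objects (computer derives from user),
# so this one filter covers all four classes without visiting computers twice.
$searcher.Filter = "(|(objectClass=organizationalUnit)(objectClass=group)(objectClass=user))"
[void]$searcher.PropertiesToLoad.Add("distinguishedName")
[void]$searcher.PropertiesToLoad.Add("adminCount")

$blocked = 0; $fixed = 0; $skipped = 0

foreach ($result in $searcher.FindAll()) {
    $dn    = $result.Properties["distinguishedname"][0]   # result property names are lower-case
    $entry = $result.GetDirectoryEntry()
    $sd    = $entry.psbase.ObjectSecurity

    if (-not $sd.AreAccessRulesProtected) { continue }    # inheritance already on

    $blocked++
    $adminCount = 0
    if ($result.Properties.Contains("admincount")) {
        $adminCount = [int]$result.Properties["admincount"][0]
    }

    # Explicit ACEs (includeExplicit=$true, includeInherited=$false) remain after
    # inheritance is re-enabled; the parent's inheritable ACEs are added on top.
    $explicit = $sd.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    Write-Host "BLOCKED $dn (explicit ACEs: $($explicit.Count), adminCount: $adminCount)"
    foreach ($ace in $explicit) {
        $who = Resolve-Sid $ace.IdentityReference
        Write-Host ("    {0,-5} {1,-45} {2}" -f $ace.AccessControlType, $who, $ace.ActiveDirectoryRights)
    }

    if ($adminCount -eq 1) {
        # SDProp stamps the AdminSDHolder ACL (inheritance off) back onto this
        # object roughly hourly, so the change would not stick.
        Write-Warning "skipped $dn : AdminSDHolder-protected, SDProp would revert the change"
        $skipped++
        continue
    }

    if ($Commit) {
        # isProtected=$false turns inheritance back on; the second argument is
        # ignored when isProtected is $false, explicit entries are always kept.
        $sd.SetAccessRuleProtection($false, $true)
        $entry.psbase.CommitChanges()
        Write-Host "    FIXED $dn"
        $fixed++
    } else {
        Write-Host "    (dry run; add -Commit to enable inheritance here)"
    }
}

Write-Host "Blocked: $blocked  Fixed: $fixed  Skipped (AdminSDHolder): $skipped"
```

Run it once without -Commit and redirect the output to a log so the explicit ACEs that will remain on each object are on record, then run it again with -Commit. Objects reported as AdminSDHolder-protected will keep coming back as blocked until they are removed from the protected groups and their adminCount attribute is cleared.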

