CURRENT CONFIGURATION: Microsoft Windows 2003 Active Directory, Windows 2003 R2 x64 SP2 Domain Controller with Windows Powershell v 1.0
OBJECTIVE: Delegate AD permissions for an OU.
ISSUE: Some OUs, users, groups and computers in AD have the permission setting "Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here" unchecked.
SOLUTION: I wrote a Powershell script, AD_Permission_Inheritance_Enable.ps1:
# *****************************************************************************
# Windows Powershell script
# Author: Vadim Zenin http://vadimszenins.blogspot.com
# Version: 1.00
# Date: 10/11/2009 18:18:43
# Purpose: Restore Active Directory Permission Inheritance on Active
# Directory Objects
#
# Arguments:
# Args[0] OU distinguished Name
#
# Tested platform:
# Windows Powershell v 1.0,
# Windows 2003 R2 x64 SP2,
#
# Version 1.00 revision:
#
# This code is made available as is, without warranty of any kind. The entire
# risk of the use or the results from the use of this code remains with the user.
# *****************************************************************************
# http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_23214970.html
# http://www.powershell.nu/wp-content/uploads/2009/02/get-ad.ps1
Param($DN)

# Modify the string to exclude some classes
[string[]]$AllClasses = 'OrganizationalUnit','Computer','Person','Group'

# =============================================================================
# FUNCTION LISTINGS
# =============================================================================

# =============================================================================
# Function that returns true if the incoming argument is a help request
# =============================================================================
function IsHelpRequest
{
    param($argument)
    return ($argument -eq "-?" -or $argument -eq "-help");
}

# =============================================================================
# Function: Get-Usage
# Author: Vadims Zenins
# Created: 30/10/2009 13:01:21
# Purpose: Script usage explanation and examples.
# Arguments: none
# Returns:
# =============================================================================
function Get-Usage()
{
@"
USAGE:
NAME:
$ScriptNameOnly.ps1
SYNOPSIS:
Restore Active Directory Permission Inheritance on Active Directory Objects:
'OrganizationalUnit', 'Computer', 'Person', 'Group' under either OU or
Active Directory root
To exclude some class of object just modify next line on the top:
$AllClasses = 'OrganizationalUnit','Computer','Person','Group'
PARAMETERS:
`t"OU distinguished Name"
EXAMPLES:
Enable Active Directory Permission Inheritance for "OU=TestOU,DC=MyCompany,DC=local"
.\$ScriptNameOnly.ps1 "OU=TestOU,DC=MyCompany,DC=local"
.\$ScriptNameOnly.ps1 "OU=TestOU,DC=MyCompany,DC=local" > report.log
Enable Active Directory Permission Inheritance for AD root
.\$ScriptNameOnly.ps1 "DC=MyCompany,DC=local"
.\$ScriptNameOnly.ps1
"@
}

# =============================================================================
# MAIN SCRIPT
# =============================================================================
$ScriptPath = $MyInvocation.MyCommand.Path
$ScriptNameOnly = [system.io.path]::GetFilenameWithoutExtension($ScriptPath)

# Check for Usage Statement Request. Because a Param block is declared, a quoted
# "-help" binds to $DN instead of landing in $args, so both places are checked.
foreach ($arg in (@($DN) + $args)) {
    if (IsHelpRequest $arg) { Get-Usage; exit }
}

$yes = New-Object System.Management.Automation.Host.ChoiceDescription "&Yes",""
$no  = New-Object System.Management.Automation.Host.ChoiceDescription "&No",""
$choices = [System.Management.Automation.Host.ChoiceDescription[]]($yes,$no)
$caption = "Question..."

# Prompt user if argument is empty to start search from AD root
if ($DN -eq $null) {
    $message = "Would you enable Active Directory Permission Inheritance for root?"
    $result = $host.ui.PromptForChoice($caption,$message,$choices,0)
    if ($result -eq 0) {
        Write-Host "You answered YES"
        $DN = ([ADSI]"").distinguishedName   # default naming context of the current domain
    } else {
        Get-Usage
        exit
    }
}

Write-Host "Started in: $DN"
$ds = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$DN")
# Without paging, DirectorySearcher stops at the server's 1000-result limit and
# silently skips the rest of a large OU
$ds.PageSize = 1000

foreach ($aa in $AllClasses) {
    Write-Host "= $aa ="
    $ds.Filter = "(objectClass=$aa)"
    $AllItems = $ds.FindAll()
    foreach ($ii in $AllItems) {
        $item = $ii.GetDirectoryEntry()
        # Write-Host "Processing $aa: $($item.sAMAccountName)"
        # (the space before the colon below is deliberate: "$aa:" would be read
        # as a scoped variable reference inside a double-quoted string)
        Write-Host "Processing $aa : $($item.distinguishedName)"
        # Enable Permission Inheritance on an Active Directory Object:
        # isProtected=$false turns inheritance back on; the second argument
        # (preserveInheritance) is only consulted when protecting, so $true is harmless here
        $item.psbase.ObjectSecurity.SetAccessRuleProtection($false,$true)
        $item.psbase.CommitChanges()
    }
}
Write-Host " Script $ScriptNameOnly has finished"
Download md5: f03b9338d5267977d5c6c16a7c7981f9
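Before running a bulk fix like the one above, it is worth knowing which objects actually have inheritance disabled and why. The following is an added example, not the script from this post: a report-only variant that lists every object under the OU whose DACL is protected (ObjectSecurity.AreAccessRulesProtected is $true), flags objects carrying adminCount=1, and only changes anything when the hypothetical -Fix switch is given. The adminCount check matters because members of protected groups (Domain Admins, Account Operators and the like) have inheritance disabled by the SDProp process, which re-stamps the AdminSDHolder ACL on them every 60 minutes by default, so enabling inheritance on those objects is undone within the hour. For every other object, enabling inheritance applies each inheritable ACE of the parent OU, including delegated rights, which someone may have blocked on purpose. The -Fix and -Classes parameters, the output column names and the file name in the usage note are my own choices, not the post's.

```powershell
# Added example, not the original post's script: report-only audit of which
# AD objects under $DN have "Inherit from parent ..." unchecked, i.e.
# ObjectSecurity.AreAccessRulesProtected is $true. Only the hypothetical -Fix
# switch re-enables inheritance, and it skips adminCount=1 objects because
# SDProp re-protects them from AdminSDHolder within 60 minutes anyway.
# Assumes a domain-joined Windows host; uses only System.DirectoryServices
# (PowerShell v1 compatible, no ActiveDirectory module required).
Param(
    [string]$DN,
    [string[]]$Classes = @('OrganizationalUnit','Computer','Person','Group'),
    [switch]$Fix
)

if (-not $DN) { $DN = ([ADSI]"").distinguishedName }   # default: domain root

$ds = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$DN")
$ds.PageSize = 1000   # paged results; the default of 0 stops at the 1000-object server limit
$ds.PropertiesToLoad.Add('distinguishedName') | Out-Null
$ds.PropertiesToLoad.Add('adminCount') | Out-Null

foreach ($class in $Classes) {
    $ds.Filter = "(objectClass=$class)"
    foreach ($res in $ds.FindAll()) {
        $entry = $res.GetDirectoryEntry()
        # $true means the object carries its own protected DACL and ignores inherited ACEs
        if (-not $entry.psbase.ObjectSecurity.AreAccessRulesProtected) { continue }

        # adminCount=1 is set by SDProp on members of protected groups
        $isAdminSDHolder = ($res.Properties.Contains('admincount') -and ([int]$res.Properties['admincount'][0] -eq 1))

        $row = New-Object PSObject
        $row | Add-Member NoteProperty Class $class
        $row | Add-Member NoteProperty DistinguishedName $res.Properties['distinguishedname'][0]
        $row | Add-Member NoteProperty ProtectedByAdminSDHolder $isAdminSDHolder
        $row | Add-Member NoteProperty Action 'report-only'

        if ($Fix -and -not $isAdminSDHolder) {
            # Same call as the original script: isProtected=$false turns inheritance back on
            $entry.psbase.ObjectSecurity.SetAccessRuleProtection($false, $true)
            $entry.psbase.CommitChanges()
            $row.Action = 'inheritance-enabled'
        } elseif ($Fix) {
            $row.Action = 'skipped (SDProp would re-protect it)'
        }
        $row   # emitted to the pipeline: pipe into Format-Table or Export-Csv
    }
}
```

Usage (hypothetical file name): `.\Audit-ADInheritance.ps1 "OU=TestOU,DC=MyCompany,DC=local" | Format-Table -AutoSize` produces the report without touching anything; adding `-Fix` re-enables inheritance on the non-adminCount objects and records what was changed in the Action column, which makes a reviewable log of the delegation change.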
5 comments:
SUPER! The script works fine.
Thank you, Vadim.
Hello, I want to execute it only for users that have not enabled inheritance, not all of them. Can you help me?
What are the consequences if I enable it for all the users?
Hi krisna,
# Modify the string to exclude some classes
[string[]]$AllClasses = 'OrganizationalUnit','Computer','Person','Group'
The quickest way is to just keep the class Person:
[string[]]$AllClasses = 'Person'
P.S. sorry, today is my last day before holidays
Hi Vadims, thanks for your answer, but that's not my intention. I want to search for the Persons where inheritance is unchecked; can you help me? Thanks again :)
You've saved my life... Thanks