CURRENT CONFIGURATION: Microsoft Windows 2003 Active Directory, Windows 2003 R2 x64 SP2 Domain Controller with Windows Powershell v 1.0
OBJECTIVE: Delegate AD permissions for some OU.
ISSUE: Some OUs, users, groups and computers in AD have the permission setting "Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here" unchecked, so rights delegated at the OU level never reach those objects.
SOLUTION: I wrote a PowerShell script, AD_Permission_Inheritance_Enable.ps1, that re-enables inheritance on every OU, computer, user and group under a given DN. Keep in mind that this is a security-relevant change: once inheritance is on, every ACE granted on the parent containers applies to those objects, so review the existing delegations on the target subtree first. Objects protected by AdminSDHolder (adminCount=1, e.g. members of Domain Admins) should be left alone; the SDProp process re-applies their protection periodically, so enabling inheritance on them only opens a temporary window.
# *****************************************************************************
# Windows Powershell script
# Author: Vadim Zenin http://vadimszenins.blogspot.com
# Version: 1.00
# Date: 10/11/2009 18:18:43
# Purpose: Restore Active Directory Permission Inheritance on Active
# Directory Objects
#
# Arguments:
# Args[0] OU distinguished Name
#
# Tested platform:
# Windows Powershell v 1.0,
# Windows 2003 R2 x64 SP2,
#
# Version 1.00 revision:
#
# This code is made available as is, without warranty of any kind. The entire
# risk of the use or the results from the use of this code remains with the user.
# *****************************************************************************
# http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_23214970.html
# http://www.powershell.nu/wp-content/uploads/2009/02/get-ad.ps1
# $DN is deliberately left untyped: main tests it against $null to decide
# whether to prompt for the AD root, and a [string] constraint would turn a
# missing argument into "" and defeat that check.
Param($DN)
# Object classes whose inheritance is restored, in processing order.
# Drop an entry from this list to exclude that class.
[string[]]$AllClasses = @('OrganizationalUnit', 'Computer', 'Person', 'Group')
# =============================================================================
# FUNCTION LISTINGS
# =============================================================================
# =============================================================================
# Function that returns true if the incoming argument is a help request
# =============================================================================
function IsHelpRequest
{
  param($argument)
  # Returns $true only for the two literal help switches. Both -contains and
  # the original -eq comparison are case-insensitive on strings, so "-HELP"
  # also counts; $null or any other value yields $false.
  $helpSwitches = @("-?", "-help")
  return [bool]($helpSwitches -contains $argument)
}
# =============================================================================
# Function: Get-Usage
# Author: Vadims Zenins
# Created: 30/10/2009 13:01:21
# Purpose: Script usage explanation and examples.
# Arguments: none
# Returns:
# =============================================================================
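# Prints the usage text. The body is a double-quoted here-string, so
# $ScriptNameOnly (set by the main script) expands to the script's file name.
# $AllClasses is back-tick escaped so the literal assignment line is shown;
# unescaped it expanded to the array contents and the line read
# "OrganizationalUnit Computer Person Group = 'OrganizationalUnit',...".
# Arguments: none. Returns: the usage text as a single string.
function Get-Usage()
{
@"
USAGE:
NAME:
$ScriptNameOnly.ps1
SYNOPSIS:
Restore Active Directory Permission Inheritance on Active Directory Objects:
'OrganizationalUnit', 'Computer', 'Person', 'Group' under either OU or
Active Directory root
To exclude some class of object just modify next line on the top:
`$AllClasses = 'OrganizationalUnit','Computer','Person','Group'
PARAMETERS:
`t"OU distinguished Name"
EXAMPLES:
Enable Active Directory Permission Inheritance for "OU=TestOU,DC=MyCompany,DC=local"
.\$ScriptNameOnly.ps1 "OU=TestOU,DC=MyCompany,DC=local"
.\$ScriptNameOnly.ps1 "OU=TestOU,DC=MyCompany,DC=local" > report.log
Enable Active Directory Permission Inheritance for AD root
.\$ScriptNameOnly.ps1 "DC=MyCompany,DC=local"
.\$ScriptNameOnly.ps1
"@
}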
# =============================================================================
# MAIN SCRIPT
# =============================================================================
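$ScriptPath = $MyInvocation.MyCommand.Path
$ScriptNameOnly = [system.io.path]::GetFilenameWithoutExtension($ScriptPath)
# Check for Usage Statement Request. With Param($DN) declared, a bare "-?" or
# "-help" may be bound to $DN rather than land in $args, so check both places.
$args | foreach { if (IsHelpRequest $_) { Get-Usage; exit; } }
if (IsHelpRequest $DN) { Get-Usage; exit; }
$yes = new-Object System.Management.Automation.Host.ChoiceDescription "&Yes",""
$no = new-Object System.Management.Automation.Host.ChoiceDescription "&No",""
$choices = [System.Management.Automation.Host.ChoiceDescription[]]($yes,$no)
$caption = "Question..."
# Prompt user if argument is empty to start search from AD root
if ($DN -eq $null) {
  $message = "Would you enable Active Directory Permission Inheritance for root?"
  $result = $host.ui.PromptForChoice($caption,$message,$choices,0)
  if($result -eq 0) {
    Write-Host "You answered YES"
    # Default naming context of the domain the script runs in.
    $DN = ([ADSI]"").distinguishedName
  } else {
    Get-Usage
    exit
  }
}
Write-Host "Started in: $DN"
# Security note: enabling inheritance makes every ACE granted on the parent
# containers of $DN effective on these objects. Review the delegations on the
# subtree first, and run this under an account holding no more than WriteDacl
# on the objects it has to change.
$ds = new-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$DN")
# Without paging FindAll() returns at most the server's MaxPageSize (1000 by
# default), silently leaving the rest of a large container untouched.
$ds.PageSize = 1000
# Only the attributes used below are fetched; adminCount marks objects that
# AdminSDHolder/SDProp keeps protected.
[void]$ds.PropertiesToLoad.Add("distinguishedName")
[void]$ds.PropertiesToLoad.Add("adminCount")
$processed = 0
$skipped = 0
$failed = 0
foreach ($aa in $AllClasses) {
  Write-Host "= $aa ="
  # $aa comes from the hard-coded class list, so interpolating it into the
  # LDAP filter is safe; do not extend this to caller-supplied values.
  $ds.Filter = "(objectClass=$aa)"
  $AllItems = $ds.FindAll()
  foreach($ii in $AllItems) {
    $itemDN = $ii.Properties["distinguishedName"][0]
    # AdminSDHolder-protected objects (adminCount=1) are skipped: SDProp would
    # re-protect them within its next run, and the interval in between would
    # expose privileged accounts to OU-level delegations. Clear adminCount
    # deliberately if inheritance is really wanted on such an object.
    if ($ii.Properties.Contains("adminCount") -and ($ii.Properties["adminCount"][0] -eq 1)) {
      Write-Warning "Skipping AdminSDHolder-protected $aa : $itemDN (adminCount=1)"
      $skipped++
      continue
    }
    Write-Host "Processing $aa : $itemDN"
    $item = $ii.GetDirectoryEntry()
    # Enable Permission Inheritance on an Active Directory Object.
    # First argument $false = not protected, i.e. inherit from parent; the
    # second argument only matters when protecting, so it is irrelevant here.
    # A failing .NET call (e.g. access denied) aborts only its own statement,
    # so $? is used to stop before the commit and to count the failure.
    $item.psbase.ObjectSecurity.SetAccessRuleProtection($false,$true)
    if ($?) { $item.psbase.CommitChanges() }
    if ($?) {
      $processed++
    } else {
      Write-Warning "Could not enable inheritance on $itemDN (see error above)"
      $failed++
    }
  }
  # SearchResultCollection holds unmanaged handles; release them per class.
  $AllItems.Dispose()
}
Write-Host " Script $ScriptNameOnly has finished: $processed updated, $skipped skipped (protected), $failed failed"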
Download md5: f03b9338d5267977d5c6c16a7c7981f9 (MD5 only detects accidental corruption; it is not collision-resistant, so it does not prove the download is authentic — read the script before running it with directory-admin rights)