How to check and enable permissions inheritance for user objects in AD

While the built-in protected groups (Administrators, Domain Admins and Backup Operators, to name a few) have permissions inheritance disabled by design, having permissions inheritance disabled on ordinary user objects should be a concern: those objects stop picking up delegated permissions from their OU, and the blocked ACL usually goes unnoticed.

There is a known Windows issue that may be the cause of some of the user objects in your domain having permissions inheritance disabled. For more information on this problem, see Microsoft Support article 817433, "Delegated Permissions are Not Available and Inheritance is Automatically Disabled". The problem may also have resulted simply from upgrading from an earlier version of Windows. Many Active Directory administrators have run into this as well.

While you can open the advanced security settings of each user object in Active Directory to see whether permissions inheritance is disabled, an easier way to do this is with a VBScript. A great script for this task is Sakari Kouti's ADO List Objects That Have Blocked ACL Inheritance.vbs. To use this script, copy and paste its contents from your Web browser into Notepad and save the file with a .VBS extension (example: auditinheritance.vbs). Since the script echoes each object that has permissions inheritance disabled, be sure to run it with cscript rather than wscript (example: cscript auditinheritance.vbs), or you will get one message box per object. While Sakari may appreciate the mention of his script here, I also feel compelled to mention his book, as well. If you're looking for in-depth Active Directory information, "Inside Active Directory, A System Administrator's Guide" is as good as it gets.
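If you would rather do the audit from PowerShell, the following is an added example (not from the original post or from Sakari's script) that does the same job with the RSAT ActiveDirectory module. It lists every user object whose DACL has inheritance blocked and adds the adminCount attribute, so you can tell the objects that SDProp stamped from AdminSDHolder (adminCount=1, the KB 817433 case) apart from objects where the flag got set some other way. The domain-wide search base is an assumption; narrow it to an OU if you prefer.

```powershell
# Added example (not from the original post): report user objects with
# permissions inheritance disabled, and whether AdminSDHolder explains it.
# Requires the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# Assumption: audit the whole domain; set -SearchBase to an OU DN to narrow it.
$searchBase = (Get-ADDomain).DistinguishedName

Get-ADUser -Filter * -SearchBase $searchBase -SearchScope Subtree `
           -Properties nTSecurityDescriptor, adminCount |
    # nTSecurityDescriptor comes back as ActiveDirectorySecurity; the
    # AreAccessRulesProtected flag is the SE_DACL_PROTECTED control bit.
    Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected } |
    ForEach-Object {
        [PSCustomObject]@{
            SamAccountName    = $_.SamAccountName
            DistinguishedName = $_.DistinguishedName
            # adminCount=1: SDProp protected it because the user is, or once
            # was, a member of a protected group (KB 817433). Anything else:
            # the flag was set by an upgrade, a script or a hand edit.
            AdminCount        = if ($_.adminCount) { $_.adminCount } else { 0 }
            ProtectedBySDProp = ($_.adminCount -eq 1)
        }
    } |
    Sort-Object ProtectedBySDProp, SamAccountName |
    Format-Table -AutoSize
```

Rows with ProtectedBySDProp = False are the ones worth fixing directly; rows with True need the group membership and adminCount cleaned up first, otherwise the flag comes straight back.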

Listing the objects with permissions inheritance disabled is only half the battle. One way to enable permissions inheritance on a user object is with the support tool dsacls.exe. To enable permissions inheritance, you would use the following syntax:

dsacls "<object DN>" /P:N

Note that the command options are case sensitive, so both the P and N will need to be capitalized. As an example, suppose you wanted to enable inheritance for the user bwestbrook, who is located in the Staff OU of the mcpmag.com domain. To enable permissions inheritance, you would run the following command:

dsacls "cn=bwestbrook,ou=staff,dc=mcpmag,dc=com" /P:N

If after running this command you notice that permissions inheritance is once again disabled after an hour or so, that tells you the user object is (or was) a member of a protected group: the SDProp process on the PDC emulator re-applies the AdminSDHolder ACL to every object with adminCount=1 every 60 minutes by default, and removing the user from the group does not clear adminCount. You'll need to follow the steps in Microsoft KB article 817433 mentioned earlier to correct the problem.

Now if you have several users in which you need to enable permissions inheritance, a scripted solution will be your best bet. Here is a script that will enable permissions inheritance for every user in an OU:

' Set strOUpath variable to match the
' target OU in your domain
strOUpath = "ou=test,dc=bg,dc=net"

' ADS_SD_CONTROL_SE_DACL_PROTECTED: while this bit is set in the security
' descriptor's Control field, the DACL does not inherit from the parent.
Const SE_DACL_PROTECTED = &H1000

' Connect to OU in Active Directory
Set objConn = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConn
strUsrFil = "(&(objectCategory=person)(objectClass=user))"
' Ask for ADsPath so each object is bound by its real DN; a user's CN
' is not guaranteed to match its sAMAccountName.
objCommand.CommandText = "<LDAP://" & strOUpath & _
    ">;" & strUsrFil & ";ADsPath,sAMAccountName;subtree"
objCommand.Properties("Page Size") = 100
objCommand.Properties("Timeout") = 30
objCommand.Properties("Cache Results") = False
Set objUserRecords = objCommand.Execute

intUserCount = 0 ' user object counter

' Enable permissions inheritance for each user
Do Until objUserRecords.EOF
    intUserCount = intUserCount + 1
    Set objUser = GetObject(objUserRecords.Fields("ADsPath").Value)
    Set objNTSec = objUser.Get("nTSecurityDescriptor")
    ' Clear the protected bit and leave the other control flags alone
    objNTSec.Control = objNTSec.Control And (Not SE_DACL_PROTECTED)
    objUser.Put "nTSecurityDescriptor", objNTSec
    objUser.SetInfo ' write the modified descriptor back to the directory
    objUserRecords.MoveNext
Loop

' Output the number of records changed
' Note that the protected flag is cleared on all users
' in the OU, regardless of whether or not it was
' already clear.
WScript.Echo "Enabled Permissions Inheritance for " & _
    intUserCount & " users in the OU " & strOUpath

Note that you will need to specify the target OU in the strOUpath variable. Once the target OU is set, the script will clear the protected flag on every user object in the OU and its sub-OUs. Keep in mind that any of those users with adminCount=1 will have the flag set again by SDProp within the hour, so the KB 817433 fix still applies to them.
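The same bulk fix in PowerShell, as an added example that is not part of the original post: it walks one OU with the RSAT ActiveDirectory module, skips objects that are already inheriting, refuses to touch objects that AdminSDHolder owns (adminCount=1) because SDProp would simply re-protect them, and clears the protection on the rest. The OU path is the one from the dsacls example above; the $reportOnly switch is an assumption added so the script can be dry-run first.

```powershell
# Added example (not from the original post): re-enable permissions
# inheritance on every user object under an OU, skipping users that
# SDProp will re-protect anyway. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Assumption: target OU; change to match your domain.
$ouPath = 'OU=Staff,DC=mcpmag,DC=com'

# Assumption: start in report-only mode; set to $false to write changes.
$reportOnly = $true

$users = Get-ADUser -Filter * -SearchBase $ouPath -SearchScope Subtree `
                    -Properties nTSecurityDescriptor, adminCount

foreach ($u in $users) {
    $sd = $u.nTSecurityDescriptor
    if (-not $sd.AreAccessRulesProtected) { continue }   # already inherits

    if ($u.adminCount -eq 1) {
        # AdminSDHolder owns this object: SDProp (every 60 minutes by default,
        # on the PDC emulator) would set the flag again. Fix the group
        # membership and adminCount per KB 817433 instead of fighting it.
        Write-Warning "Skipping $($u.SamAccountName): adminCount=1 (protected by AdminSDHolder)"
        continue
    }

    # First argument $false = stop protecting the DACL, i.e. inherit from the
    # parent again. The second argument is ignored when the first is $false.
    $sd.SetAccessRuleProtection($false, $true)

    if ($reportOnly) {
        Write-Output "Would enable inheritance on $($u.DistinguishedName)"
    } else {
        # Write the modified descriptor back; existing explicit ACEs are kept.
        Set-ADUser -Identity $u -Replace @{ nTSecurityDescriptor = $sd }
        Write-Output "Enabled inheritance on $($u.DistinguishedName)"
    }
}
```

Run it once with $reportOnly left at $true and compare the list against the audit output before flipping it; the skipped adminCount=1 users are the ones to take through KB 817433.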

It seems like in IT we have a tendency to take words with good connotations and turn them around. When family talks about “inheritance,” you usually assume you’re about to get something. When a fellow IT staffer mentions inheritance, your reaction is probably more along the lines of “What now?!”
