Tech Line
An Inheritance You Can Do Without
Here's how to check and enable permissions inheritance for user objects in AD.
Chris: I was wondering if you could possibly give me a solution to my
problem. Using Active Directory on Server 03 SE, quite a few of the users have
the "Allow inheritable permissions" check box cleared. I have delegated
control to a Group that has the ability to only reset passwords, and they aren't
able to do this on any user with the box cleared because they aren't inheriting
these permissions. Is there a script I can run or a setting I can check to automate
the process of going through and checking that box for all users? Any help would
greatly be appreciated.
--
Jeremy
Jeremy: Good question. While many built-in user group objects (Administrators,
Domain Administrators and Backup Operators, to name a few) have permissions
inheritance disabled by default, having permissions inheritance disabled on
some user objects should be a concern. Sometimes permissions inheritance is
disabled for a specific reason that may be known by another member of your team.
So first, I would check to determine why inheritance was disabled on some accounts
in the first place. The last thing you want to do is enable inheritance to fix
your current problem only to create one more.
There is a known Windows issue that may be the cause of some of the user objects
in your domain having permissions inheritance disabled. To see more information
on this problem, take a look at the Microsoft Support article 817433 "Delegated
Permissions are Not Available and Inheritance is Automatically Disabled."
If none of your fellow administrators claim responsibility for disabling permissions
inheritance on some user objects, then this may be the cause of your problem.
Also, the problem may have resulted simply from upgrading from an earlier version
of Windows. Many Active Directory administrators have run into this, as well.
Now let me get on to answering your actual question. While you can view the
advanced security settings of each user object in Active Directory to see whether
permissions inheritance is disabled, an easier way to do this is with a
VBScript. A great script for this task is Sakari Kouti's ADO
List Objects That Have Blocked ACL Inheritance.vbs script. To use this script,
just copy and paste its contents from your Web browser into Notepad and save
the file with a .VBS extension (example: auditinheritance.vbs). Since the script
echoes each object that has permissions inheritance disabled, you want to be
sure to run it using cscript (example: cscript auditinheritance.vbs). While
Sakari may appreciate the mention of his script here, I also feel compelled
to mention his book, as well. If you're looking for in-depth Active Directory
information, Inside Active Directory, A System Administrator's Guide is as good as it gets.
I realize that listing the objects with permissions inheritance disabled is
only half the battle. One way to enable permissions inheritance on a user object
is with the support tool dsacls.exe. To enable permissions inheritance, you
would use the following syntax, where the quoted argument is the distinguished name of the object:
dsacls "<object DN>" /P:N
Note that the command options are case sensitive, so both the P and N will
need to be capitalized. As an example, suppose you wanted to enable inheritance
for the user bwestbrook, who is located in the Staff OU in the mcpmag.com domain.
To enable permissions inheritance, you would run the following command:
dsacls "cn=bwestbrook,ou=staff,dc=mcpmag,dc=com" /P:N
If after running this command you notice that permissions inheritance is once
again disabled after a couple of hours, that tells you that the user object
is a member of a protected group and you'll need to follow the steps in Microsoft
KB article 817433 that I mentioned earlier to correct the problem.
Now if you have several users in which you need to enable permissions inheritance,
a scripted solution will be your best bet. Here is a script that I wrote that
will enable permissions inheritance for every user in an OU:
'enableperminheritance.vbs
'Set strOUpath variable to match the
'target OU in your domain
Option Explicit
Dim strOUpath, objConn, objCommand, strUsrFil, objUserRecords
Dim intUserCount, strDN, objUser, objNTSec, intNTSecDes
strOUpath = "ou=test,dc=bg,dc=net"
'SE_DACL_PROTECTED (0x1000) is the security descriptor control
'flag that blocks inheritance; clearing it re-enables inheritance
Const SE_DACL_PROTECTED = &H1000
'Connect to OU in Active Directory
Set objConn = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConn
strUsrFil = "(&(objectCategory=person)(objectClass=user))"
'Ask for distinguishedName rather than sAMAccountName so the bind
'below works even when a user's CN differs from the logon name;
'subtree scope also covers users in child OUs of strOUpath
objCommand.CommandText = "<LDAP://" & strOUpath & ">;" & strUsrFil & _
    ";distinguishedName;subtree"
objCommand.Properties("Page Size") = 100
objCommand.Properties("Timeout") = 30
objCommand.Properties("Cache Results") = False
Set objUserRecords = objCommand.Execute
intUserCount = 0 'user object counter
' Enable Permissions inheritance for each user
Do Until objUserRecords.EOF
    intUserCount = intUserCount + 1
    strDN = objUserRecords.Fields("distinguishedName").Value
    Set objUser = GetObject("LDAP://" & strDN)
    Set objNTSec = objUser.Get("nTSecurityDescriptor")
    intNTSecDes = objNTSec.Control
    'Clear only the SE_DACL_PROTECTED bit; leave other control flags intact
    intNTSecDes = intNTSecDes And (Not SE_DACL_PROTECTED)
    objNTSec.Control = intNTSecDes
    objUser.Put "nTSecurityDescriptor", objNTSec
    objUser.SetInfo
    objUserRecords.MoveNext
Loop
objUserRecords.Close
objConn.Close
' Output the number of records changed
' Note that the permissions inheritance flag is
' set on all users in the OU, regardless of whether
' or not it was already set.
WScript.Echo "Enabled Permissions Inheritance for " & _
    intUserCount & " users in the OU " & strOUpath
Note that you will need to specify the target OU in the strOUpath variable.
Once the target OU is set, the script will enable the permissions inheritance
flag of every user object in the OU.
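For domains where the ActiveDirectory PowerShell module is available, here is a PowerShell version of the audit-then-enable procedure covered by the VBScript and dsacls steps above; it is added here and is not part of the original column or Sakari's script. The helper names are hypothetical, the Staff OU under mcpmag.com is the same constructed example used with dsacls, and accounts with adminCount = 1 are skipped because those are the protected accounts the column warns will have inheritance re-disabled within hours.

```powershell
# Audit user objects under an OU for blocked permission inheritance and
# optionally re-enable it. Run Enable-UserInheritance with -WhatIf first.
Import-Module ActiveDirectory

function Get-UserInheritanceState {
    param([Parameter(Mandatory)][string]$SearchBase)
    Get-ADUser -SearchBase $SearchBase -Filter * `
        -Properties nTSecurityDescriptor, adminCount |
      ForEach-Object {
        [pscustomobject]@{
            DistinguishedName   = $_.DistinguishedName
            # AreAccessRulesProtected is true when SE_DACL_PROTECTED is set,
            # i.e. the "Allow inheritable permissions" box is cleared
            InheritanceBlocked  = $_.nTSecurityDescriptor.AreAccessRulesProtected
            # adminCount = 1 marks accounts that SDProp keeps re-protecting
            ProtectedByAdminSDH = ($_.adminCount -eq 1)
        }
      }
}

function Enable-UserInheritance {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$SearchBase)
    Get-UserInheritanceState -SearchBase $SearchBase |
      Where-Object { $_.InheritanceBlocked -and -not $_.ProtectedByAdminSDH } |
      ForEach-Object {
        $user = Get-ADUser -Identity $_.DistinguishedName -Properties nTSecurityDescriptor
        $sd = $user.nTSecurityDescriptor
        # First argument $false = do not protect the DACL, so inheritance
        # resumes; the second argument only matters when protecting
        $sd.SetAccessRuleProtection($false, $true)
        if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Enable permission inheritance')) {
            Set-ADUser -Identity $user -Replace @{ nTSecurityDescriptor = $sd }
        }
      }
}

# Constructed example OU matching the column's dsacls example
$ou = 'ou=staff,dc=mcpmag,dc=com'
# Audit: list every user with inheritance blocked and whether it is an
# AdminSDHolder-protected account that KB 817433 applies to
Get-UserInheritanceState -SearchBase $ou |
  Where-Object InheritanceBlocked |
  Format-Table DistinguishedName, ProtectedByAdminSDH -AutoSize
# Dry run of the fix; drop -WhatIf to apply it
Enable-UserInheritance -SearchBase $ou -WhatIf
```

Accounts reported with ProtectedByAdminSDH set to True are the ones to leave alone until you have worked through the KB article, since re-enabling inheritance on them will not stick.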
It seems like in IT we have a tendency to take words with good connotations
and turn them around. When family talks about "inheritance," you usually
assume you're about to get something. When a fellow IT staffer mentions inheritance,
your reaction is probably more along the lines of "What now?!"
Hopefully, one of the solutions mentioned in this column will help you to solve
your problem.