Tech Line

An Inheritance You can Do Without

Here's how to check and enable permissions inheritance for user objects in AD.

Chris: I was wondering if you could possibly give me a solution to my problem. Using Active Directory on Server 03 SE, quite a few of the users have the "Allow inheritable permissions" check box cleared. I have delegated control to a Group that has the ability to only reset passwords, and they aren't able to do this on any user with the box cleared because they aren't inheriting these permissions. Is there a script I can run or a setting I can check to automate the process of going through and checking that box for all users? Any help would greatly be appreciated.
--Jeremy

Tech Help—Just An
E-Mail Away

Got a Windows, Exchange or virtualization question or need troubleshooting help? Or maybe you want a better explanation than provided in the manuals? Describe your dilemma in an e-mail to the MCPmag.com editors at editor@mcpmag.com; the best questions get answered in this column and garner the questioner with a nifty Redmond T-shirt.

When you send your questions, please include your full first and last name, location, certifications (if any) with your message. (If you prefer to remain anonymous, specify this in your message, but submit the requested information for verification purposes.)

Jeremy: Good question. While many built-in user group objects (Administrators, Domain Administrators and Backup Operators, to name a few) have permissions inheritance disabled by default, having permissions inheritance disabled on some user objects should be a concern. Sometimes permissions inheritance is disabled for a specific reason that may be known by another member of your team. So first, I would check to determine why inheritance was disabled on some accounts in the first place. The last thing you want to do is enable inheritance to fix your current problem only to create one more.

There is a known Windows issue that may be the cause of some of the user objects in your domain having permissions inheritance disabled. To see more information on this problem, take a look at the Microsoft Support article 817433 "Delegated Permissions are Not Available and Inheritance is Automatically Disabled." If none of your fellow administrators claim responsibility for disabling permissions inheritance on some user objects, then this may be the cause of your problem. Also, the problem may have resulted simply from upgrading from an earlier version of Windows. Many Active Directory administrators have run into this, as well.

Now let me get on to answering your actual question. While you can view the advanced security settings of each user object in Active Directory to see whether permissions inheritance is disabled, an easier way to do this is by using a vbscript. A great script for this task is Sakari Kouti's ADO List Objects That Have Blocked ACL Inheritance.vbs script. To use this script, just copy and paste its contents from your Web browser into Notepad and save the file with a .VBS extension (example: auditinheritance.vbs). Since the script echoes each object that has permissions inheritance disabled, you want to be sure to run it using cscript (example: cscript auditinheritance.vbs). While Sakari may appreciate the mention of his script here, I also feel compelled to mention his book, as well. If you're looking for in-depth Active Directory information, Inside Active Directory, A System Administrator's Guide is as good as it gets.

I realize that listing the objects with permissions inheritance enabled is only half the battle. One way to enable permissions inheritance on a user object is with the support tool dsacls.exe. To enable permissions inheritance, you would use the following syntax:

dsacls "" /P:N

Note that the command options are case sensitive, so both the P and N will need to be capitalized. As an example, suppose you wanted to enable inheritance for the user bwestbrook, who is located in the Staff OU in the mcpmag.com domain. To enable permissions inheritance, you would run the following command:

dsacls "cn=bwestbrook,ou=staff,dc=mcpmag,dc=com" /P:N

If after running this command you notice that permissions inheritance is once again disabled after a couple of hours, that tells you that the user object is a member of a protected group and you'll need to follow the steps in Microsoft KB article 817433 that I mentioned earlier to correct the problem.

Now if you have several users in which you need to enable permissions inheritance, a scripted solution will be your best bet. Here is a script that I wrote that will enable permissions inheritance for every user in an OU:

'enableperminheritance.vbs
'Set strOUpath variable to match the
'target OU in your domain
strOUpath = "ou=test,dc=bg,dc=net"

Const SE_DACL_PROTECTED = 0 'enables inheritance

'Connect to OU in Active Directory
set objConn = createObject("ADODB.Connection")
set objCommand = createObject("ADODB.Command")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConn
strUsrFil = "(&(objectCategory=person)(objectClass=user))"
objCommand.CommandText = "
">" & ";" & strUsrFil & ";" & "sAMAccountName;subtree"
objCommand.Properties("Page Size") = 100
objCommand.Properties("Timeout") = 30
objCommand.Properties("Cache Results") = False
Set objUserRecords = objCommand.Execute

intUserCount = 0 'user object counter

' Enable Permissions inheritance for each user
Do Until objUserRecords.EOF
intUserCount = intUserCount + 1
strUser = objUserRecords.Fields("sAMAccountName").Value
set objUser = GetObject ("LDAP://cn=" & strUser &_
"," & strOuPath)
Set objNTSec = objUser.Get("nTSecurityDescriptor")
intNTSecDes = objNTSec.Control
intNTSecDes = intNTSecDes And SE_DACL_PROTECTED
objNTSec.Control = intNTSecDes
objUser.Put "nTSecurityDescriptor", objNTSec
objUser.SetInfo
objUserRecords.MoveNext
Loop

' Output the number of records changed
' Note that the permissions inheritance flag is
' set on all users in the OU, regardless of whether
' or not it was already set.
wscript.echo("Enabled Permissions Inheritance for " &_
intUserCount & " users in the OU " & strOUpath)

Note that you will need to specify the target OU in the strOUpath variable. Once the target OU is set, the script will enable the permissions inheritance flag of every user object in the OU.

It seems like in IT we have a tendency to take words with good connotations and turn them around. When family talks about "inheritance," you usually assume you're about to get something. When a fellow IT staffer mentions inheritance, your reaction is probably more along the lines of "What now?!"

Hopefully, one of the solutions mentioned in this column will help you to solve your problem.

About the Author

Chris Wolf is a Microsoft MVP for Windows --Virtual Machine and is a MCSE, MCT, and CCNA. He's a Senior Analyst for Burton Group who specializes in the areas of virtualization solutions, high availability, storage and enterprise management. Chris is the author of Virtualization: From the Desktop to the Enterprise (Apress), Troubleshooting Microsoft Technologies (Addison Wesley), and a contributor to the Windows Server 2003 Deployment Kit (Microsoft Press).learningstore-20/">Troubleshooting Microsoft Technologies (Addison Wesley) and a contributor to the Windows Server 2003 Deployment Kit (Microsoft Press).

comments powered by Disqus

SharePoint Watch

Sign up for our newsletter.

I agree to this site's Privacy Policy.