In Active Directory (AD), object inheritance controls how permissions are passed down from parent Organizational Units (or OUs) to the objects within them. By default, AD objects inherit permissions from their parent container unless inheritance is explicitly disabled.
In certain cases, such as privileged accounts whose adminCount attribute was set to 0 after their privilege level changed, we may find that object inheritance is disabled on those objects. Permissions are then not inherited as expected, which can lead to inconsistent access controls. For these situations we may need to explicitly re-enable inheritance.
Here’s an easy way to enable (or disable) AD object inheritance using PowerShell. This script allows you to automate the process and apply it to multiple AD objects at once.
#$users = Get-ADUser -LDAPFilter "(objectclass=user)" -SearchBase "DC=domain,DC=local"
$users = Get-ADUser JohnDo   # test with a single user first
ForEach ($user in $users)
{
    # Bind to the object through ADSI; the ADUser object's DN is the LDAP path
    $dn  = [ADSI]("LDAP://" + $user.DistinguishedName)
    $acl = $dn.psbase.ObjectSecurity
    if ($acl.get_AreAccessRulesProtected())
    {
        $isProtected = $false          # $false to enable inheritance
                                       # $true to disable inheritance
        $preserveInheritance = $true   # $true to keep inherited access rules
                                       # $false to remove inherited access rules
                                       # ignored if $isProtected = $false
        $acl.SetAccessRuleProtection($isProtected, $preserveInheritance)
        $dn.psbase.CommitChanges()
        Write-Host ($user.SamAccountName + "|" + `
            $user.DistinguishedName + `
            "|inheritance set to enabled")
    }
    else
    {
        Write-Host ($user.SamAccountName + "|" + `
            $user.DistinguishedName + `
            "|inheritance already enabled")
    }
}
For more information please refer to SetAccessRuleProtection Method.
Happy scripting!
2 thoughts on “Enable AD Object Inheritance using Powershell”
I'm trying to convert this for a script to allow objects on other AD domains to be modified. The script works fine for objects on the local AD domain, but how would you modify objects on other AD domains? The '$dn= [ADSI]("LDAP://" + $user)' seems to expect the object to exist on the local domain, and I can't figure out how to tell it to use a different DC.
Hi Craig. What do you have for get-aduser? If you can post your modified script maybe we can help figure it out.
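As an added example (not code from the original post or from the comment thread), here is a parameterised version of the same technique that covers the cross-domain case raised above: Get-ADUser is pointed at the other domain with -Server, and the ADSI path is qualified with that same server so the bind goes to the other domain's DC rather than the local one. The function name, the -ReportOnly switch and the server/OU values are assumptions; the account running it needs rights on the target objects across the trust.

```powershell
function Set-ADObjectInheritance {
    # Hypothetical function name; wraps the SetAccessRuleProtection approach from the post.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $Server,   # DC or domain FQDN, e.g. dc01.other.local (constructed)
        [string] $SearchBase,                       # e.g. "OU=Staff,DC=other,DC=local" (constructed)
        [string] $LDAPFilter = "(objectClass=user)",
        [switch] $ReportOnly                        # audit only: list protected objects, change nothing
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    $query = @{ Server = $Server; LDAPFilter = $LDAPFilter; Properties = 'adminCount' }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    foreach ($user in (Get-ADUser @query)) {
        $row = [ordered]@{ SamAccountName = $user.SamAccountName; adminCount = $user.adminCount }

        # Server-qualified ADsPath: LDAP://<server>/<DN>. Without the server part the
        # bind goes to the local domain, which is why the original script fails cross-domain.
        $entry = [ADSI]("LDAP://" + $Server + "/" + $user.DistinguishedName)
        $acl   = $entry.psbase.ObjectSecurity

        if (-not $acl.AreAccessRulesProtected) {
            $row.State = 'inheritance already enabled'
        }
        elseif ($ReportOnly -or -not $PSCmdlet.ShouldProcess($user.DistinguishedName, 'Enable inheritance')) {
            $row.State = 'inheritance disabled (not changed)'
        }
        else {
            # $false = enable inheritance; second argument is ignored when enabling
            $acl.SetAccessRuleProtection($false, $true)
            $entry.psbase.CommitChanges()
            $row.State = 'inheritance set to enabled'
        }
        [pscustomobject]$row
    }
}

# Audit first, then dry-run, then apply (constructed values):
# Set-ADObjectInheritance -Server dc01.other.local -SearchBase 'OU=Staff,DC=other,DC=local' -ReportOnly
# Set-ADObjectInheritance -Server dc01.other.local -SearchBase 'OU=Staff,DC=other,DC=local' -WhatIf
# Set-ADObjectInheritance -Server dc01.other.local -SearchBase 'OU=Staff,DC=other,DC=local'
```

Any object that is still a member of a protected group will have inheritance disabled again by the SDProp process (AdminSDHolder) on its next run, so an object that shows up as protected again afterwards usually means the group membership, not the script, needs attention.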