Enable AD Object Inheritance using Powershell

Here is an easy way to enable AD object inheritance using Powershell. This can be used for enabling (or disabling) inheritance on multiple AD objects.

#$users = Get-ADUser -ldapfilter “(objectclass=user)” -searchbase “DC=domain,DC=local”
$users = get-aduser JohnDo #test with a single user first

ForEach($user in $users)
    $dn= [ADSI](“LDAP://” + $user)
    $acl= $dn.psbase.objectSecurity
    if ($acl.get_AreAccessRulesProtected())
        $isProtected = $false # $false to enable inheritance
                              # $true to disable inheritance
        $preserveInheritance = $true # $true to keep inherited access rules
                                     # $false to remove inherited access rules.
                                     # ignored if isProtected=$false
        $acl.SetAccessRuleProtection($isProtected, $preserveInheritance)
        Write-Host($user.SamAccountName + "|" + `
                   $user.DistinguishedName + `
                   "|inheritance set to enabled")
        write-host($user.SamAccountName + "|" + `
                   $user.DistinguishedName + `
                   "|inheritance already enabled")

For more information please refer to SetAccessRuleProtection Method.

Happy scripting!

Leave a Reply

Your email address will not be published. Required fields are marked *