Enable AD Object Inheritance using Powershell

Here is an easy way to enable AD object inheritance using Powershell. This can be used for enabling (or disabling) inheritance on multiple AD objects.

#$users = Get-ADUser -LDAPFilter "(objectclass=user)" -SearchBase "DC=domain,DC=local"
$users = Get-ADUser JohnDo   # test with a single user first

ForEach ($user in $users) {
    $dn  = [ADSI]("LDAP://" + $user.DistinguishedName)
    $acl = $dn.psbase.ObjectSecurity
    if ($acl.get_AreAccessRulesProtected()) {
        $isProtected = $false          # $false to enable inheritance
                                       # $true to disable inheritance
        $preserveInheritance = $true   # $true to keep inherited access rules
                                       # $false to remove inherited access rules.
                                       # ignored if isProtected=$false
        $acl.SetAccessRuleProtection($isProtected, $preserveInheritance)
        $dn.psbase.CommitChanges()     # write the modified security descriptor back to AD
        Write-Host ($user.SamAccountName + "|" + `
                    $user.DistinguishedName + `
                    "|inheritance set to enabled")
    } else {
        Write-Host ($user.SamAccountName + "|" + `
                    $user.DistinguishedName + `
                    "|inheritance already enabled")
    }
}

For more information, please refer to the documentation of the SetAccessRuleProtection method.
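The script above changes objects as it finds them. The version below is an added example, not the post's own script: it first reports which objects under a search base have inheritance blocked, and only changes them when run with -Enable (and honours -WhatIf). It keeps the same [ADSI] bind and SetAccessRuleProtection call, but prepends a -Server value to the LDAP path so the same code can be pointed at a DC in another domain. The search base and server names are placeholders for your own environment. One caveat worth knowing before bulk-enabling inheritance: objects stamped adminCount=1 are managed by AdminSDHolder, and the SDProp process will block inheritance on them again, so the example reports and skips those instead of fighting SDProp.

```powershell
# Added example (not the original post's script): audit and optionally enable
# ACL inheritance on AD objects. Search base / server values are placeholders.
Import-Module ActiveDirectory

function Get-ADInheritanceState {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SearchBase,        # e.g. "OU=Staff,DC=domain,DC=local"
        [string]$LDAPFilter = "(objectClass=user)",
        [string]$Server,                                   # e.g. "dc01.other.local"; empty = current domain
        [switch]$Enable                                    # without this switch the function only reports
    )

    $query = @{ LDAPFilter = $LDAPFilter; SearchBase = $SearchBase; Properties = 'adminCount' }
    if ($Server) { $query.Server = $Server }

    foreach ($obj in Get-ADObject @query) {
        # Server-qualified ADSI path (LDAP://dc01.other.local/CN=...) reaches a DC in
        # another domain; without -Server this is the same serverless bind as the post.
        $prefix  = if ($Server) { "LDAP://$Server/" } else { "LDAP://" }
        $entry   = [ADSI]($prefix + $obj.DistinguishedName)
        $acl     = $entry.psbase.ObjectSecurity
        $blocked = $acl.AreAccessRulesProtected

        # adminCount=1 objects are reset to the AdminSDHolder ACL by SDProp, which
        # blocks inheritance again, so enabling it here would not stick.
        $sdprop = ($obj.adminCount -eq 1)

        $action = 'none'
        if ($blocked -and $sdprop) {
            $action = 'skipped (adminCount=1, managed by AdminSDHolder)'
        } elseif ($blocked -and $Enable -and
                  $PSCmdlet.ShouldProcess($obj.DistinguishedName, 'Enable ACL inheritance')) {
            $acl.SetAccessRuleProtection($false, $true)   # enable inheritance, keep inherited ACEs
            $entry.psbase.CommitChanges()                 # persist the change
            $action = 'enabled'
        }

        [PSCustomObject]@{
            Name               = $obj.Name
            DistinguishedName  = $obj.DistinguishedName
            InheritanceBlocked = $blocked
            AdminCount         = $obj.adminCount
            Action             = $action
        }
    }
}

# Report only (safe default):
#   Get-ADInheritanceState -SearchBase "OU=Staff,DC=domain,DC=local" | Where-Object InheritanceBlocked
# Dry run of the change, then the real change:
#   Get-ADInheritanceState -SearchBase "OU=Staff,DC=domain,DC=local" -Enable -WhatIf
#   Get-ADInheritanceState -SearchBase "OU=Staff,DC=domain,DC=local" -Enable
# Another domain: add -Server "dc01.other.local" and a search base in that domain.
```

Running the report first and exporting it (for example to CSV) gives you a before/after record of every object whose security descriptor you changed, which is the evidence you want on hand if an object later turns out to have had inheritance blocked on purpose.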

Happy scripting!

2 thoughts on “Enable AD Object Inheritance using Powershell”

  1. I’m trying to convert this for a script to allow objects on other AD domains to be modified. The script works fine for objects on the local AD domain, but how would you modify objects on other AD domains? The ‘$dn= [ADSI](“LDAP://” + $user)’ seems to expect the object to exist on the local domain, and I can’t figure out how to tell it to use a different DC.

  2. Hi Craig. What do you have for get-aduser? If you can post your modified script maybe we can help figure it out.
