Enable AD Object Inheritance using Powershell

An easy way to enable AD object inheritance using PowerShell. The script below binds to each object, checks whether its DACL is protected from inheritance (AreAccessRulesProtected), and if so clears the protection flag. The same loop can be used to disable inheritance on multiple AD objects by flipping $isProtected. Two things to keep in mind before running it against a whole OU: enabling inheritance changes the effective permissions on every object it touches, so test on a single account first and review the parent ACL; and accounts that are members of protected groups (adminCount=1) are re-protected by the AdminSDHolder/SDProp process, by default every 60 minutes, so re-enabling inheritance on those will be undone unless they are first removed from the protected groups and adminCount is cleared.


#$users = Get-ADUser -LDAPFilter "(objectclass=user)" -SearchBase "DC=domain,DC=local"
$users = Get-ADUser JohnDo   # test with a single user first

ForEach ($user in $users)
{
    # Bind to the object by DN; ADUser objects expose it as a property
    $dn  = [ADSI]("LDAP://" + $user.DistinguishedName)
    $acl = $dn.psbase.ObjectSecurity   # System.DirectoryServices.ActiveDirectorySecurity
    if ($acl.AreAccessRulesProtected)  # $true means inheritance is currently disabled
    {
        $isProtected = $false          # $false to enable inheritance
                                       # $true to disable inheritance
        $preserveInheritance = $true   # $true to keep inherited access rules
                                       # $false to remove inherited access rules
                                       # ignored if $isProtected = $false
        $acl.SetAccessRuleProtection($isProtected, $preserveInheritance)
        $dn.psbase.CommitChanges()     # nothing is written to AD until this call
        Write-Host ($user.SamAccountName + "|" + `
                    $user.DistinguishedName + `
                    "|inheritance set to enabled")
    }
    else
    {
        Write-Host ($user.SamAccountName + "|" + `
                    $user.DistinguishedName + `
                    "|inheritance already enabled")
    }
}
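As an added example (not part of the original post), here is the same operation wrapped in a function that supports -WhatIf/-Confirm for a dry run, reports what it found as objects you can pipe to Export-Csv, and skips adminCount=1 accounts by default because SDProp would revert the change on those anyway. The OU path and the function name are assumptions for illustration; it needs the ActiveDirectory module (RSAT) and the rights to write the security descriptor on the target objects.

```powershell
# Added example, not from the original post. Audits inheritance on all users
# under an OU and optionally re-enables it. -WhatIf shows what would change.
#Requires -Modules ActiveDirectory

function Enable-ADUserInheritance {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)]
        [string]$SearchBase,          # e.g. "OU=Staff,DC=domain,DC=local" (assumed path)

        [switch]$IncludeAdminCount    # also touch adminCount=1 objects; SDProp will undo it
    )

    # adminCount=1 marks accounts that the AdminSDHolder/SDProp process re-protects
    # (inheritance disabled again) roughly every 60 minutes, so they are skipped by default.
    $users = Get-ADUser -Filter * -SearchBase $SearchBase -Properties adminCount

    foreach ($user in $users) {
        $entry = [ADSI]("LDAP://" + $user.DistinguishedName)
        $acl   = $entry.psbase.ObjectSecurity   # ActiveDirectorySecurity

        $result = [pscustomobject]@{
            SamAccountName    = $user.SamAccountName
            DistinguishedName = $user.DistinguishedName
            AdminCount        = if ($user.adminCount) { [int]$user.adminCount } else { 0 }
            WasProtected      = $acl.AreAccessRulesProtected
            Action            = 'none'
        }

        if (-not $acl.AreAccessRulesProtected) {
            $result.Action = 'already inherits'
        }
        elseif ($result.AdminCount -eq 1 -and -not $IncludeAdminCount) {
            $result.Action = 'skipped (adminCount=1, SDProp would revert)'
        }
        elseif ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Enable ACL inheritance')) {
            # isProtected=$false re-enables inheritance; the second argument is
            # ignored in that case (it only matters when protecting the DACL).
            $acl.SetAccessRuleProtection($false, $true)
            $entry.psbase.CommitChanges()
            $result.Action = 'inheritance enabled'
        }
        else {
            $result.Action = 'not applied (WhatIf or declined)'
        }

        $result
    }
}

# Dry run first, then apply and keep a record of what was changed:
# Enable-ADUserInheritance -SearchBase "OU=Staff,DC=domain,DC=local" -WhatIf | Format-Table
# Enable-ADUserInheritance -SearchBase "OU=Staff,DC=domain,DC=local" |
#     Export-Csv .\inheritance-report.csv -NoTypeInformation
```

Running it once with -WhatIf and keeping the CSV gives you a before/after record of which objects had a protected DACL, which is what you want to hand to whoever asks later why a user's permissions changed.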

For more information, refer to the .NET documentation for the ObjectSecurity.SetAccessRuleProtection method (ActiveDirectorySecurity, which is what ObjectSecurity on a DirectoryEntry returns, inherits it).

Happy scripting!
