Here is an easy way to enable AD object inheritance using PowerShell. The same loop can be used to enable (or disable) inheritance on multiple AD objects by changing the values of `$isProtected` and `$preserveInheritance`.
```powershell
Import-Module ActiveDirectory   # provides Get-ADUser

#$users = Get-ADUser -LDAPFilter "(objectclass=user)" -SearchBase "DC=domain,DC=local"
$users = Get-ADUser JohnDo   # test with a single user first

ForEach ($user in $users)
{
    # Bind to the object through ADSI using its distinguished name
    $dn  = [ADSI]("LDAP://" + $user.DistinguishedName)
    $acl = $dn.psbase.ObjectSecurity

    if ($acl.get_AreAccessRulesProtected())
    {
        $isProtected = $false           # $false to enable inheritance
                                        # $true to disable inheritance
        $preserveInheritance = $true    # $true to keep inherited access rules
                                        # $false to remove inherited access rules
                                        # ignored if isProtected=$false
        $acl.SetAccessRuleProtection($isProtected, $preserveInheritance)
        $dn.psbase.CommitChanges()
        Write-Host ($user.SamAccountName + "|" + `
            $user.DistinguishedName + `
            "|inheritance set to enabled")
    }
    else
    {
        Write-Host ($user.SamAccountName + "|" + `
            $user.DistinguishedName + `
            "|inheritance already enabled")
    }
}
```
For more information, please refer to the documentation of the ObjectSecurity.SetAccessRuleProtection method.
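As an added example (not part of the original post), here is a report-first variant of the same idea that uses the `AD:` PSDrive created by the ActiveDirectory module together with `Get-Acl`/`Set-Acl` instead of ADSI. It lists every user under a search base whose ACL has inheritance disabled, flags accounts with `adminCount=1` (the AdminSDHolder/SDProp process will disable inheritance on those again within about an hour, so "fixing" them is pointless), and only changes anything when `-Fix` is given; the function name, parameters and the `DC=domain,DC=local` search base are assumptions.

```powershell
function Repair-ADUserInheritance {
    # Added example, not the original post's script. Audits (and with -Fix, repairs)
    # ACL inheritance on user objects; honours -WhatIf/-Confirm for a dry run.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$SearchBase,   # e.g. "OU=Staff,DC=domain,DC=local" (assumed value)
        [switch]$Fix           # without -Fix the function only reports
    )

    Import-Module ActiveDirectory -ErrorAction Stop   # also creates the AD: drive

    # adminCount is read so the report can flag accounts SDProp will re-protect
    $users = Get-ADUser -Filter * -SearchBase $SearchBase -Properties adminCount

    foreach ($user in $users) {
        $path = "AD:\" + $user.DistinguishedName
        $acl  = Get-Acl -Path $path   # System.DirectoryServices.ActiveDirectorySecurity

        # Inheritance already enabled: nothing to report or change
        if (-not $acl.AreAccessRulesProtected) { continue }

        [pscustomobject]@{
            SamAccountName    = $user.SamAccountName
            DistinguishedName = $user.DistinguishedName
            AdminCount        = $user.adminCount
            # adminCount=1 means AdminSDHolder/SDProp will disable inheritance again
            WillBeReprotected = ($user.adminCount -eq 1)
        }

        if ($Fix -and $PSCmdlet.ShouldProcess($user.DistinguishedName, "Enable ACL inheritance")) {
            # $false = not protected (enable inheritance); $true = keep existing inherited rules
            $acl.SetAccessRuleProtection($false, $true)
            Set-Acl -Path $path -AclObject $acl
        }
    }
}

# Report only: which users currently have inheritance disabled, and why that may be
Repair-ADUserInheritance -SearchBase "DC=domain,DC=local" | Format-Table -AutoSize

# Apply after reviewing the report; run with -WhatIf first to see what would change
# Repair-ADUserInheritance -SearchBase "DC=domain,DC=local" -Fix -WhatIf
```

Running the report before the fix also gives you a record of which objects were deliberately protected, which is worth keeping: inheritance disabled on an ordinary user account with `adminCount=0` is usually either a leftover from a former privileged group membership or a change someone made by hand, and either deserves a look before it is silently undone.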
Happy scripting!