Question
Thursday, April 3, 2014 5:28 PM | 1 vote
We are currently migrating our users from Exchange 2003 to Exchange 2010. In our Exchange 2003 environment on the AD user properties > security tab > advanced ‘allow inheritable permissions from the parent to propagate to this object and all child objects. Include these entries explicitly defined here.’ is unticked.
I’m looking for a PowerShell script that will report all users who have this box unchecked and a second script to run through and check it on the required users.
Hopefully this isn't too big a job and someone would be able to help me out?
Many Thanks
All replies (2)
Thursday, April 3, 2014 6:04 PM ✅Answered | 1 vote
To identify the accounts, try this:
Get-ADUser -Filter * -Properties ntSecurityDescriptor |
Where-Object { $_.ntSecurityDescriptor.AreAccessRulesProtected }
To re-enable permission inheritance, you'd need to call SetAccessRuleProtection($false, $true) on each ntSecurityDescriptor object, and commit the changes back to the directory. Something like this (though I haven't tested this part):
Get-ADUser -Filter * -Properties ntSecurityDescriptor |
    Where-Object { $_.ntSecurityDescriptor.AreAccessRulesProtected } |
    ForEach-Object {
        $_.ntSecurityDescriptor.SetAccessRuleProtection($false, $true)
        $_ | Set-ADUser -Replace @{ntSecurityDescriptor = $_.ntSecurityDescriptor}
    }
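As an added example (not code from the thread or from either poster), the following script separates the two halves of the question into a report step and a remediation step, and adds the check a practitioner wants before re-enabling inheritance: accounts with adminCount set to 1 are members (or former members) of protected groups such as Domain Admins, and the SDProp process re-applies the AdminSDHolder ACL and re-blocks inheritance on them roughly every hour, so changing them without understanding why they are protected is both pointless and risky. The example reads and writes the ACL through the AD: PSDrive with Get-Acl/Set-Acl rather than Set-ADUser -Replace, supports -WhatIf for a dry run, and writes a CSV for review first. It assumes the ActiveDirectory module (RSAT) is installed; the output file name is a placeholder.

```powershell
# Added example, not from the original thread. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-ProtectedAdUser {
    # Report every user whose security descriptor blocks inheritance from the parent.
    [CmdletBinding()]
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    Get-ADUser -Filter * -SearchBase $SearchBase -Properties ntSecurityDescriptor, adminCount, memberOf |
        Where-Object { $_.ntSecurityDescriptor.AreAccessRulesProtected } |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName    = $_.SamAccountName
                DistinguishedName = $_.DistinguishedName
                AdminCount        = $_.adminCount        # 1 => SDProp/AdminSDHolder will re-block inheritance
                GroupCount        = @($_.memberOf).Count
            }
        }
}

function Restore-AdUserInheritance {
    # Re-enable inheritance on one object, keeping its explicit ACEs; honours -WhatIf/-Confirm.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string]$DistinguishedName,
        [switch]$ClearAdminCount      # only for accounts confirmed to no longer be protected
    )
    process {
        $path = "AD:\$DistinguishedName"
        $acl  = Get-Acl -Path $path
        if (-not $acl.AreAccessRulesProtected) { return }   # nothing to do
        # $false = stop blocking inheritance; $true = preserve the explicit entries already present
        $acl.SetAccessRuleProtection($false, $true)
        if ($PSCmdlet.ShouldProcess($DistinguishedName, 'Re-enable ACL inheritance')) {
            Set-Acl -Path $path -AclObject $acl
            if ($ClearAdminCount) {
                Set-ADObject -Identity $DistinguishedName -Clear adminCount
            }
        }
    }
}

# 1. Report first and review the CSV before changing anything (placeholder file name).
$protected = Get-ProtectedAdUser
$protected | Export-Csv -Path .\protected-users.csv -NoTypeInformation
$protected | Format-Table -AutoSize

# 2. Dry run against the accounts that are not protected admins; drop -WhatIf to apply.
$protected | Where-Object { $_.AdminCount -ne 1 } | Restore-AdUserInheritance -WhatIf
```

Leaving accounts with adminCount 1 out of the remediation pass is deliberate: if inheritance is re-enabled on them, SDProp will undo the change within the hour, and the mismatch between the expected and actual ACL is itself a useful signal when auditing who is treated as a protected principal in the domain.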
Thursday, April 3, 2014 5:35 PM
I think DSACLS might do what you need.