Active Directory Permission Inheritance (The Glories of Consistency!)
Someone asked a question (on experts-exchange) about how to Enable Permission Inheritance on an Active Directory Object.
Here is what I came up with.
# Enable AD Permission Inheritance on an Object
Param($DN)
$user = [ADSI]"LDAP://$dn"
$user.psbase.ObjectSecurity.SetAccessRuleProtection($false,$true)
$user.psbase.CommitChanges()
During the same thread someone also asked how to do it in the File System.
Check it out… It is very similar.
# Enable File Permission Inheritance on an Object
Param($path)
$acl = Get-Acl $path
$acl.SetAccessRuleProtection($false,$true)
Set-Acl -AclObject $acl -Path $path
This is just another case where relying on the .NET Framework provides power and consistency: both scripts call the same SetAccessRuleProtection method, only the object it is called on differs.
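The two scripts above flip inheritance on one object at a time. The script below is an added example, not from the original post, that goes one step further in the same direction: it walks an AD container and a folder tree, reports every object whose DACL is protected from inheritance (the AreAccessRulesProtected property that backs both the AD and file-system ACL classes), and re-enables inheritance only when -Fix is given. The $SearchBase DN and $FolderRoot path are hypothetical placeholders.

```powershell
# Added example (not from the original post): audit inheritance state under an
# AD container and a folder tree, optionally re-enabling it with -Fix.
# $SearchBase and $FolderRoot are hypothetical values; replace them.
Param(
    [string]$SearchBase = "OU=Users,DC=example,DC=com",   # hypothetical DN
    [string]$FolderRoot = "C:\Shares\Projects",            # hypothetical path
    [switch]$Fix                                           # re-enable inheritance when set
)

# --- Active Directory: find objects whose DACL is protected from inheritance ---
$root     = [ADSI]"LDAP://$SearchBase"
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter      = "(objectClass=*)"
$searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
$searcher.PageSize    = 1000   # paged search so large OUs are not truncated

foreach ($result in $searcher.FindAll()) {
    $entry = $result.GetDirectoryEntry()
    $sec   = $entry.psbase.ObjectSecurity      # ActiveDirectorySecurity, same as the original script
    if ($sec.AreAccessRulesProtected) {
        "AD  : inheritance blocked on {0}" -f $result.Path
        if ($Fix) {
            # Same call as the original script: $false = inherit from the parent again.
            $sec.SetAccessRuleProtection($false, $true)
            $entry.psbase.CommitChanges()
        }
    }
}

# --- File system: same property and method via Get-Acl / Set-Acl ---
Get-ChildItem -Path $FolderRoot -Recurse | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $acl = Get-Acl -Path $_.FullName
    if ($acl.AreAccessRulesProtected) {
        "File: inheritance blocked on {0}" -f $_.FullName
        if ($Fix) {
            $acl.SetAccessRuleProtection($false, $true)
            Set-Acl -Path $_.FullName -AclObject $acl
        }
    }
}
```

Run it without -Fix first so the output is a read-only report of where inheritance has been broken; rerun with -Fix to apply the same SetAccessRuleProtection($false, $true) call the original scripts use. Note that the second argument (preserveInheritance) only has an effect when the first argument is $true, i.e. when you are blocking inheritance and choosing whether the inherited ACEs are copied into explicit ones; when re-enabling inheritance it is ignored.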
tshell :: Mar.10.2008 :: Active Directory, Powershell :: 2 Comments »


Hi BSonPosh,
You pointed me to this page on expert-exchange as per my question on scripting ACE reordering in DACLs. If you use your first script here above to remove inheritance and then try to modify permissions with Add- or Remove-ADPermission, you'll surely encounter my problem. If ever you find a scriptable solution, I'm definitely interested. Regards, RsjR
Hi BSonPosh,
I’ve been finding answers to many of my questions in your responses on experts-exchange.com and I believe that I will have much to learn from you for a very long time :c)
I've tried your script here to remove inheritance on all address lists in Exchange 2007 (setting up a hosting solution), but when I then take a look at the security tab of that CN in ADSI Edit, I get an error that the permissions are incorrectly ordered. Are you familiar with that problem?
Best regards,
Flemming