AD: Reset permissions on all child objects in an OU

XOR != OR

So I have a tree I took over maintenance on, and I have been reorganizing as I go. I have granted access to our help desk folks to reset permissions and change the account lockout time (necessary for them to unlock accounts). I applied this setting at the parent OU for the users I want them administrating, but they have been unable to do so. Doing some digging, the permissions I applied at the parent OU are not automatically applying to the user objects which live within it and below it.

I can manually go in there and apply parent permissions to the objects and achieve the desired results, but there are thousands of accounts I'd have to touch. While I could vbscript it, I'm sure, I'm looking for a more elegant solution. Just like you can apply permissions to subordinate objects on a file system, I'd assume a similar option exists somewhere, and I'm just overlooking it.
 
In Active Directory Users and Computers, under View, make sure Advanced Features is checked. That should show the Security tab on properties of objects. The advanced button on this tab has the Inherit checkbox.
 
Found out a bit more information; this box is unchecked at regular intervals if the user account is part of a "protected group", like domain admins. Which all accounts in the domain were...don't ask.

Ya, I can see the check box. I want to recheck it for all users under a specific OU.
 
Code:
On Error Resume Next

Const ADS_SCOPE_SUBTREE = 2
Const SE_DACL_PROTECTED = &H1000   ' control-word bit that blocks inherited ACEs on the DACL
Dim objConnection, objCommand, objRecordSet
Dim objUser, objNtSecurityDescriptor, intNtSecurityDescriptorControl

' Open an ADO connection to the ADSI OLE DB provider and search the OU recursively
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection

objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE

objCommand.CommandText = _
    "SELECT * FROM 'LDAP://ou=Target Users,dc=some,dc=domain,dc=com' WHERE objectCategory='user'"
Set objRecordSet = objCommand.Execute
objRecordSet.MoveFirst

Do Until objRecordSet.EOF
    'Wscript.Echo objRecordSet.Fields.Item(0)
    'WScript.Echo Right(objRecordSet.Fields.Item(0), Len(objRecordSet.Fields.Item(0)) - 7)

    ' Field 0 is the ADsPath of the user object; bind to it directly
    Set objUser = GetObject(objRecordSet.Fields.Item(0))
    Wscript.Echo "User: " & objUser.sAMAccountName

    ' Read the security descriptor and inspect its control flags
    Set objNtSecurityDescriptor = objUser.Get("ntSecurityDescriptor")
    intNtSecurityDescriptorControl = objNtSecurityDescriptor.Control

    If (intNtSecurityDescriptorControl And SE_DACL_PROTECTED) Then
        Wscript.Echo "Allow inheritable permissions check box disabled"
        ' The bit is known to be set here, so Xor clears it (and only it)
        intNtSecurityDescriptorControl = intNtSecurityDescriptorControl Xor SE_DACL_PROTECTED
        objNtSecurityDescriptor.Control = intNtSecurityDescriptorControl
        objUser.Put "ntSecurityDescriptor", objNtSecurityDescriptor
        objUser.SetInfo
    Else
        'Wscript.Echo "Allow inheritable permissions check box enabled"
    End If
    objRecordSet.MoveNext
Loop

This is the magic. It's not as simple as I might have hoped, but it worked. The names have been changed to protect the innocent.
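The same job in PowerShell, added here as an example and not part of the thread. It assumes the RSAT ActiveDirectory module (which provides Get-ADUser and the AD: drive that Get-Acl/Set-Acl work against), and the OU distinguished name is a placeholder to replace with your own. AreAccessRulesProtected is the managed view of the same SE_DACL_PROTECTED control bit the VBScript checks, and SetAccessRuleProtection($false, $true) re-enables inheritance while keeping the explicit ACEs already on the object. It also reports adminCount, because the thread's later observation that the box gets unchecked again on members of protected groups is the AdminSDHolder/SDProp process, which re-protects those objects on a schedule until the account leaves every protected group.

```powershell
# Added example (not the thread's code). Assumes the RSAT ActiveDirectory module.
# -SearchBase is a placeholder; point it at the OU you delegated.
param(
    [string]$SearchBase = "OU=Target Users,DC=some,DC=domain,DC=com",
    [switch]$ReportOnly   # list blocked objects without changing anything
)

Import-Module ActiveDirectory

# adminCount=1 marks accounts SDProp has stamped with the AdminSDHolder ACL
$users = Get-ADUser -SearchBase $SearchBase -SearchScope Subtree -Filter * -Properties adminCount

foreach ($u in $users) {
    $path = "AD:\$($u.DistinguishedName)"
    $acl  = Get-Acl -Path $path

    # Same condition as (Control And SE_DACL_PROTECTED) in the VBScript:
    # "Include inheritable permissions from this object's parent" is unchecked
    if (-not $acl.AreAccessRulesProtected) { continue }

    Write-Host "Inheritance blocked: $($u.SamAccountName)"
    if ($u.adminCount -eq 1) {
        Write-Warning ("{0} has adminCount=1; SDProp will re-block inheritance " +
                       "until the account is removed from all protected groups.") -f $u.SamAccountName
    }
    if ($ReportOnly) { continue }

    # $false = stop protecting the DACL (re-enable inheritance)
    # $true  = preserve the explicit ACEs currently on the object
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $path -AclObject $acl
    Write-Host "Inheritance re-enabled: $($u.SamAccountName)"
}
```

Run it once with -ReportOnly to get the list of blocked objects and the adminCount warnings before writing anything; the warnings tell you which accounts will revert on their own and need the group membership cleaned up first.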
 
Found out a bit more information; this box is unchecked at regular intervals if the user account is part of a "protected group", like domain admins. Which all accounts in the domain were...don't ask.


As scary as that is, I didn't even think about asking. :rolleyes:

Seen too many scary things.

If it's just items related to a particular property to which you need to provide access, sometimes doing the permissioning at the specific property level can avoid some of the system-wide protections. Domain admins has a lot of special treatment though; it is really hard to change the default behavior on accounts in that group.
 
I just started this job two months ago, and when I got here EVERY user was a member of the domain admins group. Why? So they could make administrative changes to their local workstation.

No one understood what kind of access domain admins have, and didn't believe me when I told them. It was one of the first things I changed, but it still took an act of god to get things rolling.

EDIT: Adding these tags to aid in future searches
Include inheritable permissions from this object's parents
ADODB.Connection
ADODB.Command
ntSecurityDescriptor
&H1000
 