Need to force security inheritance in active directory on users
Solution 1:
You can enable/disable inheritance in dsa if you turn on Advanced Features under View. This will add a Security tab (among others) to object properties. On the Security tab click the Advanced button and check/uncheck Include inheritable permissions from this object's parent.
Alternatively, you can use the command line to enable inheritance. The dsacls command allows you to modify domain ACLs. The following would enable inheritance for my user object:
dsacls "CN=Jason Scott,OU=Staff,OU=ISC,OU=Buildings & Depts,DC=my,DC=domain,DC=edu" /P:N
Should you require setting inheritance for a large number of user objects, wrap the above in a FOR loop which calls dsquery. A very brute-force example would be something like:
FOR /F "usebackq delims=;" %A IN (`dsquery user -limit 0`) DO dsacls %A /P:N
If these users are "un-inheriting" themselves automatically, you may be seeing a side effect of AdminSDHolder. If you remove the users from all of the AdminSDHolder protected groups, they should retain their inheritance settings.
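The same procedure as a PowerShell script, added here as an example and not part of the answer above: it lists every user whose DACL has inheritance blocked, flags the ones that carry adminCount=1 (the AdminSDHolder/SDProp case the answer mentions), and with -Fix turns inheritance back on the way the Security tab checkbox does. It assumes the ActiveDirectory module (RSAT) and its AD: drive are available and that the caller can write the DACL of the affected objects; the script name, parameter names and default search base are assumptions, not anything from the answer.

```powershell
# Fix-UserInheritance.ps1 (added example, not code from the original answer).
# Report user objects whose security descriptor is "protected" (inheritance blocked)
# and, with -Fix, re-enable inheritance from the parent container.
# Assumptions: ActiveDirectory module (RSAT) installed, AD: drive present, caller has
# write access to the DACL of the user objects in scope.
param(
    [string]$SearchBase = (Get-ADDomain).DistinguishedName,  # assumption: whole domain
    [switch]$Fix,              # default is report-only
    [switch]$ClearAdminCount   # also clear adminCount on fixed users (see comment below)
)
Import-Module ActiveDirectory

# Every user whose nTSecurityDescriptor has the "protected" flag set, i.e. the
# "Include inheritable permissions from this object's parent" box is unticked.
$blocked = Get-ADUser -Filter * -SearchBase $SearchBase `
    -Properties adminCount, nTSecurityDescriptor |
    Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected }

foreach ($u in $blocked) {
    $isAdminSDHolderVictim = ($u.adminCount -eq 1)

    # Report line: adminCount=1 means SDProp stamped this object from AdminSDHolder.
    [pscustomobject]@{
        User       = $u.DistinguishedName
        AdminCount = $u.adminCount
        Cause      = if ($isAdminSDHolderVictim) { 'AdminSDHolder/SDProp' } else { 'manual' }
    }

    if (-not $Fix) { continue }

    # isProtected=$false turns inheritance back on; preserveInheritance=$true keeps the
    # explicit ACEs already present on the object instead of discarding them.
    $path = "AD:\" + $u.DistinguishedName
    $acl  = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $path -AclObject $acl

    # SDProp runs periodically and will re-protect the object for as long as the user is
    # still a member of a protected group, so only clear adminCount after that membership
    # has been removed (adminCount is not cleared automatically on removal).
    if ($ClearAdminCount -and $isAdminSDHolderVictim) {
        Set-ADUser -Identity $u -Clear adminCount
    }
}
```

Run it without switches first to get the list and the likely cause for each object; rerun with -Fix (and -ClearAdminCount only for users already removed from the protected groups) to apply the change. Users still in a protected group will show up again after the next SDProp pass, which is the effect described in the last paragraph of the answer.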