Need to force security inheritance in active directory on users

Solution 1:

You can enable/disable inheritance in dsa if you turn on Advanced Features under View. This will add a Security tab (among others) to object properties. On the Security tab click the Advanced button and check/uncheck Include inheritable permissions from this object's parent.

Alternatively, you can use the command line to enable inheritance. The dsacls command allows you to modify domain ACLs. The following would enable inheritance for my user object:

dsacls "CN=Jason Scott,OU=Staff,OU=ISC,OU=Buildings & Depts,DC=my,DC=domain,DC=edu" /P:N

Should you require setting inheritance for a large number of user objects, wrap the above in a FOR loop which calls dsquery. A very brute-force example would be something like:

FOR /F "usebackq delims=;" %A IN (`dsquery user -limit 0`) DO dsacls %A /P:N

If these users are "un-inheriting" themselves automatically, you may be seeing a side effect of AdminSDHolder. If you remove the users from all of the AdminSDHolder protected groups, they should retain their inheritance settings.
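
A more selective alternative to the brute-force loop, as an added example that is not part of the original answer: it changes only users whose ACL is currently protected from inheritance, and reports accounts with adminCount=1 for review instead of changing them, since AdminSDHolder would reset those. It assumes the ActiveDirectory PowerShell module and dsacls.exe are available; the search base DN and the -Apply switch are placeholders chosen for this example.

```powershell
#Requires -Modules ActiveDirectory
# Added example. $SearchBase is a placeholder DN; replace it with your own OU.
param(
    [string]$SearchBase = 'OU=Staff,DC=example,DC=com',
    [switch]$Apply      # without -Apply the script only reports
)

# Pull the security descriptor and adminCount together with each user.
$users = Get-ADUser -Filter * -SearchBase $SearchBase `
    -Properties nTSecurityDescriptor, adminCount

foreach ($u in $users) {
    # AreAccessRulesProtected = $true means inheritance is disabled.
    if (-not $u.nTSecurityDescriptor.AreAccessRulesProtected) { continue }

    if ($u.adminCount -eq 1) {
        # Stamped by AdminSDHolder. While the account is in a protected group,
        # inheritance will be stripped again, so fix group membership first.
        # adminCount is not cleared automatically when the user leaves the group.
        $action = 'Review: adminCount=1 (AdminSDHolder)'
    }
    elseif ($Apply) {
        # /P:N clears the "protected" flag, which turns inheritance back on.
        & dsacls.exe $u.DistinguishedName /P:N | Out-Null
        $action = if ($LASTEXITCODE -eq 0) { 'Inheritance enabled' }
                  else { "dsacls failed (exit code $LASTEXITCODE)" }
    }
    else {
        $action = 'Would enable inheritance (re-run with -Apply)'
    }

    [pscustomobject]@{
        User   = $u.DistinguishedName
        Action = $action
    }
}
```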