Ran into a situation at a client location where in Active Directory, the security permissions applied to an OU were not getting inherited permissions on to the objects. Basically, security inheritance was broken.This causes a problem when the administrative accounts or groups needing to modify an attribute on the AD object throw errors, or are unable to edit the AD object.
To find out which objects were not getting the inherited permissions run the following :
I ran it on the entire domain to identity potential problem accounts. 🙂
To fix the issue:
Reference:
https://docs.microsoft.com/en-us/dotnet/api/system.security.accesscontrol.objectsecurity.areaccessrulesprotected?view=netframework-4.8
https://blogs.msdn.microsoft.com/adpowershell/2009/10/22/viewconfigure-protected-acl-and-fixing-broken-inheritance/
Author
Related Posts
Adding an Application Registration\ Service Principal to another Application Registration\ Service Principal
Typically when working with App Roles in Azure Active Directory for a single application registration or service principal and then self consuming...
Read out all
Get all the domains controllers in the AD forest along with their current FSMO roles
In a large enterprise an admin would need to keep track of all the domains in a AD forest, the domain names,...
Read out all
Force synchronization for DFSR-replicated SYSVOL
One of my clients had a problem with processing GPO on client computers. Different computers applied different settings from the same GPO...
Get Inactive Users Report for the past 60 days in a multi domain environment
I had a request recently to provide an inactive user report for the past 60 days. Basically, find out which accounts have...
Get Primary, Secondary, Tertiary DNS values and more from Multiple Servers
Came across a unique request to get primary, secondary, and tertiary DNS values for multiple computers/servers across the domain. I started writing...
How to Fix: Attribute userAccountControl of DC is: 0x82020
When running a DCDiag at a customer site today I had the following error occur: [su_box title=”” box_color=”#f3f1cb” title_color=”#000000″ radius=”6″]Warning: Attribute userAccountControl...