Ran into a situation at a client location where in Active Directory, the security permissions applied to an OU were not getting inherited permissions on to the objects. Basically, security inheritance was broken.This causes a problem when the administrative accounts or groups needing to modify an attribute on the AD object throw errors, or are unable to edit the AD object.
To find out which objects were not getting the inherited permissions run the following :
I ran it on the entire domain to identity potential problem accounts. 🙂
|
1 2 |
#Replace the -SearchBase value with the OU that contains the problems user(s) Get-ADUser -SearchBase "DC=mowasay,DC=com" -Filter * -Properties nTSecurityDescriptor | ?{ $_.nTSecurityDescriptor.AreAccessRulesProtected -eq "True"} |
To fix the issue:
|
1 2 3 4 5 6 |
#Replace the -SearchBase value with the OU that contains the problems user(s) Get-ADUser -SearchBase "DC=mowasay,DC=com" -Filter * -Properties nTSecurityDescriptor | Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected -eq "True" } | ForEach-Object { $_.ntSecurityDescriptor.SetAccessRuleProtection($false, $true) $_ | Set-ADUser -Replace @{ntSecurityDescriptor = $_.ntSecurityDescriptor } } |
Reference:
https://docs.microsoft.com/en-us/dotnet/api/system.security.accesscontrol.objectsecurity.areaccessrulesprotected?view=netframework-4.8
https://blogs.msdn.microsoft.com/adpowershell/2009/10/22/viewconfigure-protected-acl-and-fixing-broken-inheritance/
