Active Directory - List and Set/Fix AD users not inheriting permissions

2011/02/16

updated: 2013/03/29

Inherited permissions are those that are propagated to an object from a parent object. Inherited permissions ease the task of managing permissions and ensure consistency of permissions among all objects within a given container.

If the Allow and Deny permission check boxes in the various parts of the access control user interface are shaded when you view the permissions of an object, the object has inherited permissions from a parent object. You can set these inherited permissions by using the Permissions tab of the Advanced Security Settings properties page.

Check Technet for more information

Here is the PowerShell way to check which users are not inheriting permissions and how to enable inheritance for all your users. You will need to use the Quest Active Directory snap-in.

List Users without Inheriting Permission

# This command lists the users that are not inheriting permissions
Get-QADUser -SizeLimit 0 | `
Where-Object {$_.DirectoryEntry.PSBase.ObjectSecurity.AreAccessRulesProtected}


Enabling Inheriting Permission for all Users

# This command enables permission inheritance on every account where it is currently disabled
Get-QADUser -SizeLimit 0 | `
Where-Object {$_.DirectoryEntry.PSBase.ObjectSecurity.AreAccessRulesProtected} | `
Set-QADObjectSecurity -UnLockInheritance
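
A report-first variant of the two commands above, as an added example that is not part of the original post. It goes beyond the post by setting aside accounts with adminCount = 1: these are (or once were) members of protected groups, AD's AdminSDHolder/SDProp process disables inheritance on them deliberately and reapplies that setting periodically, so unlocking them is undone and only adds noise. The CSV path and variable names are assumptions.

```powershell
# Added example: review first, then change. Uses the same Quest snap-in as the post.
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

# 1. Collect every user whose ACL is protected (inheritance disabled)
$protected = @(Get-QADUser -SizeLimit 0 |
    Where-Object { $_.DirectoryEntry.PSBase.ObjectSecurity.AreAccessRulesProtected })

# 2. Split the result: adminCount = 1 marks accounts stamped by AdminSDHolder/SDProp.
#    The attribute is read from the underlying DirectoryEntry (empty when never set).
$managed    = @($protected | Where-Object {
    $_.DirectoryEntry.Properties['adminCount'].Value -eq 1 })
$candidates = @($protected | Where-Object {
    $_.DirectoryEntry.Properties['adminCount'].Value -ne 1 })

# 3. Keep a record of what was found before anything is modified
#    (report path is an assumption; adjust as needed)
$protected |
    Select-Object Name, DN,
        @{ Name = 'AdminCount'
           Expression = { $_.DirectoryEntry.Properties['adminCount'].Value } } |
    Export-Csv -Path .\InheritanceDisabled.csv -NoTypeInformation

Write-Host ("Inheritance disabled on {0} users: {1} with adminCount=1 (left alone), {2} to fix" -f `
    $protected.Count, $managed.Count, $candidates.Count)

# 4. Re-enable inheritance only on the accounts not stamped by AdminSDHolder
$candidates | Set-QADObjectSecurity -UnLockInheritance
```

An account can keep adminCount = 1 after it has left a protected group, so go through the "left alone" entries in the CSV by hand rather than assuming each one is still privileged.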

