Thursday, March 18, 2010

Fixing scattered non-permission inherting objects

Occasionally in our environment we come across problems with user management access due to inherited permissions not being enabled. This appears to be related to accounts that were once members of protected groups like server operators, backup operators, account operators, etc and the AdminSDHolder process unchecking inheritance. Over time as the users changed roles and were removed from these groups, inheritance was not manually enabled. There are scripts available that show how to edit this ACL attribute with vbscript for a single object, but I'm a Powershell guy and I want to hit a few thousand accounts at once. For the sake of simplicity, let us assume all of the accounts are in the same OU location: OU=admins,dc=mydomain,dc=com. Also note that OU=admins has inheritance disabled for security reasons and cannot be changed. If it could we could fix all objects in the OU with a single command.

If we are unconcerned with checking to see which accounts are set to not inherit, but we don't want to temporarily expose any current AdminSDHolder accounts to a short term reduction in security, we can do this:

$de = new-object DirectoryServices.DirectoryEntry("LDAP://ou=admins,dc=mydomain,dc=com")
$ds = new-object DirectoryServices.DirectorySearcher($de)
$ds.filter = "(&(objectclass=user)(!(admincount=1)))"
$ds.propertiestoload.add("distinguishedname")
$users = $ds.findall()

Now our variable (array) $users contains a list of LDAP results that can be used to provide distinguished names to the DSACLS command.

Loop through the results and enable permissions inheritance for all objects.

foreach ($user in $users) {
$dn = $user.properties.distinguishedname
dsacls $dn /P:n > $null
}

This will loop through all users found in the query and enable inheritance. If the top level OU did not need to be protected you could accomplish the same type of result with dsacls /T option to run the change on a whole tree of objects from the OU level down. The Powershell way allows more granular control and is helpful if you have several OU levels under the Admins OU that you don't want impacted. The DirectorySearcher class allows you to specify the search scope to limit the results.

In AD Powershell, the get-acl/set-acl options can provide similar capabilities, example here.

No comments:

Post a Comment