Thread: Users allow inheritable permissions check box

  1. #1
    Join Date
    Sep 2005
    Posts
    123

    Users allow inheritable permissions check box

    I am on a Windows 2003 native domain. After moving to Exchange 2007, there are a few users who are having some issues accessing Outlook Web Access; they get an error on the page indicating a security issue within AD. After checking these users' accounts, they have the 'Allow inheritable permissions' check box unchecked. It is found under the properties of the user > Security tab > Advanced > a check box for the same. Enabling the inheritance once fixes the issue, but there isn't any pattern as to which users have this unchecked. So far, only 10 out of 10000 have been reported, and I would like to resolve the issue for all user accounts. At the moment, I want to identify all user accounts which have the inheritance check box unticked. How can we achieve this without opening each user account manually? Thanks.

  2. #2
    Join Date
    Jun 2006
    Posts
    623

    Re: Users allow inheritable permissions check box

    I assume that it can be done by using a VBScript. You can check the example below, try the script in a test environment, and fix any errors that appear during copy and paste:

    Code:
    On Error Resume Next

    Const ADS_SCOPE_SUBTREE = 2
    ' SE_DACL_PROTECTED (0x1000) is set in the security descriptor control
    ' field when "Allow inheritable permissions" is unchecked.
    Const SE_DACL_PROTECTED = &H1000

    Set objConnection = CreateObject("ADODB.Connection")
    Set objCommand = CreateObject("ADODB.Command")
    objConnection.Provider = "ADsDSOObject"
    objConnection.Open "Active Directory Provider"
    Set objCommand.ActiveConnection = objConnection

    ' Paged search, so every matching user is returned and not only the first page.
    objCommand.Properties("Page Size") = 1000
    objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE

    objCommand.CommandText = _
        "<LDAP://ou=accounts,dc=itboard,dc=local>;" _
        & "(objectCategory=user);sAMAccountName,distinguishedName;subtree"

    Set objRecordSet = objCommand.Execute

    objRecordSet.MoveFirst
    Do Until objRecordSet.EOF

        userDN = objRecordSet.Fields("distinguishedName").Value
        Err.Clear
        Set objObject = GetObject("LDAP://" & userDN)
        Set objNtSD = objObject.Get("nTSecurityDescriptor")

        If Err.Number = 0 Then
            intNTSDControl = objNtSD.Control

            ' Test the protected bit itself instead of comparing the whole
            ' control value with one expected number (35844).
            If (intNTSDControl And SE_DACL_PROTECTED) <> 0 Then
                ' Enable "allow inheritable permissions" by clearing the bit.
                intNTSDControl = intNTSDControl And Not SE_DACL_PROTECTED
                objNtSD.Control = intNTSDControl
                objObject.Put "nTSecurityDescriptor", objNtSD
                objObject.SetInfo
                If Err.Number = 0 Then
                    WScript.Echo "Obiectul " & userDN & " a fost modificat"
                End If
            End If
        End If

        objRecordSet.MoveNext
    Loop
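
A report-only way to answer the question in the first post (which accounts have the box unticked), added here as an example and not part of either post. It reuses the search base from the script above; the output file name is hypothetical, and the `AdminCount` column is an added convenience.

```powershell
# Added example: read-only report; nothing in the directory is modified.
$searchBase = 'LDAP://ou=accounts,dc=itboard,dc=local'   # base DN from the post's script
$reportPath = '.\inheritance-disabled.csv'               # hypothetical output file

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot  = New-Object System.DirectoryServices.DirectoryEntry($searchBase)
$searcher.Filter      = '(&(objectCategory=person)(objectClass=user))'
$searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
$searcher.PageSize    = 1000   # paged search, so all matching users are returned
# Ask for the DACL part only; requesting the SACL as well needs extra
# privilege, and without it the attribute can come back empty.
$searcher.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Dacl
foreach ($attr in 'distinguishedname', 'samaccountname', 'admincount', 'ntsecuritydescriptor') {
    [void]$searcher.PropertiesToLoad.Add($attr)
}

# SE_DACL_PROTECTED (0x1000) as exposed by .NET
$protectedBit = [int][System.Security.AccessControl.ControlFlags]::DiscretionaryAclProtected

$results = $searcher.FindAll()
try {
    $report = @(foreach ($r in $results) {
        if (-not $r.Properties.Contains('ntsecuritydescriptor')) {
            Write-Warning "No readable security descriptor: $($r.Path)"
            continue
        }
        $bytes = [byte[]]$r.Properties['ntsecuritydescriptor'][0]
        $sd    = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $bytes, 0
        $flags = [int]$sd.ControlFlags
        if (($flags -band $protectedBit) -ne 0) {
            $adminCount = if ($r.Properties.Contains('admincount')) { $r.Properties['admincount'][0] } else { $null }
            New-Object PSObject -Property @{
                SamAccountName    = [string]$r.Properties['samaccountname'][0]
                DistinguishedName = [string]$r.Properties['distinguishedname'][0]
                Control           = $flags
                AdminCount        = $adminCount
            }
        }
    })
}
finally {
    $results.Dispose()
}

$report | Select-Object SamAccountName, AdminCount, Control, DistinguishedName |
    Export-Csv -Path $reportPath -NoTypeInformation
Write-Host "$($report.Count) account(s) have inheritance disabled; see $reportPath"
```

Rows with `AdminCount` of 1 are accounts that are or were members of protected groups, where Active Directory itself (AdminSDHolder) turns inheritance off. Review those separately before re-enabling inheritance on them.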
