Users allow inheritable permissions check box
I am on a Windows 2003 native domain. After moving to Exchange 2007, there are a few users who are having some issues accessing Outlook Web Access; they get an error on the page indicating a security issue within AD. After checking these users' accounts, they have the 'Allow inheritable permissions' check box unchecked. It is found under properties of the user > Security tab > Advanced > a check box of the same name. Enabling the inheritance once fixes the issue, but there isn't any pattern as to which users have this unchecked. So far only 10 out of 10000 have been reported, and I'd like to resolve the issue for all user accounts. At the moment, I want to identify all user accounts which have the inheritance check box unticked. How can we achieve this without opening each user account manually? Thanks.
Re: Users allow inheritable permissions check box
I assume that it can be done by using a VBScript. You can check the example below and try the script in a test environment, and fix any errors that appear during copy and paste:
Code:
On Error Resume Next
Const ADS_SCOPE_SUBTREE = 2
' SE_DACL_PROTECTED (&H1000) set in the security descriptor's Control word
' is what the unticked "Allow inheritable permissions" check box stores.
Const SE_DACL_PROTECTED = &H1000

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
' Page the result set; the default MaxPageSize on a DC is 1000 entries.
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.CommandText = _
    "<LDAP://ou=accounts,dc=itboard,dc=local>;" _
    & "(&(objectCategory=person)(objectClass=user));sAMAccountName,distinguishedName;subtree"
Set objRecordSet = objCommand.Execute

intFixed = 0
Do Until objRecordSet.EOF
    userDN = objRecordSet.Fields("distinguishedName").Value
    Set objObject = GetObject("LDAP://" & userDN)
    Set objNtSD = objObject.Get("nTSecurityDescriptor")
    intNTSDControl = objNtSD.Control
    ' Test the single bit instead of comparing against a fixed value such as
    ' 35844 (&H8C04), which only matches one particular combination of flags.
    If (intNTSDControl And SE_DACL_PROTECTED) <> 0 Then
        ' Clear SE_DACL_PROTECTED to enable "allow inheritable permissions";
        ' AD then re-applies the inherited ACEs from the parent container.
        intNTSDControl = intNTSDControl And (Not SE_DACL_PROTECTED)
        objNtSD.Control = intNTSDControl
        objObject.Put "nTSecurityDescriptor", objNtSD
        Err.Clear
        objObject.SetInfo
        If Err.Number <> 0 Then
            WScript.Echo "Failed to modify " & userDN & ": " & Err.Description
            Err.Clear
        Else
            intFixed = intFixed + 1
            WScript.Echo "Object " & userDN & " was modified"
        End If
    End If
    objRecordSet.MoveNext
Loop
WScript.Echo intFixed & " account(s) had inheritance re-enabled"
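As an added example (not from the original post or the script above), a read-only audit that decodes the Control word of a raw nTSecurityDescriptor, which is how LDAP clients such as ldap3 return the attribute, and lists accounts with SE_DACL_PROTECTED set, which is what the unticked check box stores; it also decodes the magic 35844 from the script as 0x8C04 = DACL_PRESENT | DACL_AUTO_INHERITED | SACL_AUTO_INHERITED | SELF_RELATIVE. The DNs and header-only descriptors are constructed sample data.

```python
import struct

# SECURITY_DESCRIPTOR_CONTROL bits (winnt.h). nTSecurityDescriptor is a
# self-relative descriptor whose 20-byte header carries this Control word.
CONTROL_BITS = {
    0x0001: "SE_OWNER_DEFAULTED",
    0x0002: "SE_GROUP_DEFAULTED",
    0x0004: "SE_DACL_PRESENT",
    0x0008: "SE_DACL_DEFAULTED",
    0x0010: "SE_SACL_PRESENT",
    0x0020: "SE_SACL_DEFAULTED",
    0x0100: "SE_DACL_AUTO_INHERIT_REQ",
    0x0200: "SE_SACL_AUTO_INHERIT_REQ",
    0x0400: "SE_DACL_AUTO_INHERITED",
    0x0800: "SE_SACL_AUTO_INHERITED",
    0x1000: "SE_DACL_PROTECTED",   # set == "Allow inheritable permissions" unticked
    0x2000: "SE_SACL_PROTECTED",
    0x4000: "SE_RM_CONTROL_VALID",
    0x8000: "SE_SELF_RELATIVE",
}
SE_DACL_PROTECTED = 0x1000
# Revision, Sbz1, Control, then Owner/Group/Sacl/Dacl offsets (little-endian).
HEADER = struct.Struct("<BBHIIII")

def parse_control(sd: bytes) -> int:
    """Return the Control word from a raw self-relative security descriptor."""
    if len(sd) < HEADER.size:
        raise ValueError("descriptor shorter than its 20-byte header")
    revision, _sbz1, control, *_offsets = HEADER.unpack_from(sd)
    if revision != 1 or not control & 0x8000:
        raise ValueError("not a revision-1 self-relative descriptor")
    return control

def control_flags(control: int) -> list[str]:
    """Decode a Control word into flag names, lowest bit first."""
    return [name for bit, name in sorted(CONTROL_BITS.items()) if control & bit]

def inheritance_blocked(sd: bytes) -> bool:
    return bool(parse_control(sd) & SE_DACL_PROTECTED)

def fixed_control(control: int) -> int:
    """Control word with SE_DACL_PROTECTED cleared (inheritance re-enabled)."""
    return control & ~SE_DACL_PROTECTED

def audit(entries: dict[str, bytes]) -> list[str]:
    """DNs whose descriptor blocks inheritance; reads only, changes nothing."""
    return [dn for dn, sd in entries.items() if inheritance_blocked(sd)]

def sample_sd(control: int) -> bytes:
    """Constructed header-only descriptor (no owner, group or ACLs) for the demo."""
    return HEADER.pack(1, 0, control, 0, 0, 0, 0)

# Constructed sample: one normal account, one with inheritance disabled.
SAMPLE = {
    "CN=alice,OU=accounts,DC=example,DC=local": sample_sd(0x8C04),
    "CN=bob,OU=accounts,DC=example,DC=local": sample_sd(0x9C04),
}
```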