
Active Directory Problem with Inheritance

cpals

Diamond Member
I'm working on creating a new security group that only our department is a part of so they can unlock/reset/change passwords without having access to change group memberships, etc. So far I have the security group setup and have applied it to our users OU.

Only problem is that at some point in history certain users had their 'inheritance' checkbox unchecked so they are not getting the correct security permissions and so the regular users in our department cannot unlock some of our users.

Is there any way to reset all the inheritance on an OU and its objects, kind of like file security where you can force the resetting of permissions?

Thanks! I've been trying to figure this one out for a while.

Update:

Solution posted below.
 
Account Operators:
Members of this group can create, modify, and delete accounts for users, groups, and computers located in the Users or Computers containers and organizational units in the domain, except the Domain Controllers organizational unit. Members of this group do not have permission to modify the Administrators or the Domain Admins groups, nor do they have permission to modify the accounts for members of those groups. Members of this group can log on locally to domain controllers in the domain and shut them down. Because this group has significant power in the domain, add users with caution.

I just want the techs to be able to only do the password lockout/reset function and not add/remove users from groups, etc.

Thanks though.
 
Running dsacls with the /P:N switch will flip off the inheritance protection for an object. So you should be able to script that.

For example, to re-enable inheritance for the Joe User account in a Business\Users OU under the domain, you would run the following:
dsacls "cn=joe user,ou=users,ou=business,dc=domain,dc=com" /P:N

Note that the /P:N is case sensitive.
 
Originally posted by: cpals
Account Operators:
Members of this group can create, modify, and delete accounts for users, groups, and computers located in the Users or Computers containers and organizational units in the domain, except the Domain Controllers organizational unit. Members of this group do not have permission to modify the Administrators or the Domain Admins groups, nor do they have permission to modify the accounts for members of those groups. Members of this group can log on locally to domain controllers in the domain and shut them down. Because this group has significant power in the domain, add users with caution.

I just want the techs to be able to only do the password lockout/reset function and not add/remove users from groups, etc.

Thanks though.

You can use delegate control. If you use the wizard, you can specifically assign resetting passwords without giving them permissions to modify group membership.

Although, to fix the problem of resetting inheritance, you might want to go with stash's suggestion. I can't think of any other way to fix that.
 
I think I found it... with the help of the code that was posted earlier I googled it and found more results.

It first led me to this article:
http://mcpmag.com/columns/article.asp?EditorialsID=1600

...and inside that article it details how to do this, but also points to a Microsoft article which I believe had my problem (some users used to be in protected groups so their inheritance kept resetting, and this link has a script that wipes out all the adminCount attributes and also resets inheritance):
http://support.microsoft.com/kb/817433

Hope this helps anyone in the future with similar problems.
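An added example (not from the thread or the linked articles) that scripts stash's dsacls /P:N suggestion across an OU and flags the adminCount condition from the Microsoft article: users whose adminCount is still 1 will have AdminSDHolder re-protect their ACL unless they are out of the protected groups and the attribute is cleared. The OU path is a placeholder, and the RSAT ActiveDirectory module and dsacls.exe are assumed to be available.

```powershell
# Audit (and with -Fix, repair) user objects under an OU whose ACL has
# inheritance disabled. Assumes RSAT ActiveDirectory module + dsacls.exe.
param(
    [string]$SearchBase = "OU=Users,OU=Business,DC=domain,DC=com",  # placeholder OU
    [switch]$Fix,              # run dsacls /P:N on each affected object
    [switch]$ClearAdminCount   # also clear adminCount (only for users no longer in protected groups)
)

Import-Module ActiveDirectory

# nTSecurityDescriptor comes back as an ActiveDirectorySecurity object; its
# AreAccessRulesProtected flag is the unchecked "inherit" box seen in the GUI.
$users = @(Get-ADUser -SearchBase $SearchBase -Filter * `
           -Properties nTSecurityDescriptor, adminCount)

$protected = @($users | Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected })

foreach ($u in $protected) {
    $note = if ($u.adminCount -eq 1) { "adminCount=1 (AdminSDHolder will re-protect)" } else { "" }
    Write-Host ("{0,-20} {1} {2}" -f $u.SamAccountName, $u.DistinguishedName, $note)

    if ($Fix) {
        # /P:N turns the "protect from inheritance" flag off; the switch is case sensitive.
        & dsacls.exe $u.DistinguishedName /P:N | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "dsacls failed for $($u.DistinguishedName)"
        }
        if ($ClearAdminCount -and $u.adminCount -eq 1) {
            # Without this, the hourly AdminSDHolder pass would protect the ACL again.
            Set-ADUser -Identity $u.DistinguishedName -Clear adminCount
        }
    }
}

"{0} of {1} users under {2} have inheritance disabled" -f $protected.Count, $users.Count, $SearchBase
```

Run it once without switches to see the affected accounts, then with -Fix (and -ClearAdminCount only for accounts that have genuinely left the protected groups).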
 