JSI Tip 6375. How can I manually force evaluation of inherited permissions for Active Directory objects?

To support nested groups and universal groups, inheritance on Active Directory objects is handled by a background process called the SD propagator (SDPROP). This process runs only on the primary domain controller (PDC) Flexible Single Master Operation (FSMO) role holder.

If you suspect a problem with inherited permissions, a very rare event, you can force the SD propagator to re-evaluate:

01. Start / Run / ldp.exe / OK.

02. Press Connection.

03. Press Connect.

04. Type the computer name of the PDC emulator.

05. Press OK to connect over port 389.

06. Press Connection.

07. Press Bind.

08. Type an appropriate domain administrator or enterprise administrator name, password, and domain, like Jerry, xxxx, and jsiinc.com.

09. Use the Browse menu to press Modify, which opens the Modify dialog box.

10. Leave Dn blank. Type FixUpInheritance in the Attribute box. Type Yes in the Values box. Press Add under Operation and press Enter to fill the Entry List box with [Add]fixupinheritance:yes.

11. Press Run. The SD propagator starts with Modified on the right-hand pane.

12. Press Close.

13. Press Connection.

14. Press Exit.

NOTE: The run time in linear with the size of the Active Directory database. When the DS Security Propagation Events counter in the NTDS Performance object returns to 0, the process is finished.