IT Infrastructure

Q. How can I restore inheritance if a user was a member of a protected group (AdminSDHolder)?

October 30, 2006

1 Min Read

If you removed a user from a AdminSDHolder protected group, their inheritance is not restored.

I have scripted Inherit_Perms.bat to enable inheritance ("Allow inheritable permissions from parent to propagate to this object") and to set their adminCount attribute to 0.

The syntax for using Inherit_Perms.bat is:

Inherit_Perms "distinguishedName" OK

Where:

"distinguishedName" is the distinguished name of the user, like "CN=John Doe,CN=Users,DC=JSIINC,DC=COM".OK                  is a call directed environment variable that will contain                    a Y if "distinguishedName" was found.                    a N if "distinguishedName" was NOT found.

Inherit_Perms.bat contains:

@echo offif {%2}=={} @echo Syntax: Inherit_Perms distinguishedName OK&goto :EOFsetlocalif exist "%TEMP%Inherit_Fix.vbs" goto [email protected] Explicit>"%TEMP%Inherit_Fix.vbs"@echo.Const SE_DACL_PROTECTED = ^&H1000>>"%TEMP%Inherit_Fix.vbs"@echo.Dim objADObject, objSD, intSDC, objArguments, user>>"%TEMP%Inherit_Fix.vbs"@echo.Set objArguments = Wscript.Arguments>>"%TEMP%Inherit_Fix.vbs"@echo.user="LDAP://" ^& objArguments(0)>>"%TEMP%Inherit_Fix.vbs"@echo.On Error Resume Next>>"%TEMP%Inherit_Fix.vbs"@echo.Set objADObject = GetObject(user)>>"%TEMP%Inherit_Fix.vbs"@echo.Wscript.Echo objADObject.distinguishedName>>"%TEMP%Inherit_Fix.vbs"@echo.Set objSD = objADObject.Get("ntSecurityDescriptor")>>"%TEMP%Inherit_Fix.vbs"@echo.intSDC = objSD.Control>>"%TEMP%Inherit_Fix.vbs"@echo.If (intSDC And SE_DACL_PROTECTED) Then>>"%TEMP%Inherit_Fix.vbs"@echo.    intSDC = intSDC Xor SE_DACL_PROTECTED>>"%TEMP%Inherit_Fix.vbs"@echo.End If>>"%TEMP%Inherit_Fix.vbs"@echo.objSD.Control = intSDC>>"%TEMP%Inherit_Fix.vbs"@echo.objADObject.Put "ntSecurityDescriptor", objSD>>"%TEMP%Inherit_Fix.vbs"@echo.objADObject.Put "adminCount", "0">>"%TEMP%Inherit_Fix.vbs"@echo.objADObject.SetInfo>>"%TEMP%Inherit_Fix.vbs":doitset user=%1set user="%user:"=%"set fnd=Nset OK=Yfor /f "Tokens=*" %%a in ('cscript //nologo "%TEMP%Inherit_Fix.vbs" %user%') do ( set fnd="%%a")if /i %user% NEQ %fnd% set OK=Nendlocal&set %2=%OK%

About the Author

Jerold Schulman

See more from Jerold Schulman

Related Topics

Recent in Cloud

Related Topics

Recent in OS

Related Topics

Recent in IT Mgmt

Related Topics

Recent in Career

Related Topics

Recent in Storage

Related Topics

Recent in Security

Related Topics

Recent in Dev

Related Topics

Recent in DX

Related Topics

Recent in Infrastructure

Related Topics

Q. How can I restore inheritance if a user was a member of a protected group (AdminSDHolder)?

About the Author

Editor's Choice

Featured Technical Explainers

Recent What Is

Related Topics

Recent in Cloud

Related Topics

Recent in OS

Related Topics

Recent in IT Mgmt

Related Topics

Recent in Career

Related Topics

Recent in Storage

Related Topics

Recent in Security

Related Topics

Recent in Dev

Related Topics

Recent in DX

Related Topics

Recent in Infrastructure

Related Topics

<span class="ArticleBase-LargeTitle">Q. How can I restore inheritance if a user was a member of a protected group (AdminSDHolder)?</span>Q. How can I restore inheritance if a user was a member of a protected group (AdminSDHolder)?

About the Author

Editor's Choice

Featured Technical Explainers

Recent What Is

Q. How can I restore inheritance if a user was a member of a protected group (AdminSDHolder)?