Sometimes when we deploy Exchange for our customers we run into a problem where mobile device (ActiveSync) users can log on to the OWA site but can't retrieve mail. They get a "Cannot get mail" error or similar, on both iOS and Android. It usually hits administrative users (best practice is to keep administrator and user accounts separate, but you can't tell some people!), and the reason is that Active Directory deliberately stops them from inheriting rights: members of privileged groups are stamped with adminCount=1 and get the AdminSDHolder ACL copied onto them with inheritance disabled, so the permissions Exchange expects the user object to inherit from the domain never arrive.
So I wrote a script that re-enables inheritance for every user in a given AD OU (and its sub-OUs). You will need to have the affected user(s) connect to ActiveSync soon after running it, because the SDProp process (every 60 minutes by default on the PDC emulator) re-applies AdminSDHolder to any account still marked as protected, and the setting reverts.
```powershell
<#
Purpose: To enable inheritance for all AD users in the specified OU and all sub-OUs.
Author:  Michael Kenning (mjkenning@gmail.com)
Version: 1.1 (release)
Updated: 21 FEB 2015
Notes:   Change variables as needed
#>

# Get-ADUser comes from the RSAT ActiveDirectory module
Import-Module ActiveDirectory

### VARIABLES ###
$searchOU = "ou=OUNAME,dc=DOMAIN,dc=COM"
### END VARIABLES ###

# -- Get-ADUser searches the OU and all sub-OUs (subtree scope) by default
$users = Get-ADUser -LDAPFilter "(objectclass=user)" -SearchBase $searchOU

$changed = 0
$same = 0

ForEach ($user in $users) {
    # -- Bind to the user object by its distinguished name
    $entry = [ADSI]("LDAP://" + $user.DistinguishedName)

    # -- Get the security descriptor for the user object
    $sec = $entry.psbase.ObjectSecurity

    # -- AreAccessRulesProtected is $true when inheritance is blocked (what AdminSDHolder does)
    if ($sec.AreAccessRulesProtected) {
        $isProtected = $false          ## allows inheritance
        $preserveInheritance = $true   ## only consulted when blocking inheritance; harmless here

        # -- Make the change!
        $sec.SetAccessRuleProtection($isProtected, $preserveInheritance)
        $entry.psbase.CommitChanges()

        # -- Let the console know that the user was changed
        Write-Host "$($user.DistinguishedName) is now inheriting permissions"

        # -- Increment the changed user count
        $changed += 1
    }
    else {
        # -- Let the console know that the user didn't need to be changed
        Write-Host "$($user.DistinguishedName) Inheritable Permission already set"

        # -- Increment the unchanged user count
        $same += 1
    }
}

# -- Give a summary of changes
Write-Host "The number of changed users is $changed"
Write-Host "The number of unchanged users is $same"
```
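Before (or after) running the script, it helps to know which accounts SDProp is going to keep reverting. The report below is an added example, not part of the original post or script: it lists every account in the OU that AD has marked as protected (adminCount=1), whether inheritance is currently blocked on it, and which protected groups it still belongs to, nested membership included. The OU name is the same placeholder as above; the ActiveDirectory module and its `AD:` drive are assumed to be available.

```powershell
# Added example: report protected accounts and why they keep losing inheritance.
# Assumes the RSAT ActiveDirectory module; the OU below is a placeholder.
Import-Module ActiveDirectory

$searchOU = "ou=OUNAME,dc=DOMAIN,dc=COM"   # placeholder, change as needed

# Accounts SDProp has stamped as protected. Every ~60 minutes it re-copies the
# AdminSDHolder ACL onto these with inheritance disabled, undoing the fix above.
$protected = Get-ADUser -LDAPFilter "(adminCount=1)" -SearchBase $searchOU -Properties adminCount

foreach ($u in $protected) {
    $dn  = $u.DistinguishedName

    # Current state of the object's ACL via the AD: PSDrive
    $acl = Get-Acl -Path ("AD:\" + $dn)

    # Protected groups the account is still a member of, including nested
    # membership (1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN).
    $groups = Get-ADGroup -LDAPFilter "(&(adminCount=1)(member:1.2.840.113556.1.4.1941:=$dn))" |
              Select-Object -ExpandProperty SamAccountName

    [pscustomobject]@{
        SamAccountName         = $u.SamAccountName
        InheritanceBlocked     = $acl.AreAccessRulesProtected
        StillInProtectedGroups = ($groups -join ', ')
    }
}
```

Read the output like this: an account with InheritanceBlocked set and no protected groups listed is a leftover (it was removed from the privileged group but adminCount was never cleared); clear the attribute with `Set-ADUser <user> -Clear adminCount` and the inheritance fix will then stick. An account that still sits in a protected group will keep reverting every SDProp cycle, which is exactly the case for using a separate, unprivileged account for the mailbox.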