Home Powershell Enable AD Inheritance on all users in an OU and all sub OUs

Enable AD Inheritance on all users in an OU and all sub OUs

Posted on February 25, 2015 by Michael Kenning Leave a comment

Sometimes when we are deploying Exchange for our customers, we run into problems where Mobile Device (ActiveSync) users can logon to the OWA site, but can’t retrieve mail. They get a “Cannot get mail” error or similar. This occurs for iOS and Android users. This usually happens to Administrative users (best practice is to have administrator roles and user roles separate, but you can’t tell some people!) because they are not allowed to inherit rights by design!

So I wrote a script to allow inheritance for all users in a given AD OU. You will need to have the affected user(s) connect to ActiveSync soon after running this script, as the Administrative users will have this setting revert every so often.

<# Purpose: To enable inheritance for all AD users in the specified OU and all sub-OUs. 
Author: Michael Kenning (mjkenning@gmail.com) 
Version: 1.1 (release) 
Updated: 21 FEB 2015 
Notes: Change variables as needed 
#>

### VARIABLES ###
$searchOU = "ou=OUNAME,dc=DOMAIN,dc=COM"
### END VARIABLES ###

$users = Get-ADUser -ldapfilter "(objectclass=user)" -searchbase $searchOU
$changed = 0
$same = 0

ForEach($user in $users)
{
    # -- Get the full path to the user object
    $ou = [ADSI]("LDAP://" + $user)
	
	# -- Get the security information for the user object
    $sec = $ou.psbase.objectSecurity
 
	# -- Change the security settings for the user
    if ($sec.get_AreAccessRulesProtected())
    {
        $isProtected = $false 			## allows inheritance
        $preserveInheritance = $true 	## preserve inherited rules
        
		# -- Make the change!
		$sec.SetAccessRuleProtection($isProtected, $preserveInheritance)
        $ou.psbase.commitchanges()
        
		# -- Let the console know that the user was changed
		Write-Host "$user is now inheriting permissions";
		
		# -- Increment the changed user count
		$changed += 1
    }
    else
    {
		# -- Let the console know that the user didn't need to be changed
		Write-Host "$User Inheritable Permission already set"
		
		# -- Increment the unchanged user count
		$same += 1
    }
}

# -- Give a summary of changes
Write-host "The number of changed users is $changed"
Write-host "The number of unchanged users is $same"
Tagged with: , , ,
Posted in Powershell

Leave a comment