Set et "inherit from parent the permission" on multiple user objects at same time

microsoft.public.windows.server.active_directory

9 Feb 2006 9:37 PM

musicman

All,
I need to set the "inherit from parent the permission entries that
apply to child objects" on multiple user objects in a container.
Is there a way to do this on many users at the same time?
Thanks,
Ryan

10 Feb 2006 4:09 AM

Neil Denison

If you have the Windows 2003 support tools loaded, take a look at the
Directory Services ACL Editor - ddcaslc.exe. I haven't had to use it before,
but It might help you.

Show quoteHide quote

"musicman" wrote:

> All,
> I need to set the "inherit from parent the permission entries that
> apply to child objects" on multiple user objects in a container.
> Is there a way to do this on many users at the same time?
> Thanks,
> Ryan
>
>

10 Feb 2006 6:30 PM

musicman

Thought I'd post the resolution for this since it took forever to
figure out - as I am not a great scripter.

credit for the dsacls syntax goes to this post:
http://groups.google.com/group/microsoft.public.win2000.security/browse_frm/thread/4485344845d13d59/457c8e103f4c4b79?lnk=st&q=AdminSDHolder+2003&rnum=22#457c8e103f4c4b79

To set the "inherit permission..." flag on multiple user objects, do
the following. If the users are still in a protected group, you will
need to remove them or adminsdholder will overwrite your changes in an
hour.

(I make no promises as to the effect that this will have on your
environment, but it worked in mine.)

1. Run a dsquery against the container that the objects reside in and
pipe the results to a batch file called usernames.txt
c:\dsquery users "ou=usercontainer,dc=mydomain,dc=com" >>
c:\usernames.txt

2.Create a batch file with the following text - I like to see te
output.
@echo on
for /f "tokens=1 delims=" %%x IN (usernames.txt) do dsacls %%x /P:N /R
Guest
for /f "tokens=1 delims=" %%x IN (usernames.txt) do dsacls %%x /S
Exit

Hope this helps someone,
Ryan