Saturday, March 21, 2009

Using ADModify to ensure inheritable permissions are set on user objects

In most Exchange migrations I might find 1-2 of these that can be addressed as one-off issues, but today I had a customer that had a lot more than usual.

I searched for a good adsiedit, ldp, or other query - no good; it's an ACL, not an AD user object property. I did find some .NET examples, but I did not want to venture down that road.

And then I found ADModify.NET:
http://technet.microsoft.com/en-us/library/aa996216(EXCHG.65).aspx

This requires a PSS call (or Google) to download. It is not an install, just an unzip-and-use utility.


Click Modify Attributes


Select the domain, select a DC, and hit the big green arrow.

Then select the root or OU you want, enter a custom LDAP query of (objectClass=*), and select Add to List.

Then press Ctrl+A or Ctrl-click to select the user objects and hit Next.

Then you can go to the Account tab (normally this would be Security -> Advanced in ADUC) and finally select the "Allow inheritable permissions to propagate to this object" checkbox and go.

Quick, easy, and best of all, whatever you do generates an XML log file that you can also use to "undo" your changes!
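
Where the ActiveDirectory PowerShell module is available, the same check and fix can be scripted. This is an added example, not part of the original post or of ADModify.NET; the OU, the log path and the two function names are placeholders, and the last line only previews the change until `-WhatIf` is removed.

```powershell
# Added example: assumes the RSAT ActiveDirectory module and rights to read and write user ACLs.
# $SearchBase and $LogPath are placeholder values; change them for your domain.
Import-Module ActiveDirectory

$SearchBase = 'OU=Staff,DC=example,DC=com'   # placeholder OU
$LogPath    = '.\inheritance-changes.csv'    # record of which objects were touched

function Get-UserWithBlockedInheritance {
    param([string]$SearchBase)
    # The inheritance flag lives in the security descriptor, not in a
    # searchable attribute, so every user is read and filtered client-side.
    Get-ADUser -Filter * -SearchBase $SearchBase -Properties nTSecurityDescriptor, adminCount |
        Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected } |
        Select-Object SamAccountName, DistinguishedName, adminCount
}

function Enable-UserInheritance {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(ValueFromPipelineByPropertyName = $true)][string]$DistinguishedName)
    process {
        $path = "AD:\$DistinguishedName"
        $acl  = Get-Acl -Path $path
        # $false = not protected, so inherited ACEs apply again;
        # the second argument is ignored when the first is $false.
        $acl.SetAccessRuleProtection($false, $true)
        if ($PSCmdlet.ShouldProcess($DistinguishedName, 'Enable ACL inheritance')) {
            Set-Acl -Path $path -AclObject $acl
        }
    }
}

$blocked = Get-UserWithBlockedInheritance -SearchBase $SearchBase
$blocked | Export-Csv -Path $LogPath -NoTypeInformation
# adminCount = 1 marks AdminSDHolder-protected accounts; SDProp switches
# inheritance off again on those, so they are reported but not modified.
$blocked | Where-Object { $_.adminCount -ne 1 } | Enable-UserInheritance -WhatIf
```

The CSV lists every object that had inheritance disabled before the run, which gives a record to work from if a change needs to be reversed.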
