User Security Inheritance in Active Directory

Drew Govnyak

Guest
I have over 1000 users in Active Directory on a Windows 2003 in native AD
mode.

Some users were brought in to AD from NT 4.0 with Exchange 5.5 by the means
of the AD connector. If I look at the security tab of the imported users,
and click the Advanced button, the inheritance of the permissions from the
parent is not checked, but any user that was copied or created from scratch
in 2003 AD has the checkbox checked. Is there a utility I can run that would
give me a report on who has the inheritance enabled and who does not?
Ideally I would want to have the inheritance checkbox checked for all of the
users in AD.

Not sure if there is anything in Windows Server support tools?



Thanks
 
Re: User Security Inheritance in Active Directory

I ran

ldifde -f Admincount-1.txt -d dc=mydomain.local -r
"(&(objectcategory=person)(objectclass=user)(InheritanceFlag=1))"
and
ldifde -f Admincount-1.txt -d dc=mydomain.local -r
"(&(objectcategory=person)(objectclass=user)(InheritanceFlag=0))"

but got

No Entries found
The command has completed successfully

Am I missing something?


"Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message
news:usgmsu3uIHA.1240@TK2MSFTNGP02.phx.gbl...
> Hi
> Check membership for protected groups:
> http://support.microsoft.com/kb/817433
>
> --
> I hope that the information above helps you.
> Have a Nice day.
>
> Jorge Silva
> MCSE, MVP Directory Services
 
Re: User Security Inheritance in Active Directory

On Wed, 21 May 2008 16:14:02 -0400, Drew Govnyak wrote:

> I ran
>
> ldifde -f Admincount-1.txt -d dc=mydomain.local -r
> "(&(objectcategory=person)(objectclass=user)(InheritanceFlag=1))"
> and
> ldifde -f Admincount-1.txt -d dc=mydomain.local -r
> "(&(objectcategory=person)(objectclass=user)(InheritanceFlag=0))"
>
> but got
>
> No Entries found
> The command has completed successfully
>
> Am I missing something?


The dc= entry should be dc=mydomain,dc=local

--
Paul Adare
http://www.identit.ca
One person's error is another person's data.
 
Re: User Security Inheritance in Active Directory

Agree with Paul.

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services
 
Re: User Security Inheritance in Active Directory

see:
http://blogs.dirteam.com/blogs/jorge/archive/2005/11/16/86.aspx
http://blogs.dirteam.com/blogs/jorge/archive/2006/05/16/981.aspx

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
"Drew Govnyak" <no-email-here@none.com> wrote in message
news:%23nOAEp2uIHA.4772@TK2MSFTNGP03.phx.gbl...
>I have over 1000 users in Active Directory on a Windows 2003 in native AD
>mode.
>
> Some users were brought in to AD from NT 4.0 with Exchange 5.5 by the
> means of the AD connector. If I look at the security tab of the imported
> users, and click the Advanced button, the inheritance of the permissions
> from the parent is not checked, but any user that was copied or created
> from scratch in 2003 AD has the checkbox checked. Is there a utility I can
> run that would give me a report on who has the inheritance enabled and who
> does not. Ideally I would want to have the inheritance checkbox checked
> for all of the users in AD.
>
> Not sure if there is anything in Windows Server support tools?
>
>
>
> Thanks
>
>
>
>
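
One way to produce the report asked for in the first post, as an added example that is not from any of the posters. The "inherit from parent" checkbox is the protected-DACL flag on each object's security descriptor rather than a searchable LDAP attribute, so the script reads nTSecurityDescriptor and lists adminCount beside it, since the thread points at protected groups (KB 817433). It assumes the ActiveDirectory PowerShell module is available; the function name Get-UserInheritanceReport and the CSV path are hypothetical.

```powershell
# Added example: report DACL inheritance state for every user object.
# Assumes the ActiveDirectory module (RSAT) and rights to read nTSecurityDescriptor.
Import-Module ActiveDirectory

function Get-UserInheritanceReport {
    param(
        # Base DN in the corrected form given in the thread; replace with your own domain.
        [string]$SearchBase = 'DC=mydomain,DC=local'
    )

    Get-ADUser -Filter * -SearchBase $SearchBase -Properties nTSecurityDescriptor, adminCount |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName      = $_.SamAccountName
                DistinguishedName   = $_.DistinguishedName
                # True when the "inherit from parent" box is unchecked (DACL is protected).
                InheritanceDisabled = $_.nTSecurityDescriptor.AreAccessRulesProtected
                # adminCount = 1 marks accounts that are, or once were, in a protected group.
                AdminCount          = $_.adminCount
            }
        }
}

$report = Get-UserInheritanceReport

# Full report: one row per user, inheritance-enabled accounts listed first.
$report | Sort-Object InheritanceDisabled, SamAccountName |
    Export-Csv -Path .\user-inheritance.csv -NoTypeInformation

# Inheritance off without adminCount = 1: not explained by protected-group
# membership, so these are the candidates to review (for example migrated accounts).
$report | Where-Object { $_.InheritanceDisabled -and $_.AdminCount -ne 1 } |
    Format-Table SamAccountName, DistinguishedName -AutoSize

# Inheritance off with adminCount = 1: check protected-group membership first,
# because AdminSDHolder turns inheritance off again on current members.
$report | Where-Object { $_.InheritanceDisabled -and $_.AdminCount -eq 1 } |
    Format-Table SamAccountName, DistinguishedName -AutoSize
```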
 