Q. How can I restore inheritance if a user was a member of a protected group (AdminSDHolder)?

If you removed a user from a AdminSDHolder protected group, their inheritance is not restored.

I have scripted Inherit_Perms.bat to enable inheritance ("Allow inheritable permissions from parent to propagate to this object") and to set their adminCount attribute to 0.

The syntax for using Inherit_Perms.bat is:

Inherit_Perms "distinguishedName" OK

Where:

"distinguishedName" is the distinguished name of the user, like "CN=John Doe,CN=Users,DC=JSIINC,DC=COM".

OK                  is a call directed environment variable that will contain
                    a Y if "distinguishedName" was found.
                    a N if "distinguishedName" was NOT found.
Inherit_Perms.bat contains:
@echo off
if \{%2\}==\{\} @echo Syntax: Inherit_Perms distinguishedName OK&goto :EOF
setlocal
if exist "%TEMP%\Inherit_Fix.vbs" goto doit
@echo.Option Explicit>"%TEMP%\Inherit_Fix.vbs"
@echo.Const SE_DACL_PROTECTED = ^&H1000>>"%TEMP%\Inherit_Fix.vbs"
@echo.Dim objADObject, objSD, intSDC, objArguments, user>>"%TEMP%\Inherit_Fix.vbs"
@echo.Set objArguments = Wscript.Arguments>>"%TEMP%\Inherit_Fix.vbs"
@echo.user="LDAP://" ^& objArguments(0)>>"%TEMP%\Inherit_Fix.vbs"
@echo.On Error Resume Next>>"%TEMP%\Inherit_Fix.vbs"
@echo.Set objADObject = GetObject(user)>>"%TEMP%\Inherit_Fix.vbs"
@echo.Wscript.Echo objADObject.distinguishedName>>"%TEMP%\Inherit_Fix.vbs"
@echo.Set objSD = objADObject.Get("ntSecurityDescriptor")>>"%TEMP%\Inherit_Fix.vbs"
@echo.intSDC = objSD.Control>>"%TEMP%\Inherit_Fix.vbs"
@echo.If (intSDC And SE_DACL_PROTECTED) Then>>"%TEMP%\Inherit_Fix.vbs"
@echo.    intSDC = intSDC Xor SE_DACL_PROTECTED>>"%TEMP%\Inherit_Fix.vbs"
@echo.End If>>"%TEMP%\Inherit_Fix.vbs"
@echo.objSD.Control = intSDC>>"%TEMP%\Inherit_Fix.vbs"
@echo.objADObject.Put "ntSecurityDescriptor", objSD>>"%TEMP%\Inherit_Fix.vbs"
@echo.objADObject.Put "adminCount", "0">>"%TEMP%\Inherit_Fix.vbs"
@echo.objADObject.SetInfo>>"%TEMP%\Inherit_Fix.vbs"
:doit
set user=%1
set user="%user:"=%"
set fnd=N
set OK=Y
for /f "Tokens=*" %%a in ('cscript //nologo "%TEMP%\Inherit_Fix.vbs" %user%') do (
 set fnd="%%a"
)
if /i %user% NEQ %fnd% set OK=N
endlocal&set %2=%OK%


Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish