I recently took over the administration of user accounts for a large branch of our Active Directory (AD) organizational unit (OU) hierarchy. The existing permissions, however, are inconsistent from OU to OU and much too open in some areas. How can I start over and make all the permissions the same from the top level down?
Open the appropriate parent folder's Properties dialog box in Windows Explorer. Go to the Permissions tab, then click Advanced. Modify the permissions as you want them to be from this level down. Next, select the Reset permissions on all child objects and enable propagation of inheritable permissions check box and the Allow inheritable permissions from parent to propagate to this object check box. Click OK.
Windows 2000 will display the warning This will remove explicitly defined permissions on all child objects and enable propagation of inheritable permissions to those child objects. Only inheritable permissions propagated from dept will take effect. Do you wish to continue? Click OK. The entire branch of your OU hierarchy now has the same permissions.
Note that Reset permissions on all child objects and enable propagation of inheritable permissions isn't a persistent option: The next time you edit the permissions for this object, Win2K will automatically clear the check box. Therefore, after you reset permissions on the parent folder, you can create explicit permissions on child objects to implement exceptions to your standard set of permissions.
