Script to list users that don't inherit permissions

    I have an issue where there are some user accounts which are not inheriting OU permissions in the domain. This prevents the delegate from performing operations against the user object.
    The main reason they could not perform these operations is that under the user account object's Security tab > Advanced, the 'Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here.' box is not checked. Therefore the delegation settings for the Help Desk are not being applied to that particular user object.
    I don't want to make any changes at present, so I would like to play it safe and only export a list of users which do not have the inherit permissions check box selected. I can then see how many there are and change them if I need to.
    I was hoping that someone would have a script handy to do this? Is this possible?

    Thank you.

  • #2
    Re: Script to list users that don't inherit permissions

    Here's a sample,

    Open a DOS box (command prompt) and run the script from a cscript.exe command line
    (you can use ">" to redirect the output to a txt file instead of showing the results on screen).


    Const SE_DACL_PROTECTED = &H1000
    ' DN of the OU to search from
    StartSearchingFrom = "OU=Company Users,dc=domain,dc=local"
    Set conn = CreateObject("ADODB.Connection")
    conn.Provider = "ADSDSOObject"
    conn.Open "ADs Provider"
    ' Return the ADsPath of every user object below the OU (subtree search)
    ldapStr = "<LDAP://" & StartSearchingFrom & ">;(&(objectCategory=person)(objectClass=user));adspath;subtree"
    Set rs = conn.Execute(ldapStr)
    On Error Resume Next
    strMessage = "Allow inheritable permissions from the parent to " & _
      "propagate to this object and all child objects "
    While Not rs.EOF
       Set objUser = GetObject(rs.Fields(0).Value)
       Set objNtSecurityDescriptor = objUser.Get("ntSecurityDescriptor")
       ' Control flags of the security descriptor; SE_DACL_PROTECTED is set when
       ' the DACL does not inherit ACEs from the parent container
       intNtSecurityDescriptorControl = objNtSecurityDescriptor.Control
       If (intNtSecurityDescriptorControl And SE_DACL_PROTECTED) Then
         ' Print the affected user so the output is a usable list
         WScript.Echo objUser.Get("distinguishedName") & vbNewLine _
           & "Permissions Tab: " & strMessage & "is disabled." & vbNewLine
       End If
       rs.MoveNext
    Wend
    rs.Close
    conn.Close

    This posting is provided "AS IS" with no warranties, and confers no rights.


    ** Remember to give credit where credit's due **
    and leave Reputation Points for meaningful posts
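A PowerShell equivalent of the script above, added here as an example and not part of the original reply: it produces the same read-only list using the ActiveDirectory module (RSAT), since that is what most admins would reach for today. The OU distinguished name and the CSV path are placeholders to adjust. The check relies on AreAccessRulesProtected on the returned descriptor, which is true exactly when SE_DACL_PROTECTED is set. adminCount is included in the output because accounts covered by AdminSDHolder (members of Domain Admins and similar protected groups) have their DACL re-protected by the SDProp process, so re-enabling inheritance on those objects will not stick and they should be treated separately from the rest of the list.

```powershell
# Added example, not from the original post. Lists user objects below an OU whose
# DACL does not inherit from the parent (SE_DACL_PROTECTED), without changing anything.
# Assumes the ActiveDirectory module from RSAT; the OU DN below is a placeholder.
Import-Module ActiveDirectory

function Get-UserWithProtectedDacl {
    param(
        [Parameter(Mandatory)]
        [string]$SearchBase
    )

    # nTSecurityDescriptor comes back as an ActiveDirectorySecurity object;
    # AreAccessRulesProtected is true when the DACL carries SE_DACL_PROTECTED,
    # i.e. the "Allow inheritable permissions from the parent..." box is unchecked.
    # adminCount = 1 marks accounts whose DACL is stamped by AdminSDHolder/SDProp.
    Get-ADUser -Filter * -SearchBase $SearchBase -SearchScope Subtree `
               -Properties nTSecurityDescriptor, adminCount |
        Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected } |
        Select-Object Name, SamAccountName, DistinguishedName,
            @{ Name = 'AdminCount'; Expression = { $_.adminCount } }
}

# Placeholder OU; change to the container you delegated to the Help Desk.
$ou = 'OU=Company Users,DC=domain,DC=local'

$protected = @(Get-UserWithProtectedDacl -SearchBase $ou)
$protected | Format-Table -AutoSize
$protected | Export-Csv -Path .\users-not-inheriting.csv -NoTypeInformation
Write-Host "$($protected.Count) user object(s) with inheritance disabled under $ou"
```

Run it as an account that can read the objects' security descriptors (any authenticated user can by default). Entries with AdminCount 1 are the ones SDProp will keep protected regardless of what you tick in the Security tab; the remainder are the ones the Help Desk delegation is actually failing on and that can safely be reviewed for re-enabling inheritance.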