User Security Inheritance in Active Directory

Posted by Drew Govnyak on May 21, 2008, 1:44 pm
I have over 1000 users in Active Directory on a Windows 2003 in native AD
mode.

Some users were brought in to AD from NT 4.0 with Exchange 5.5 by the means
of the AD connector. If I look at the security tab of the imported users,
and click the Advanced button, the inheritance of the permissions from the
parent is not checked, but any user that was copied or created from scratch
in 2003 AD has the checkbox checked. Is there a utility I can run that would
give me a report on who has the inheritance enabled and who does not?
Ideally I would want to have the inheritance checkbox checked for all of the
users in AD.

Not sure if there is anything in Windows Server support tools?

Thanks

Posted by Jorge Silva on May 21, 2008, 3:48 pm
Hi
Check membership for protected groups:
http://support.microsoft.com/kb/817433

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

Posted by Drew Govnyak on May 21, 2008, 4:14 pm
I ran

ldifde -f Admincount-1.txt -d dc=mydomain.local -r
"(&(objectcategory=person)(objectclass=user)(InheritanceFlag=1))"
and
ldifde -f Admincount-1.txt -d dc=mydomain.local -r
"(&(objectcategory=person)(objectclass=user)(InheritanceFlag=0))"

but got

No Entries found
The command has completed successfully

Am I missing something?

> Hi
> Check membership for protected groups:
> http://support.microsoft.com/kb/817433
>
> --
> I hope that the information above helps you.
> Have a Nice day.
>
> Jorge Silva
> MCSE, MVP Directory Services
Posted by Paul Adare on May 21, 2008, 4:24 pm
On Wed, 21 May 2008 16:14:02 -0400, Drew Govnyak wrote:

> I ran
>
> ldifde -f Admincount-1.txt -d dc=mydomain.local -r
> "(&(objectcategory=person)(objectclass=user)(InheritanceFlag=1))"
> and
> ldifde -f Admincount-1.txt -d dc=mydomain.local -r
> "(&(objectcategory=person)(objectclass=user)(InheritanceFlag=0))"
>
> but got
>
> No Entries found
> The command has completed successfully
>
> Am I missing something?

The dc= entry should be dc=mydomain,dc=local

--
Paul Adare
http://www.identit.ca
One person's error is another person's data.
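The report Drew asked for in the first post can be produced without any extra tools, and the script below is an added example written for this thread (it is not code from Drew, Jorge or Paul). It uses System.DirectoryServices (ADSI), which is present on a Windows Server 2003 member server or DC, walks every user object with a paged search, and reads each object's security descriptor: the "inherit permissions from parent" box in the Advanced security dialog maps to the AreAccessRulesProtected property of the descriptor. It also pulls adminCount, because the AdminSDHolder process described in KB 817433 is the usual reason an account ends up with inheritance switched off, and it will switch inheritance off again (within about an hour) on any member of a protected group where the box is re-ticked by hand. The search base "dc=mydomain,dc=local" is a placeholder in the form Paul describes (one dc= per name component), and the output path and property names in the CSV are my own choices.

```powershell
# Added example (not posted in the thread): report which user objects have
# permission inheritance disabled, using ADSI / System.DirectoryServices.
# Assumes it runs as a domain account allowed to read the objects' security
# descriptors. Replace the placeholder search base with your own domain DN,
# written as dc=mydomain,dc=local (one RDN per component).

param(
    [string]$SearchBase = "LDAP://dc=mydomain,dc=local",   # placeholder DN
    [string]$OutFile    = ".\inheritance-report.csv"       # chosen for this example
)

$root     = New-Object System.DirectoryServices.DirectoryEntry($SearchBase)
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter      = "(&(objectCategory=person)(objectClass=user))"
$searcher.PageSize    = 1000        # paged search: the domain has well over 1000 users
$searcher.SearchScope = "Subtree"
[void]$searcher.PropertiesToLoad.Add("distinguishedName")
[void]$searcher.PropertiesToLoad.Add("sAMAccountName")
[void]$searcher.PropertiesToLoad.Add("adminCount")

$report = @(foreach ($result in $searcher.FindAll()) {
    # Bind to the object so its security descriptor (DACL) can be read
    $entry = $result.GetDirectoryEntry()
    $sd    = $entry.ObjectSecurity    # System.DirectoryServices.ActiveDirectorySecurity

    # AreAccessRulesProtected is $true exactly when the "inherit permissions
    # from parent" checkbox is cleared (the DACL carries SE_DACL_PROTECTED)
    $adminCount = $result.Properties["admincount"]
    New-Object PSObject -Property @{
        SamAccountName     = [string]$result.Properties["samaccountname"][0]
        DistinguishedName  = [string]$result.Properties["distinguishedname"][0]
        InheritanceEnabled = -not $sd.AreAccessRulesProtected
        AdminCount         = $(if ($adminCount.Count -gt 0) { [int]$adminCount[0] } else { 0 })
    }
})

$report | Sort-Object InheritanceEnabled, SamAccountName |
    Export-Csv -Path $OutFile -NoTypeInformation

# Console summary
$blocked = @($report | Where-Object { -not $_.InheritanceEnabled })
"{0} users checked, {1} with inheritance disabled" -f $report.Count, $blocked.Count

# Accounts with adminCount=1 are expected to have inheritance disabled: the
# AdminSDHolder process (KB 817433) clears it on members of protected groups
# and will clear it again if the box is ticked by hand. The interesting rows
# are the rest: inheritance off but adminCount not set, which is what the
# NT 4.0 / Exchange 5.5 imports in this thread look like.
$blocked | Where-Object { $_.AdminCount -eq 0 } |
    Select-Object SamAccountName, DistinguishedName |
    Format-Table -AutoSize
```

Run it from a domain-joined machine as an account with read access to the user objects. The CSV gives the full list; the table printed at the end is the set worth fixing, since re-enabling inheritance on those accounts will stick, whereas doing the same on an adminCount=1 account that is still in a protected group will be undone by AdminSDHolder. Before bulk-enabling inheritance, compare an imported user's explicit ACEs against a freshly created one: once inheritance is on, the OU's inherited ACEs are added to whatever explicit ACEs the import left behind, so anything unexpected in the explicit list should be removed first.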

Posted by Jorge Silva on May 21, 2008, 4:53 pm
Agree with Paul.

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services
