How to find out if Inheritable Permissions is checked

  • Thread starter: 2ndadadmin

2ndadadmin

I am one of several AD admins and I want to run a query to find out how
many AD objects have this box unchecked. I'm trying to tighten security
on a per-OU level but delegation from the top level isn't working
properly because several user/computer/group objects are not inheriting
the changes that I'm making. Any help/tips would be appreciated.
 
Best thing would be to post this in the scripting newsgroups, as that flag
is buried in the ACL.
 
Paul,

Thanks for pointing me in the right direction. After searching the
scripting newsgroups for just 5 minutes, I already found several
scripting samples.
 
Hi,

You first have to retrieve the security descriptor and then check the flag:
SE_DACL_PROTECTED = 4096 for the DACL entry
SE_SACL_PROTECTED = 8192 for the SACL entry

Example:

    If (iSD.Control And SE_DACL_PROTECTED) = SE_DACL_PROTECTED Then
        IsInheritedACE = False
    End If

If the flags are not checked it means that the security is inherited.

WinSysBee Support Team
http://www.winsysbee.com
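
The flag check from the reply above, applied to raw nTSecurityDescriptor bytes in the self-relative form an LDAP query returns. This is an added example, not code from the thread; the DNs and descriptor blobs are constructed samples and the function names are illustrative.

```python
import struct

# Control-word bits; the two PROTECTED values are the ones quoted in the thread.
SE_DACL_PRESENT = 0x0004
SE_DACL_PROTECTED = 0x1000   # 4096: DACL does not inherit from the parent
SE_SACL_PROTECTED = 0x2000   # 8192: SACL does not inherit from the parent
SE_SELF_RELATIVE = 0x8000

def sd_control(sd: bytes) -> int:
    """Return the 16-bit Control word of a self-relative security descriptor."""
    if len(sd) < 20:  # Revision, Sbz1, Control, then four 32-bit offsets
        raise ValueError("blob shorter than the 20-byte descriptor header")
    revision, _sbz1, control = struct.unpack_from("<BBH", sd, 0)
    if revision != 1:
        raise ValueError(f"unexpected revision {revision}")
    if not control & SE_SELF_RELATIVE:
        raise ValueError("descriptor is not in self-relative form")
    return control

def inheritance_report(entries):
    """Map each DN to (dacl_blocked, sacl_blocked), or None if unparseable."""
    report = {}
    for dn, blob in entries:
        try:
            control = sd_control(blob)
        except ValueError:
            report[dn] = None  # surface bad data instead of guessing
            continue
        report[dn] = (bool(control & SE_DACL_PROTECTED),
                      bool(control & SE_SACL_PROTECTED))
    return report

def blocked_dns(entries):
    """DNs whose DACL has inheritance switched off (the unchecked box)."""
    return [dn for dn, r in inheritance_report(entries).items() if r and r[0]]

def _header(control: int) -> bytes:
    # Constructed sample: header only, all offsets zero (no owner/group/ACLs).
    return struct.pack("<BBHIIII", 1, 0, control | SE_SELF_RELATIVE, 0, 0, 0, 0)

# Constructed sample data standing in for an LDAP export of (DN, descriptor).
SAMPLE = [
    ("CN=alice,OU=Staff,DC=example,DC=test", _header(SE_DACL_PRESENT)),
    ("CN=svc-backup,OU=Staff,DC=example,DC=test",
     _header(SE_DACL_PRESENT | SE_DACL_PROTECTED)),
    ("CN=truncated,OU=Staff,DC=example,DC=test", b"\x01\x00"),
]

if __name__ == "__main__":
    print(len(blocked_dns(SAMPLE)), "object(s) with inheritance disabled")
```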

