Inheritable permissions

[Clay Calvert]

Using Dsacls and the following syntax in order to set permissions to allow
our Help Desk to unlock accounts.

dsacls "OU=OUName,DC=domain,DC=com" /I:S /G "Domain\Help
Desk":RPWP;lockoutTime;user

Fortunately, this works for many accounts. Unfortunately, there are many
accounts that have the "allow inheritable permissions from parent to
propagate to this object" checkbox UNchecked so they don't get the benefits
of the parent's change. Sooooo, how can the box be checked via script, or
how can the permissions be assigned, for every object in the OU?

Thanks

 

[Guest]

Hi Clay,
are this accounts protected by AdminSDHolder. See MS KB Q817433 for this. If yes check the inheritance on the AdminSDHolder Object and wait for an hour.

Wolfgang

 

[Clay Calvert]

Wolfgang, they are not protected by AdminSDHolder. They are user accounts
with no special permissions.

Thanks

Hi Clay,
are this accounts protected by AdminSDHolder. See MS KB Q817433 for this.

If yes check the inheritance on the AdminSDHolder Object and wait for an
hour.