Mass Permission Changes in AD

[exx]

Is it at all possible to add permissions to multiple accounts
simultaneously? I need to add 3 deny entries to all accounts in our AD to
hide their home address and phone number from being viewable from, for
example, Outlook. Basically what I've done right now is create a "Personal
Info Deny" group and am planning to use that group for the 3 deny entries.
We currently have nearly 400 users, so it'll be a bit of a painful task.
Inheritance doesn't seem to be an option because all the default permissions
override the inherited deny on that account. Is there a better way to
approach this?

Thanks!
Matt

 

[BigHaig]

Use delegate control from the OU to push this deny down. PLEASE TEST THIS
ON A SAMPLE OU and USERS first.

 

[Joe Richards [MVP]]

Yeah you will need to script this. As you have noticed, inherited permissions
won't override explicit so you will have to put explicit permissions into place.

 

[exx]

Thanks for your response, but I don't see any option via Delegate Control to
deny permissions, just grant. Is there something I'm overlooking?

 

[exx]

Joe, any take on BigHaig's response regarding delegating control? I don't
quite understand how that'd work. As for scripting, do you have any
resources I can reference in order to do this?

Thanks!

 

[Joe Richards [MVP]]

It wouldn't work the way he/she says.