Exchange 2007 – inheritance broken on user accounts


I noticed a number of 2007 sites, both migrated and freshly installed, have an interesting issue of random user accounts having their inheritance switched off. I spoke to Dmitry at on how I could find these guys using PowerShell with the AD provider from Quest, and he came back with this:

Get-QADUser -DontUseDefaultIncludedProperties | where-object {$_.DirectoryEntry.PSBase.ObjectSecurity.AreAccessRulesProtected -eq $true}

Still working on how to fix them reliably using PowerShell; I’ll post back once I have something.


UPDATE ON THIS POST: Since posting this, the Quest AD PowerShell provider has changed versions and finding and fixing these is now REALLY easy!

Here’s a quote from Dmitry’s blog entry:

Seeing whether an AD object has permissions inheritance blocked is as easy as checking the object’s .PermissionInheritanceLocked property.

So for example, to get a list of all users in the domain who have inheritance off you just need to run:

Get-QADUser -SizeLimit 0 | where {$_.Security.PermissionInheritanceLocked}

I am using -SizeLimit 0 so I retrieve all users and not just the default 1000.

Fixing inheritance is even easier with the new Set-QADObjectSecurity cmdlet introduced in AD cmdlets 1.1.

So if you want to fix inheritance for all AD users (caution: you might want to just get the list of the accounts first using the command above to make sure you do not “fix” legitimate exceptions) you just need to pipe the collection into Set-QADObjectSecurity -UnlockInheritance:

Get-QADUser -SizeLimit 0 | where {$_.Security.PermissionInheritanceLocked} | Set-QADObjectSecurity -UnlockInheritance
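
The "get the list first" caution above, written out as a review-then-fix workflow. This is an added example, not code from the original post or from Dmitry's blog. It assumes the Quest snap-in is installed, that the adminCount attribute is readable on the returned objects when requested with -IncludedProperties, and that accounts with adminCount = 1 (stamped by AdminSDHolder, which disables inheritance on protected accounts) count as legitimate exceptions in your domain; the two file paths are placeholders.

```powershell
# Added example: review-then-fix workflow built on the Quest AD cmdlets quoted above.
# Assumption: the Quest snap-in is installed on this machine.
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

$reportPath   = 'C:\Temp\inheritance-locked.csv'     # placeholder path
$approvedPath = 'C:\Temp\inheritance-approved.csv'   # placeholder path

# 1. Snapshot every user whose ACL no longer inherits from its parent.
#    adminCount is requested explicitly so AdminSDHolder-protected accounts
#    can be told apart from accounts that are locked for no obvious reason.
$locked = Get-QADUser -SizeLimit 0 -IncludedProperties adminCount |
    Where-Object { $_.Security.PermissionInheritanceLocked }

$locked |
    Select-Object DN, SamAccountName,
        @{ Name = 'AdminCount';      Expression = { $_.adminCount } },
        @{ Name = 'LikelyProtected'; Expression = { $_.adminCount -eq 1 } } |
    Export-Csv -Path $reportPath -NoTypeInformation

Write-Host ("{0} account(s) written to {1} for review" -f @($locked).Count, $reportPath)

# 2. After review, copy the rows that should be fixed into $approvedPath.
#    Only those rows are touched; rows flagged LikelyProtected are skipped
#    even if they were left in the approved file by mistake.
if (Test-Path $approvedPath) {
    Import-Csv -Path $approvedPath |
        Where-Object { $_.LikelyProtected -ne 'True' } |
        ForEach-Object {
            # Re-read the object and re-check the flag, so an account that
            # was fixed by hand since the snapshot is not modified again.
            Get-QADUser -Identity $_.DN |
                Where-Object { $_.Security.PermissionInheritanceLocked } |
                Set-QADObjectSecurity -UnlockInheritance
        }
}
```

Keep the first CSV after the change: it is the only record of which accounts had inheritance locked before the fix was applied.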