Windows Vista Forums

Bulk modify AD
  1. #1


    jer Guest

    Bulk modify AD

    Hello!

    Using Powershell Scripting to Bulk Modify Active Directory Objects
    http://msexchangeteam.com/archive/20...19/447301.aspx


    I would like to bulk modify the "Allow inheritable permissions from parent
    to propagate to this object" check box.
    I've tried:
    [PS] C:\\admodify.ps1 "OU=test,OU=Dev,DC=lab,DC=ad" "(&(objectClass=user))" Subtree DACL_PROTECTED 4096



    Result:
    WARNING: System.DirectoryServices.DirectoryServicesCOMException (0x8007200A):
    The specified directory service attribute or value does not exist.
    (Exception from HRESULT: 0x8007200A)

    Any suggestions how this could be accomplished?

    Regards
    Jan Egil R.



  2. #2


    RichS Guest

    RE: Bulk modify AD

    The short answer is that you cannot accomplish this task in this way. The
    "Allow inheritable permissions from parent to propagate to this object"
    check box is not an AD attribute and cannot be modified by any variation of
    the script you are trying to use.

    If you use ADSIEdit to examine an OU you will see that such an attribute
    doesn't exist - which is why you are getting the error message.

    The checkbox is set on the security tab of the object - use the Advanced tab
    to view

    To change the setting with a script you need something like this

    ## sets the "Allow inheritable permissions from parent to propagate to this object" check box

    $ou = [ADSI]"LDAP://ou=sectest2,ou=sectest,dc=psuguk,dc=org"
    $sec = $ou.psbase.objectSecurity

    $isProtected = $false ## allows inheritance
    $preserveInheritance = $true ## preserve inherited rules

    $sec.SetAccessRuleProtection($isProtected, $preserveInheritance)
    $ou.psbase.commitchanges()

    You will need to wrap this code with loops through whatever objects you need
    to set this for
    --
    Richard Siddaway
    Please note that all scripts are supplied "as is" and with no warranty
    Blog: http://richardsiddaway.spaces.live.com/
    PowerShell User Group: http://www.get-psuguk.org.uk
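
The snippet above acts on the single object named in the LDAP path. The following added example (not part of the original post, and not RichS's code) wraps the same SetAccessRuleProtection call in a loop over the user objects under an OU. The OU path is taken from the question; the parameter names, the filter, the adminCount check and the status values are assumptions of this example.

```powershell
# Added example: re-enable DACL inheritance on every user object below an OU.
# Parameter names, filter and status strings are illustrative choices.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase = 'LDAP://OU=test,OU=Dev,DC=lab,DC=ad',
    # objectClass=user alone also matches computer accounts; objectCategory=person excludes them
    [string]$Filter     = '(&(objectCategory=person)(objectClass=user))'
)

$searcher = New-Object System.DirectoryServices.DirectorySearcher(([ADSI]$SearchBase), $Filter)
$searcher.SearchScope = 'Subtree'
$searcher.PageSize    = 500    # paged search so large OUs are not truncated
[void]$searcher.PropertiesToLoad.Add('distinguishedName')
[void]$searcher.PropertiesToLoad.Add('adminCount')

$results = $searcher.FindAll()
foreach ($result in $results) {
    $dn    = [string]$result.Properties['distinguishedname'][0]
    $entry = $result.GetDirectoryEntry()
    # Read and write only the DACL, leaving owner, group and SACL untouched
    $entry.psbase.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Dacl
    $sec    = $entry.psbase.ObjectSecurity
    $status = 'AlreadyInherits'

    if ($sec.AreAccessRulesProtected) {
        # adminCount=1 marks accounts that are or were in protected groups. For current
        # members SDProp re-applies the AdminSDHolder DACL with inheritance disabled,
        # so these are reported for review instead of being changed.
        if ($result.Properties.Contains('admincount') -and $result.Properties['admincount'][0] -eq 1) {
            $status = 'SkippedAdminCount'
        }
        elseif ($PSCmdlet.ShouldProcess($dn, 'Enable permission inheritance')) {
            $sec.SetAccessRuleProtection($false, $true)   # $false = not protected, inherit from parent
            $entry.psbase.CommitChanges()
            $status = 'InheritanceEnabled'
        }
        else { $status = 'NotChanged' }
    }
    [pscustomobject]@{ DistinguishedName = $dn; Status = $status }
    $entry.psbase.Dispose()
}
$results.Dispose()
```

Running the script with -WhatIf first lists the objects whose inheritance flag would change without committing anything.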



  3. #3


    jer Guest

    Re: Bulk modify AD

    Thanks for your reply, I've tested by putting your script in a ps1 file and
    edited the LDAP-string.

    I cleared the "Allow inheritable permissions from parent to propagate to
    this object" check box for a test-user in the test-OU I specified in the
    LDAP-string.

    The script runs without any errors, but I can't see the check box being
    checked afterwards.

    Any idea what could be wrong?



