I had already used the Delegation of Control wizard to give a front-line engineers group permissions on the Users OU, so this was very strange. After investigating further I found that he didn't have permissions on some of the users.
It turned out that, for some reason, a number of objects in the OU had the "Include inheritable permissions from this object's parent" checkbox unchecked. Delegating control on the OU therefore had no effect on those objects, because they were not inheriting the OU's permissions at all.
If this had been a single account it would be an easy fix: check the box and the object inherits again. However, I identified the issue on older user accounts only, there were hundreds of them, and fixing them one by one could take hours. After some research I found that Windows Server has a built-in command-line tool, dsacls (dsacls.exe), which is installed with the AD DS role.
Resolution
1. Open an administrative Command Prompt.
2. To reset the ACL on an OU and all of its sub-objects, type the following.
dsacls "OU=USERS,DC=domain,DC=com" /S /T
The /S switch tells dsacls to restore the security on the object to the default for its object class (taken from the schema; for a user object this means the default user security descriptor), and /T tells it to do the same for every object in the tree below the OU (/T is only valid together with /S). Because the default descriptor is not protected from inheritance, the objects start inheriting the OU's delegated permissions again.
One caveat before running this on a large OU: /S /T replaces the whole DACL on every object in the tree, so any explicit permissions that were deliberately set on individual accounts are discarded too. Check for such entries first if anything else relies on them.
For full details on how to use dsacls see MS KB http://support.microsoft.com/kb/281146
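The procedure above resets everything under the OU to the schema default. The PowerShell below is an added example, not from the original post, that does the narrower job: it lists the user objects under the OU whose "Include inheritable permissions" box is unchecked (the protected flag on the security descriptor) and, on request, re-enables inheritance on them while leaving their existing explicit ACEs in place. It assumes the RSAT ActiveDirectory module is available and reuses the post's OU path, whose domain is a placeholder.

```powershell
# Added example (not from the original post): report user objects under an OU whose DACL
# is protected from inheritance, and optionally re-enable inheritance without resetting
# the ACL. Assumes the RSAT ActiveDirectory module; the OU/domain below is a placeholder.
Import-Module ActiveDirectory

function Get-ProtectedUsers {
    param([Parameter(Mandatory)][string]$SearchBase)

    # AreAccessRulesProtected is true exactly when "Include inheritable permissions
    # from this object's parent" is unchecked on the object.
    Get-ADUser -SearchBase $SearchBase -SearchScope Subtree -Filter * `
        -Properties nTSecurityDescriptor, adminCount, whenCreated |
    Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected } |
    Select-Object SamAccountName, whenCreated, adminCount, DistinguishedName
}

function Enable-UserInheritance {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$DistinguishedName,
        [Parameter(ValueFromPipelineByPropertyName)]$AdminCount
    )

    process {
        # Objects with adminCount=1 are rewritten from AdminSDHolder by SDProp (about
        # every 60 minutes) and get the protected flag set again, so the fix will not
        # stick on them until the account is out of every protected group and
        # adminCount has been cleared. Flag them instead of silently "fixing" them.
        if ($AdminCount -eq 1) {
            Write-Warning "$DistinguishedName has adminCount=1 (AdminSDHolder/SDProp); skipping"
            return
        }
        if ($PSCmdlet.ShouldProcess($DistinguishedName, 'Enable permission inheritance')) {
            $acl = Get-Acl -Path "AD:\$DistinguishedName"
            # isProtected=$false re-enables inheritance; the second argument is ignored
            # when isProtected is $false. Explicit ACEs on the object are left untouched.
            $acl.SetAccessRuleProtection($false, $false)
            Set-Acl -Path "AD:\$DistinguishedName" -AclObject $acl
        }
    }
}

$ou = 'OU=USERS,DC=domain,DC=com'   # OU from the post; the domain is a placeholder

# 1. Inventory: which accounts are not inheriting, and how old are they?
$protected = Get-ProtectedUsers -SearchBase $ou
$protected | Sort-Object whenCreated | Format-Table -AutoSize

# 2. Dry run, then apply. Re-run Get-ProtectedUsers afterwards; it should return nothing
#    except accounts that were skipped because of adminCount=1.
$protected | Enable-UserInheritance -WhatIf
# $protected | Enable-UserInheritance
```

If you prefer to stay with dsacls, the equivalent per-object change is the /P switch, which only toggles the protected flag: dsacls "<object DN>" /P:N turns inheritance back on for that one object without touching the rest of its ACL, whereas /S /T resets every object in the tree to the class default.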