I needed to find the computer objects in an AD OU that had inheritance disabled. Did the following:
```powershell
# Requires the ActiveDirectory module, which provides the AD: PSDrive used by Get-Acl
Import-Module ActiveDirectory

Get-ADComputer -SearchBase "OU=something,DC=myDomain,DC=com" -Filter * |
    Where-Object {
        $Computer = $_.DistinguishedName
        # AreAccessRulesProtected is $True when inheritance from the parent is disabled
        (Get-Acl "AD:\$Computer").AreAccessRulesProtected -eq $True
    } |
    Format-Table Name
```
And to extend this to enable inheritance on the affected objects:
```powershell
Get-ADComputer -SearchBase "OU=something,DC=myDomain,DC=com" -Filter * |
    ForEach-Object {
        $Computer = $_.DistinguishedName
        $ACL = Get-Acl "AD:\$Computer"
        if ($ACL.AreAccessRulesProtected -eq $True) {
            # $False = stop blocking inheritance; $True = keep the explicit ACEs already on the object
            $ACL.SetAccessRuleProtection($False, $True)
            Set-Acl "AD:\$Computer" -AclObject $ACL
        }
    }
```
Update (16th June 2022):
Reader Aleksey Avdeev sent the following one-liner:
```powershell
Get-ADComputer -SearchBase (Get-ADDomain).DistinguishedName -Filter * -Properties nTSecurityDescriptor |
    Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected } |
    Format-Table SamAccountName, Name
```
Nice one! Way better than the one I came up with. I didn't realize you could just pull the nTSecurityDescriptor property and query that. I also like how he gets the DN of the domain from Get-ADDomain.

Also, as an FYI, the same cmdlet can be run for users too via Get-ADUser instead of Get-ADComputer.
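The following script is an added example, not code from the post or from Aleksey; it combines the nTSecurityDescriptor query above with the inheritance-restoring loop earlier in the post, covers both computer and user objects, and writes a report of the explicit ACEs before anything is changed. It assumes the ActiveDirectory module is installed, that the caller can read and write security descriptors in the search base, and the parameter names ($SearchBase, $ReportPath, -Restore) and the report path are my own choices.

```powershell
# Added example (not from the original post): audit computer and user objects whose
# DACL no longer inherits from its parent, record their explicit ACEs, and optionally
# re-enable inheritance. Supports -WhatIf so the change can be previewed first.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumed defaults: whole domain, CSV in the current directory
    [string]$SearchBase = (Get-ADDomain).DistinguishedName,
    [string]$ReportPath = ".\ProtectedAcls.csv",
    [switch]$Restore      # re-enable inheritance on the objects that are found
)

Import-Module ActiveDirectory -ErrorAction Stop

# Pull the security descriptor as a property, so no per-object Get-Acl round-trip is needed.
# adminCount is included because SDProp re-disables inheritance on protected accounts.
$props = 'nTSecurityDescriptor', 'adminCount'
$objects = @(
    Get-ADComputer -SearchBase $SearchBase -Filter * -Properties $props
    Get-ADUser     -SearchBase $SearchBase -Filter * -Properties $props
)

$protected = $objects | Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected }

# Keep a record of the pre-change state: which explicit (non-inherited) ACEs each object carries
$report = foreach ($obj in $protected) {
    $explicitAces = @($obj.nTSecurityDescriptor.Access | Where-Object { -not $_.IsInherited })
    [pscustomobject]@{
        ObjectClass        = $obj.ObjectClass
        SamAccountName     = $obj.SamAccountName
        DistinguishedName  = $obj.DistinguishedName
        AdminCount         = $obj.adminCount
        ExplicitAceCount   = $explicitAces.Count
        ExplicitIdentities = ($explicitAces.IdentityReference | Sort-Object -Unique) -join ';'
    }
}

$report | Export-Csv -Path $ReportPath -NoTypeInformation
$report | Format-Table ObjectClass, SamAccountName, AdminCount, ExplicitAceCount -AutoSize

if ($Restore) {
    foreach ($obj in $protected) {
        $path = "AD:\$($obj.DistinguishedName)"
        $acl  = Get-Acl -Path $path
        # $false = stop blocking inheritance; $true = preserve the explicit ACEs already present
        $acl.SetAccessRuleProtection($false, $true)
        if ($PSCmdlet.ShouldProcess($obj.DistinguishedName, 'Re-enable ACL inheritance')) {
            Set-Acl -Path $path -AclObject $acl
        }
    }
}
```

Run it once without -Restore to get the CSV, then with `-Restore -WhatIf` to see what would change, and only then with `-Restore`. Passing $true as the second argument to SetAccessRuleProtection keeps the existing explicit ACEs, so re-enabling inheritance only adds the parent's rules rather than removing anything; review the ExplicitIdentities column for entries that should not be there in any case. Rows with AdminCount = 1 are accounts that the AdminSDHolder process (SDProp) deliberately protects; it will disable inheritance on them again on its next run, so those are normally excluded from the fix rather than repeatedly reverted.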