@notesbytom
Last active September 10, 2018 19:02
Fix AdminSDHolder SDProp Protected Users in Active Directory
$ErrorActionPreference = "Stop"
Import-Module ActiveDirectory

# Put usernames one-per-line in a text (CSV) file with the header line: Username
# Set this to the path of your input CSV file.
$CSVFilePath = "TroubleUsers.csv"

# This script clears the adminCount attribute and re-enables inheritance on the
# object's Access Control List (ACL) in AD for each listed user.
$users = Import-Csv $CSVFilePath | Sort-Object Username
$groups = @()   # every group any listed user belongs to (reported at the end)

foreach ($user in $users) {
    $aduser = Get-ADUser $user.Username -Properties ntSecurityDescriptor, adminCount
    # Show the state before the change: adminCount and whether inheritance is blocked
    $aduser | Select-Object Name, SamAccountName, adminCount,
        @{Name = "AreAccessRulesProtected"; Expression = { $_.ntSecurityDescriptor.AreAccessRulesProtected }}

    $adgroups = Get-ADPrincipalGroupMembership $aduser
    foreach ($group in $adgroups) {
        $groupname = $group.SamAccountName
        if ($groups -notcontains $groupname) {
            $groups += $groupname   # add group name to the list
        }
    }

    if ($aduser.ntSecurityDescriptor.AreAccessRulesProtected -or
        ($null -ne $aduser.adminCount -and $aduser.adminCount -gt 0)) {
        # Update the security descriptor in memory before the Set command (ENABLE INHERITANCE).
        # SetAccessRuleProtection(bool isProtected, bool preserveInheritance)
        $aduser.ntSecurityDescriptor.SetAccessRuleProtection($false, $true)
        Set-ADUser -Identity $aduser -Replace @{ntSecurityDescriptor = $aduser.ntSecurityDescriptor} `
            -Clear "adminCount" -Verbose
    }
}

"Look for Protected Groups - these will cause hourly SDProp to re-apply object protection (AdminSDHolder)"
$groups | Sort-Object

# Inspired by the following articles:
# https://blogs.msdn.microsoft.com/muaddib/2013/12/30/how-to-modify-security-inheritance-on-active-directory-objects-using-powershell/
# https://social.technet.microsoft.com/Forums/office/en-US/ed7e5c9f-b455-4878-8970-16e362717245/ad-user-update-inheritable-persmission
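The gist prints each user's groups so you can spot protected ones by eye. The following is an added example (my code, not part of the gist) that automates that check across the whole domain: it finds every user with adminCount=1 and reports whether the account is an orphan (safe to clean up with the script above) or is still a nested member of a protected group (SDProp will re-protect it). It assumes the ActiveDirectory module, a domain-joined session, and the default AdminSDHolder-protected group list shown in the code, which your domain may have altered.

```powershell
# Added example, not part of the gist above: report which adminCount=1 users
# are "orphans" (no longer in any protected group, so the clean-up sticks)
# and which are still protected (SDProp will re-apply AdminSDHolder within
# the hour, so remove the membership first or leave them alone).
# Assumes the ActiveDirectory module and a domain-joined session.
$ErrorActionPreference = "Stop"
Import-Module ActiveDirectory

# Default AdminSDHolder-protected groups. Assumption: the domain has not changed
# the defaults via dsHeuristics; edit this list to match your environment.
$protectedGroups = @(
    "Account Operators", "Administrators", "Backup Operators",
    "Domain Admins", "Domain Controllers", "Enterprise Admins",
    "Print Operators", "Read-only Domain Controllers", "Replicator",
    "Schema Admins", "Server Operators"
)

# SID -> name of the protected group that (transitively) contains it.
$protectedSids = @{}
foreach ($name in $protectedGroups) {
    $group = Get-ADGroup -Filter "Name -eq '$name'"
    if (-not $group) { continue }   # group absent on older forest levels
    Get-ADGroupMember -Identity $group -Recursive |
        ForEach-Object { $protectedSids[$_.SID.Value] = $name }
}

# Every user that currently carries the adminCount flag.
$flagged = Get-ADUser -LDAPFilter "(adminCount=1)" -Properties adminCount, ntSecurityDescriptor

$report = foreach ($u in $flagged) {
    $via = $protectedSids[$u.SID.Value]
    # krbtgt is protected by AdminSDHolder directly, not through a group.
    if ($u.SamAccountName -eq "krbtgt") { $via = "krbtgt (always protected)" }
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        StillProtected = [bool]$via
        ProtectedVia   = $via
        InheritanceOff = $u.ntSecurityDescriptor.AreAccessRulesProtected
    }
}

"Orphans - safe to clean up with the script above:"
$report | Where-Object { -not $_.StillProtected } | Sort-Object SamAccountName | Format-Table -AutoSize
"Still protected - fix the group membership first:"
$report | Where-Object { $_.StillProtected } | Sort-Object SamAccountName | Format-Table -AutoSize
```

Run it before the clean-up to build TroubleUsers.csv from the orphan list, and again an hour or more afterwards to confirm SDProp has not re-flagged anyone.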