How do I check if inheritance is turned off on multiple users?


  • How do I check if inheritance is turned off on multiple users?

    How do I check if inheritance is turned off on multiple users? I note that I was having an issue, where a lesser-than-domain admins group didn't have permission to modify a particular user. After further investigation, it is revealed that INHERITANCE has been turned off for this particular user. I am now wanting to run a query, to check for all users that have INHERITANCE turned off, to make sure that I can see who they are, and then turn the inheritance back on.

    If anyone has any ideas, thanks in advance!

  • #2
    Re: How do I check if inheritance is turned off on multiple users?

    I'm not sure if this is what you are looking for or not. Select a few users in the right-hand window, then right-click and choose Account Functions->List Directory Security. The results are the directory security set on those selected user objects, meaning what users/groups have what level of permission for those user objects.

    Inherited permissions show a grayed out icon in the left column. So, any users that don't have any grayed out icons I would assume have the inherit checkbox unchecked.



    • #3
      Re: How do I check if inheritance is turned off on multiple users?

      You have given me a great hint.

      Can I query for active directory security entries for this information:

      Show me all of the Objects that don't have an entry for domain\groupX under the Member field?

      If not, I suspect that I may end up exporting a seriously massive report into Excel, and trying to copy/paste this information, but, at the least, you have shown me how I can get an exportable version of this information.



      • #4
        Re: How do I check if inheritance is turned off on multiple users?

        I don't see a way to do that one. You can filter for data in the right-hand window, but in the case of identifying users that don't have an entry, I can't see a way for that one.



        • #5
          Re: How do I check if inheritance is turned off on multiple users?

          Thanks. If I ever find out what the attribute is called that indicates whether inheritance is on or off, I'll be sure to let you know.

          Thanks for your help. You've gotten me a lot further along than I would be, otherwise.



          • #6
            Re: How do I check if inheritance is turned off on multiple users?

            I found these notes. It appears the toggle is called "SE_DACL_PROTECTED" and when it is set to 0, that means inheritance is turned on.

            This page lists VBScript for setting the parameter.
            http://redmondmag.com/columns/print....torialsID=1600

            I hope this helps!



            • #7
              Re: How do I check if inheritance is turned off on multiple users?

              After looking at this script, I see that it is looking at the security descriptor, which Hyena can show in Microsoft's text format for any AD object. You can see it by right-clicking, selecting Query Active Directory->View All Directory Attributes. The format used by Microsoft is documented here:
              http://msdn.microsoft.com/en-us/library/aa379570.aspx

              I looked at the information returned by Windows and to be honest it's hard to translate, but I think if you look for the D:, then for the first code and look for the 'P', i.e. D:P indicates what you are looking for.

              If you find what you want, then you can easily create or modify one of Hyena's user queries to add the ntsecuritydescriptor attribute.
              Kevin Stanush
              SystemTools Software Inc.
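
The check described in the post above (find the `D:` component of the security descriptor text and look for `P` among its flags), written out as an added example that is not part of the original thread or of Hyena. It assumes the `ntsecuritydescriptor` text has been exported as (account, SDDL) pairs in the usual owner, group, DACL, SACL order; the function names and the sample rows are constructed for illustration.

```python
import re

# Optional owner/group components, then the DACL flag run that precedes the
# first ACE "(", the SACL "S:" or the end of the string.
_SID = r"(?:S-[0-9-]+|[A-Z]{2})"   # full SID or two-letter alias such as DA
_DACL = re.compile(
    rf"^(?:O:{_SID})?(?:G:{_SID})?D:(?P<flags>[A-Z_]*?)(?=\(|S:|$)"
)
# Flags are written back to back ("PAI", "PARAI"), so split them by token.
_TOKENS = ("NO_ACCESS_CONTROL", "AR", "AI", "P")


def dacl_flags(sddl):
    """Return the set of DACL flags, or None if the string has no D: part."""
    m = _DACL.match(sddl.strip())
    if m is None:
        return None
    rest, flags = m.group("flags"), set()
    while rest:
        tok = next((t for t in _TOKENS if rest.startswith(t)), None)
        if tok is None:
            raise ValueError(f"unrecognised DACL flags: {rest!r}")
        flags.add(tok)
        rest = rest[len(tok):]
    return flags


def inheritance_blocked(rows):
    """rows: (account, sddl) pairs -> (accounts with P set, accounts with no DACL)."""
    blocked, unknown = [], []
    for account, sddl in rows:
        flags = dacl_flags(sddl)
        if flags is None:
            unknown.append(account)      # descriptor text carried no D: part
        elif "P" in flags:
            blocked.append(account)      # SE_DACL_PROTECTED: inheritance off
    return blocked, unknown


# Constructed sample rows (not real accounts or real descriptors).
SAMPLE = [
    ("alice", "O:DAG:DAD:AI(A;;RPWP;;;DA)(A;CIID;GA;;;SY)"),
    ("bob", "O:DAG:DAD:PAI(A;;GA;;;DA)"),
    ("carol", "O:DAG:DAD:PARAI(A;;GA;;;SY)S:AI(AU;SA;WP;;;WD)"),
    ("dave", "O:S-1-5-21-1-2-3-512G:DAD:(A;;GA;;;DA)"),
    ("erin", "O:DAG:DA"),
    ("frank", "O:DAG:DAD:PS:AI(AU;SA;WP;;;WD)"),
]

if __name__ == "__main__":
    print(inheritance_blocked(SAMPLE))
```

Accounts in the second list had no `D:` component in the exported text, so their inheritance state cannot be judged from that export and they need a separate look.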



              • #8
                Re: How do I check if inheritance is turned off on multiple users?

                Thanks for the excellent follow-up. Showing the Microsoft documentation made everything come full circle for me. [se_dacl_protected] was meaningless otherwise, to tell the truth.

                Thanks!

