Monday, October 4, 2010

Restart the domain controller in Directory Services Restore Mode Remotely

An extremely useful article for when you need to boot a domain controller into Directory Services Restore Mode remotely:

http://technet.microsoft.com/en-us/library/cc779687(WS.10).aspx

Assign permissions to the tree of OUs when inheritance is turned off (through PowerShell)

Recently I needed to add permission to move computer objects to OUs for a group of users. I added the permissions to the "root" OU and tested it: everything worked great.
After I reported that the task was done, I heard from the users in that group that they still got 'Access is denied' when trying to move computer objects. I discovered that permissions inheritance was disabled in AD for most of the sub-OUs. So, there were more than 1,000 OUs to add permissions to.
The following script took care of the task for me:
# Requires Quest "Active Roles Management Shell for Active Directory".

# Put the following in a text file saved as *.ps1:

# Load the Quest AD cmdlets
Add-PSSnapin Quest.ActiveRoles.ADManagement
$OU = "root OU DN"
# Walk every OU under the root and grant the group the right to create computer objects
Get-QADObject -SearchRoot $OU -SearchScope 'SubTree' -Type organizationalUnit -SizeLimit 0 |
    Add-QADPermission -Account "domainname\user group to add permissions" -Rights CreateChild -ApplyTo All -ChildType Computer
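
A read-only audit to run before and after a bulk change like the one above, added here as an example and not part of the original post: it lists which OUs under the root have inheritance disabled and whether the group actually holds a CreateChild ACE for computer objects on each one. It uses the Microsoft ActiveDirectory module instead of the Quest cmdlets; the root OU DN, the group name and the CSV file name are placeholder assumptions.

```powershell
# Added example: read-only audit, uses the Microsoft ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Placeholders (assumptions): replace with your root OU DN and delegated group.
$RootOU  = 'OU=Root,DC=example,DC=com'
$Account = 'EXAMPLE\Computer Movers'

# schemaIDGUID of the computer class; an ACE scoped to it has this ObjectType.
$ComputerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$CreateChild   = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild

$report = Get-ADOrganizationalUnit -SearchBase $RootOU -SearchScope Subtree -Filter * |
    ForEach-Object {
        $acl = Get-Acl -Path ("AD:\" + $_.DistinguishedName)

        # Allow ACEs for the group that grant CreateChild on computer objects
        # (ObjectType is the computer class, or the empty GUID meaning any class).
        $aces = @($acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $Account -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band $CreateChild) -and
            ($_.ObjectType -eq $ComputerClass -or $_.ObjectType -eq [guid]::Empty)
        })

        [pscustomobject]@{
            OU                  = $_.DistinguishedName
            InheritanceDisabled = $acl.AreAccessRulesProtected
            HasCreateComputer   = $aces.Count -gt 0
            ExplicitAce         = @($aces | Where-Object { -not $_.IsInherited }).Count -gt 0
        }
    }

# OUs where the delegation is missing: moves into these still fail.
$report | Where-Object { -not $_.HasCreateComputer } | Format-Table -AutoSize

# OUs that block inheritance and therefore carry their own explicit ACEs.
$report | Where-Object { $_.InheritanceDisabled } |
    Sort-Object OU | Export-Csv -Path .\ou-delegation-audit.csv -NoTypeInformation
```

Keeping the CSV gives a record of every OU that carries its own explicit delegation, which is what has to be revisited if the group's rights are later reduced or removed.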