

Active Directory : Restore Default Permissions on Organizational Units (OU)

Sometimes we have problems with permissions on Active Directory Organizational Units (OU). For example, a support user or another admin deletes some of the permissions!
Now we have a problem, and we must restore the default permissions on the OU.

Here is a real example from my TestLAB. I have an OU called MCA. Right-click the MCA OU, select Properties, select Security, then click Advanced. You can view the ACEs.

And here is the OU owner (Domain Admins).

Now, I clear the "Include inheritable permissions from this object's parent" check box, then I delete the other ACEs.

Then, I change the owner from the Domain Admins group to the user Administrator.

Now, I select the Object tab and clear the "Protect object from accidental deletion" check box.

Then, I give delegated permissions to three users. User Ed Price has some delegated permissions on user objects. User Richard Mueller has some delegated permissions on computer objects. User Patris has delegated permission for moving computers.

The question is: how can we easily restore the default permissions on the OU?
Here is the solution. I create a new OU, called DefaultOUPermissions.
Right-click the domain name, select New, then click Organizational Unit.

Type the OU name, then click OK.

I check the ACEs and the default owner.

Now we use the MAGIC tool, called PowerShell. Open the Active Directory Module for Windows PowerShell with Run as Administrator.
We use the Get-Acl and Set-Acl commands, but first we need to change the current location to the AD: drive, because Get-Acl and Set-Acl only resolve directory objects through the AD provider. Run the following command first:

Set-Location AD:

Then, we must take a sample of the default permissions (ACEs, owner, and so on) from the new OU. Run the following command (my sample OU name is DefaultOUPermissions and the domain name is Contoso.com):

$OUDefaultAcl = (Get-Acl "AD:OU=DefaultOUPermissions,DC=Contoso,DC=Com")

Now, I restore the MCA permissions to the default by writing that sample security descriptor onto the MCA OU. Run the following command:

Set-Acl "AD:OU=MCA,DC=Contoso,DC=Com" -AclObject $OUDefaultAcl
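The following script is an added example and is not part of the original article; it wraps the same Get-Acl / Set-Acl procedure in the checks a practitioner would want before overwriting an OU's security descriptor. Set-Acl replaces the owner and the whole DACL of the target, so any delegation that was applied on purpose disappears together with the accidental changes. The script therefore saves each target's current descriptor as SDDL, lists the explicit ACEs that the template does not carry, applies the template, and verifies owner, ACE count, and the "Protect object from accidental deletion" flag afterwards. The OU names and domain are the ones used in the article; the backup folder C:\ACLBackup is an assumption.

```powershell
# Added example (not from the original article): copy the default OU security
# descriptor from a template OU onto one or more target OUs, with a backup of
# each target's current ACL and a verification step afterwards.
# Assumptions: the ActiveDirectory module is installed, the shell runs as a user
# allowed to write OU security descriptors, and the OU/domain names below are
# the ones used in the article. C:\ACLBackup is a hypothetical backup folder.
Import-Module ActiveDirectory

$TemplateOU = "OU=DefaultOUPermissions,DC=Contoso,DC=Com"
$TargetOUs  = @("OU=MCA,DC=Contoso,DC=Com")
$BackupDir  = "C:\ACLBackup"

# Get-Acl / Set-Acl resolve directory objects only through the AD: provider.
Set-Location AD:
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

$DefaultAcl = Get-Acl -Path "AD:\$TemplateOU"
$templateExplicit = $DefaultAcl.Access | Where-Object { -not $_.IsInherited }
Write-Host "Template owner: $($DefaultAcl.Owner)"
Write-Host "Template explicit ACEs: $($templateExplicit.Count)"
$templateIds = $templateExplicit | ForEach-Object { $_.IdentityReference.Value }

foreach ($ou in $TargetOUs) {
    $current = Get-Acl -Path "AD:\$ou"

    # Keep the current descriptor as SDDL so a deliberate delegation that is
    # about to be wiped can be re-applied later if somebody needs it.
    $stamp = Get-Date -Format "yyyyMMdd-HHmmss"
    $file  = Join-Path $BackupDir ("{0}-{1}.sddl" -f ($ou -replace '[=,]', '_'), $stamp)
    $current.Sddl | Out-File -FilePath $file -Encoding ASCII
    Write-Host "Backed up $ou to $file"

    # Show what the overwrite removes: explicit ACEs whose trustee is not in the template.
    $current.Access |
        Where-Object { -not $_.IsInherited -and $templateIds -notcontains $_.IdentityReference.Value } |
        ForEach-Object {
            Write-Host ("  will remove: {0} {1} {2}" -f $_.IdentityReference, $_.AccessControlType, $_.ActiveDirectoryRights)
        }

    # Apply the template descriptor (owner and DACL). Add -WhatIf on a first run.
    Set-Acl -Path "AD:\$ou" -AclObject $DefaultAcl

    # Verify owner, explicit ACE count and accidental-deletion protection.
    $after = Get-Acl -Path "AD:\$ou"
    Write-Host "$ou owner now: $($after.Owner)"
    Write-Host "$ou explicit ACEs now: $(($after.Access | Where-Object { -not $_.IsInherited }).Count)"
    $obj = Get-ADOrganizationalUnit -Identity $ou -Properties ProtectedFromAccidentalDeletion
    if (-not $obj.ProtectedFromAccidentalDeletion) {
        Set-ADOrganizationalUnit -Identity $ou -ProtectedFromAccidentalDeletion $true
    }
}
```

Because the template OU sits directly under the domain root, the ACEs it inherits come from the domain object; a target OU nested elsewhere will recompute its inherited ACEs from its own parent once inheritance is enabled again, so compare the explicit ACEs, not the full list, when you check the result.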

I check MCA. As you see, all permissions are restored and the delegated permissions are deleted.

The owner is restored to the Domain Admins group.

"Protect object from accidental deletion" is checked again.

Please, if you find this article useful, write your own article on TechNet Wiki to help the TechNet Wiki community.