

PowerShell Trick: Use AD PSProvider to enable inheritance

When you import the ActiveDirectory PowerShell module, a PSDrive named AD: is mapped as well. This AD PSProvider is largely untapped, and it can be used for some very handy automation scenarios, such as reading and writing the security descriptor of a directory object with the ordinary Get-Acl and Set-Acl cmdlets.

A recent requirement involved enabling inheritance on several AD user accounts so that they could connect their mobile devices to Exchange.

Below is the code showing how to do this using the AD PSProvider:

First, change to the location containing your user (or use the absolute DN of the user, e.g. AD:\CN=test 123,OU=...) and get the ACL object:

PS AD:\OU=AirWatchTest,OU=ExchangeUsers,DC=dex,DC=com> ls

Name                 ObjectClass          DistinguishedName
----                 -----------          -----------------
Abdul.Yanwube        user                 CN=Abdul.Yanwube,OU=AirWatchTest,OU=ExchangeUsers,DC=dex,DC=com
test 123             user                 CN=test 123,OU=AirWatchTest,OU=ExchangeUsers,DC=dex,DC=com
xyz abc              user                 CN=xyz abc,OU=AirWatchTest,OU=ExchangeUsers,DC=dex,DC=com

PS AD:\OU=AirWatchTest,OU=ExchangeUsers,DC=dex,DC=com> $ACL = Get-Acl -Path '.\CN=test 123'

Once you have the ACL object you can manipulate the local copy using its SetAccessRuleProtection method. Its first argument, isProtected, is what the "Enable inheritance" checkbox toggles: $false re-enables inheritance, $true blocks it. The second argument, preserveInheritance, only matters when isProtected is $true (it decides whether the inherited ACEs are copied onto the object or dropped) and is ignored when you pass $false. You can also read the current state from the AreAccessRulesProtected property before changing anything:

PS AD:\OU=AirWatchTest,OU=ExchangeUsers,DC=dex,DC=com> $ACL.SetAccessRuleProtection

MemberType          : Method
OverloadDefinitions : {System.Void SetAccessRuleProtection(bool isProtected, bool preserveInheritance)}
TypeNameOfValue     : System.Management.Automation.PSMethod
Value               : System.Void SetAccessRuleProtection(bool isProtected, bool preserveInheritance)
Name                : SetAccessRuleProtection
IsInstance          : True

PS AD:\OU=AirWatchTest,OU=ExchangeUsers,DC=dex,DC=com> $ACL.SetAccessRuleProtection($False,$true)

Nothing has been written to the directory yet. To set the modified ACL back on the object we use the AD PSProvider again, this time with Set-Acl (-ver is the abbreviated -Verbose switch, which shows the write against the DN):

PS AD:\OU=AirWatchTest,OU=ExchangeUsers,DC=dex,DC=com> Set-Acl -AclObject $ACL -Path '.\CN=test 123' -ver
VERBOSE: Performing operation "Set-Acl" on Target "AD:\CN=test 123,OU=AirWatchTest,OU=ExchangeUsers,DC=dex,DC=com".
VERBOSE: Performing operation "Set" on Target "CN=test 123,OU=AirWatchTest,OU=ExchangeUsers,DC=dex,DC=com".
PS AD:\OU=AirWatchTest,OU=ExchangeUsers,DC=dex,DC=com>
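The interactive steps above scale badly when "several" accounts turns into an OU full of them. Below is an added example (my own code, not the original post's) that wraps the same Get-Acl / SetAccessRuleProtection / Set-Acl sequence into a function that scans an OU, touches only users whose ACL is actually protected, supports -WhatIf for a dry run, and by default skips accounts with adminCount=1, because those are covered by AdminSDHolder and the SDProp process on the PDC emulator would simply re-protect them within about an hour. The OU and domain names are the placeholder values from the post; the function name and its parameters are my own.

```powershell
# Added example, not code from the original post. Re-enables ACL inheritance
# on every user under an OU whose security descriptor is currently protected.
# SearchBase / domain values below are placeholders.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

function Enable-ADUserAclInheritance {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Distinguished name of the OU to scan (placeholder value in the usage below).
        [Parameter(Mandatory)]
        [string]$SearchBase,

        # Also process accounts with adminCount=1. Off by default: SDProp will
        # re-apply the AdminSDHolder ACL (inheritance off) to them anyway.
        [switch]$IncludeProtected
    )

    $users = Get-ADUser -SearchBase $SearchBase -Filter * -Properties adminCount

    foreach ($user in $users) {
        # The AD: drive accepts an absolute DN, so no Set-Location is needed.
        $path = "AD:\$($user.DistinguishedName)"
        $acl  = Get-Acl -Path $path

        # AreAccessRulesProtected is the current state of the "Enable inheritance" checkbox (inverted).
        if (-not $acl.AreAccessRulesProtected) {
            Write-Verbose "$($user.SamAccountName): inheritance already enabled, nothing to do"
            continue
        }

        if ($user.adminCount -eq 1 -and -not $IncludeProtected) {
            Write-Warning "$($user.SamAccountName): adminCount=1 (AdminSDHolder protected), skipping; fix group membership instead"
            continue
        }

        if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Enable ACL inheritance')) {
            # isProtected=$false turns inheritance back on; the second argument
            # (preserveInheritance) is ignored when isProtected is $false.
            $acl.SetAccessRuleProtection($false, $true)
            Set-Acl -Path $path -AclObject $acl

            # Re-read the object so the result reflects what is now in the directory.
            [pscustomobject]@{
                SamAccountName     = $user.SamAccountName
                DistinguishedName  = $user.DistinguishedName
                InheritanceEnabled = -not (Get-Acl -Path $path).AreAccessRulesProtected
            }
        }
    }
}

# Dry run first (placeholder OU from the post), then apply with verbose output.
Enable-ADUserAclInheritance -SearchBase 'OU=AirWatchTest,OU=ExchangeUsers,DC=dex,DC=com' -WhatIf
Enable-ADUserAclInheritance -SearchBase 'OU=AirWatchTest,OU=ExchangeUsers,DC=dex,DC=com' -Verbose
```

The adminCount check is the part worth keeping even if you strip everything else: re-enabling inheritance on a member of a protected group (Domain Admins, Account Operators and so on) does not stick, and when it briefly does it widens the attack surface of a privileged account, which is exactly what AdminSDHolder exists to prevent.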

Voila, you are done!

This ticks the "Enable inheritance" checkbox for the user. It is really helpful after an Exchange migration, where this checkbox ends up cleared on some accounts and those users can no longer sync their mobile devices. One caveat before you script this across an OU: if inheritance was cleared because the account has adminCount=1 (it is, or once was, a member of a group protected by AdminSDHolder), the SDProp process will clear it again within about an hour, so the lasting fix there is to remove the unnecessary privileged group membership and reset adminCount rather than to keep re-enabling inheritance. For more reading on this refer to this blog post here: