View/Configure Protected ACL and Fixing Broken Inheritance

ACL inheritance is one of the key concepts in Active Directory delegation of control. It lets ACEs set on a parent container be inherited by its child objects, which simplifies access management considerably: permissions are managed at the container level rather than on individual leaf objects. Sometimes, however, we want to block that inheritance on particular objects. When an object's ACL is protected, inheritable ACEs set on its parents no longer propagate down to it, and only the ACEs explicitly set on the object itself take effect. This also means that any delegation granted higher up in the tree silently stops applying to a protected object, so it is worth knowing how to find such objects. The following examples show how to find out whether an ACL is protected and how to set or unset such protection:

## Get the object's DACL

PS AD:\> $acl = get-acl "OU=myou,DC=fabrikam,DC=com"

## Finding out whether an ACL is protected is very simple.

PS AD:\> $acl.AreAccessRulesProtected

## To protect the ACL, call SetAccessRuleProtection with the first parameter set to $true.
## The second parameter decides what happens to the ACEs that are already inherited:
## $true converts them to explicit ACEs on the object, $false removes them.
## In the example below we choose to convert the inherited ACEs by setting the second parameter to $true.

PS AD:\> $acl.SetAccessRuleProtection($true, $true)

## Make sure to write the ACL back to the object after the change has been made to it.

PS AD:\> set-acl -aclobject $acl "OU=myou,DC=fabrikam,DC=com"

## Once the ACL is protected, the inheritance chain is broken.

## To unprotect the ACL (i.e. to fix the broken inheritance), set the first parameter to $false.
## The second parameter is ignored in that case.

PS AD:\> $acl.SetAccessRuleProtection($false, $false)

## Always make sure to write the ACL back to the object after any change has been made to it.

PS AD:\> set-acl -aclobject $acl "OU=myou,DC=fabrikam,DC=com"
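A worked version of the steps above, added here and not part of the original post: it audits an OU subtree for objects whose DACL is protected, lists the explicit ACEs that are the only ones still applying to each of them, and re-enables inheritance on request with -WhatIf support, reading the DACL back afterwards to confirm that inherited ACEs arrived. It assumes the ActiveDirectory module is available (it mounts the AD: drive) and that the caller holds WriteDacl on the objects; the function names and the search base OU=myou,DC=fabrikam,DC=com are placeholders chosen for this example.

```powershell
# Added example, not part of the original post. Assumes the ActiveDirectory
# module (which mounts the AD: drive) and a caller holding WriteDacl on the
# targets. Function names and the search base are placeholders for this example.
Import-Module ActiveDirectory

# List every object under $SearchBase whose DACL is protected, together with
# the explicit ACEs that are the only ones still applying to it.
function Get-ProtectedAdAcl {
    param([Parameter(Mandatory)][string]$SearchBase)

    Get-ADObject -SearchBase $SearchBase -SearchScope Subtree -Filter * |
        ForEach-Object {
            $dn    = $_.DistinguishedName
            $class = $_.ObjectClass
            $acl   = Get-Acl -Path "AD:\$dn"
            if (-not $acl.AreAccessRulesProtected) { return }

            # With protection on, inherited ACEs never arrive; only explicit ones count.
            $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
            [pscustomobject]@{
                DistinguishedName = $dn
                ObjectClass       = $class
                ExplicitAceCount  = $explicit.Count
                ExplicitAces      = ($explicit | ForEach-Object {
                                        "$($_.IdentityReference)=$($_.ActiveDirectoryRights)"
                                    }) -join '; '
            }
        }
}

# Re-enable inheritance on a protected object and report what propagated down.
# Supports -WhatIf / -Confirm so the audit can be reviewed before anything changes.
function Repair-AdAclInheritance {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$DistinguishedName)

    process {
        $path = "AD:\$DistinguishedName"
        $acl  = Get-Acl -Path $path
        if (-not $acl.AreAccessRulesProtected) { return }

        # Objects flagged adminCount=1 get their DACL re-stamped from AdminSDHolder
        # by the SDProp process, so unprotecting them does not stick.
        $obj = Get-ADObject -Identity $DistinguishedName -Properties adminCount
        if ($obj.adminCount -eq 1) {
            Write-Warning "$DistinguishedName has adminCount=1; SDProp will re-protect it."
        }

        if ($PSCmdlet.ShouldProcess($DistinguishedName, 'Re-enable ACL inheritance')) {
            # First argument $false unprotects; the second is ignored when unprotecting.
            $acl.SetAccessRuleProtection($false, $false)
            Set-Acl -Path $path -AclObject $acl

            # Read the DACL back rather than trusting the in-memory copy.
            $after = Get-Acl -Path $path
            [pscustomobject]@{
                DistinguishedName = $DistinguishedName
                Protected         = $after.AreAccessRulesProtected
                InheritedAceCount = @($after.Access | Where-Object { $_.IsInherited }).Count
            }
        }
    }
}

# Usage:
#   Get-ProtectedAdAcl -SearchBase 'OU=myou,DC=fabrikam,DC=com' | Format-Table -AutoSize
#   Get-ProtectedAdAcl -SearchBase 'OU=myou,DC=fabrikam,DC=com' |
#       Repair-AdAclInheritance -WhatIf
```

Run the audit first and review the ExplicitAces column: a protected object whose explicit ACEs grant less than the parent delegation intended is exactly the case where "fixing" inheritance widens access, so the -WhatIf pass is there to be read, not skipped. An InheritedAceCount of 0 after the repair usually means the parents carry no inheritable ACEs that apply to that object class, which is worth checking before assuming the repair did nothing.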

Thanks,

David

Comments

  • Anonymous
    August 08, 2012
    The comment has been removed
  • Anonymous
    August 12, 2013
    Should be:$acl.SetAccessRuleProtection($false, $true);