Looking for a quick script to check whether your Active Directory users have the “Include inheritable permissions from this object’s parent” box checked? Here is a .vbs script that you can copy and paste. It lists each user for which inheritance is disabled. Just change the domain information at the top:

StartSearchingFrom = "OU=Company Users,dc=domain,dc=local"

If you want to send the results to a text file instead of having them pop up on your screen, redirect the output with the “>” sign. Remember to run the script from a command prompt.


cscript script.vbs > results.txt

Here is the script:


' DN of the OU to search
StartSearchingFrom = "OU=Company Users,dc=domain,dc=local"

' Control flag that is set when the DACL is protected from inheritance.
' Without this definition the test below always evaluates to 0.
Const SE_DACL_PROTECTED = &H1000

Set rootDSE = GetObject("LDAP://RootDSE")
Set conn = CreateObject("ADODB.Connection")
conn.Provider = "ADSDSOObject"
conn.Open "ADs Provider"

' All user objects under the OU, including child OUs
ldapStr = "<LDAP://" & StartSearchingFrom & ">;(&(objectCategory=person)(objectClass=user));adspath;subtree"

Set rs = conn.Execute(ldapStr)

On Error Resume Next
While Not rs.EOF

   Set objUser = GetObject(rs.Fields(0).Value)

   Set objNtSecurityDescriptor = objUser.Get("ntSecurityDescriptor")
   intNtSecurityDescriptorControl = objNtSecurityDescriptor.Control

   strMessage = "Allow inheritable permissions from the parent to " & _
     "propagate to this object and all child objects "

   ' Report only the users whose DACL does not inherit from the parent
   If (intNtSecurityDescriptorControl And SE_DACL_PROTECTED) Then
     WScript.Echo objUser.cn, "Permissions Tab" & vbNewline _
     & strMessage & "is disabled." & vbNewline

   End If

   ' Advance to the next user; without this the loop never ends
   rs.MoveNext
Wend

conn.Close
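
What the `Control And SE_DACL_PROTECTED` test checks, shown on the raw bytes of the ntSecurityDescriptor attribute. This is an added example in Python, not part of the original script; the function names are hypothetical and the sample DNs and descriptor headers are constructed. Unlike a loop running under `On Error Resume Next`, it lists descriptors it could not read separately instead of skipping them silently.

```python
import struct

# Security descriptor control bits (values from winnt.h).
SE_DACL_PROTECTED = 0x1000  # the bit the script tests: inheritance is blocked
SE_SELF_RELATIVE = 0x8000   # set on descriptors stored in the directory


def read_control(sd: bytes) -> int:
    """Return the 16-bit Control field of a self-relative security descriptor."""
    if len(sd) < 20:
        raise ValueError("header is 20 bytes, got %d" % len(sd))
    revision, _sbz1, control = struct.unpack_from("<BBH", sd, 0)
    if revision != 1:
        raise ValueError("unexpected revision %d" % revision)
    if not control & SE_SELF_RELATIVE:
        raise ValueError("descriptor is not self-relative")
    return control


def report(entries):
    """Split (dn, raw_sd) pairs into inheritance-disabled DNs and unreadable ones."""
    flagged, unreadable = [], []
    for dn, sd in entries:
        try:
            if read_control(sd) & SE_DACL_PROTECTED:
                flagged.append(dn)
        except ValueError as exc:
            # Keep failures visible instead of treating them as "inheritance on".
            unreadable.append((dn, str(exc)))
    return flagged, unreadable


def sample_header(control: int) -> bytes:
    """Constructed 20-byte header: revision, Sbz1, Control, four zero offsets."""
    return struct.pack("<BBHIIII", 1, 0, control | SE_SELF_RELATIVE, 0, 0, 0, 0)


# Constructed sample data, not real directory output.
SAMPLE = [
    ("CN=Alice,OU=Company Users,DC=domain,DC=local", sample_header(0x0404)),
    ("CN=Bob,OU=Company Users,DC=domain,DC=local", sample_header(0x1404)),
    ("CN=Carol,OU=Company Users,DC=domain,DC=local", b"\x01\x00"),
]

if __name__ == "__main__":
    flagged, unreadable = report(SAMPLE)
    for dn in flagged:
        print("inheritance disabled:", dn)
    for dn, why in unreadable:
        print("could not check:", dn, "-", why)
```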