As mentioned before I’m not a programmer, so the information in the next few posts may not be 100%. What I will pass on is what I have found in my experience, and any external links to valid sources that may help provide more detail. With this in mind if you find any inaccuracies, or just have more information to add please feel free to let me know …. :)
There are three types of permissions in regards to Active Directory security: Standard Rights, Extended Rights, and Control Access Rights. We’ve covered Standard Rights in a recent post, and in building up to the remaining two we’ll take a look at Inheritance and Propagation.
Active Directory uses a different method from NTFS, but the concept is the same. Where NTFS needs two flags (inheritance and propagation), AD uses a single one: ActiveDirectorySecurityInheritance.
For example, in NTFS you may have used:

```powershell
$inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit"
$propagation = [System.Security.AccessControl.PropagationFlags]"InheritOnly"
```

In Active Directory the same result would be achieved by:

```powershell
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]"Descendents"
```
An article that explains this subject well can be found on MSDN here; see in particular the paragraph on inheritance and figure 5.
If we want to stop permissions being inherited from the parent Organizational Unit or container, we can use the SetAccessRuleProtection method. The syntax for it is available here.
And a simple example:
```powershell
$root = [adsi]""
$test = [adsi]("LDAP://ou=Test ou," + $root.distinguishedName)
# SetAccessRuleProtection([bool]IsProtected, [bool]PreserveInheritance)
# The second option decides whether the inherited ACEs are copied, or dropped.
$test.psbase.ObjectSecurity.SetAccessRuleProtection($true, $true)
$test.psbase.CommitChanges()   # write the modified DACL back to the directory
```
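As an added example (not code from the original post), the following audits an OU's DACL for blocked inheritance and counts inherited versus explicit ACEs, and shows how an ACE with the "Descendents" inheritance value is constructed. It assumes a domain-joined host, an OU named "Test ou" at the domain root, and a placeholder identity "DOMAIN\Helpdesk".

```powershell
# Added example: report inheritance state of an OU and build a descendants-only ACE.
function Get-OuInheritanceReport {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $ou  = [adsi]("LDAP://" + $DistinguishedName)
    $sec = $ou.psbase.ObjectSecurity            # ActiveDirectorySecurity object for the OU

    # Explicit and inherited rules, identities resolved to DOMAIN\Name form
    $rules = $sec.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

    [pscustomobject]@{
        DistinguishedName  = $DistinguishedName
        # $true once SetAccessRuleProtection($true, ...) has been applied to this object
        InheritanceBlocked = $sec.AreAccessRulesProtected
        ExplicitAceCount   = @($rules | Where-Object { -not $_.IsInherited }).Count
        InheritedAceCount  = @($rules | Where-Object { $_.IsInherited }).Count
        # Principals with explicit ACEs are the ones worth reviewing on a protected OU
        ExplicitIdentities = @($rules | Where-Object { -not $_.IsInherited } |
                               Select-Object -ExpandProperty IdentityReference -Unique)
    }
}

# Build (but do not apply) an Allow/GenericRead ACE that flows to descendants only,
# the AD equivalent of NTFS ContainerInherit + InheritOnly.
function New-DescendantsReadAce {
    param([Parameter(Mandatory)][string]$Identity)   # placeholder, e.g. "DOMAIN\Helpdesk"

    $account = New-Object System.Security.Principal.NTAccount($Identity)
    $sid     = $account.Translate([System.Security.Principal.SecurityIdentifier])
    $rights  = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
    $type    = [System.Security.AccessControl.AccessControlType]::Allow
    $inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $rights, $type, $inherit)
}

$root   = [adsi]""
$report = Get-OuInheritanceReport -DistinguishedName ("ou=Test ou," + $root.distinguishedName)
$report | Format-List

$ace = New-DescendantsReadAce -Identity "DOMAIN\Helpdesk"
$ace | Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, AccessControlType
```

To apply the ACE you would call `$test.psbase.ObjectSecurity.AddAccessRule($ace)` followed by `CommitChanges()`, exactly as with SetAccessRuleProtection above.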
In the next post we'll build a couple of useful functions for retrieving the data needed for Extended Rights and Control Access Rights.