Finding AD Users that break inheritance

In Active Directory, the permissions on individual user objects can break inheritance. A user's security descriptor can be changed so that it no longer inherits permissions from the OU (organizational unit) the user belongs to. In cases like these, permission issues become confusing and difficult to track down.

To find them across your whole Active Directory, a simple PowerShell command can be run:

Get-ADUser -Filter 'enabled -eq $true' -Properties ntSecurityDescriptor |  Where-Object { $_.ntSecurityDescriptor.AreAccessRulesProtected }
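The one-liner above tells you who has inheritance blocked, but not much else. The following script is an added example (not code from the original post): it reports each enabled user whose ACL is protected, counts the explicit ACEs that replaced the inherited set, and offers a second function that re-enables inheritance on a chosen account. It assumes the ActiveDirectory RSAT module and its `AD:` drive; the `-SearchBase` parameter is an assumption you can point at a specific OU.

```powershell
# Added example: find enabled users whose ACL blocks inheritance, and optionally restore it.
# Assumes the ActiveDirectory module (RSAT), which also provides the AD: PSDrive.
Import-Module ActiveDirectory

function Get-ProtectedAdUser {
    param(
        # Defaults to the whole domain; pass an OU DN to narrow the search (assumed parameter)
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    Get-ADUser -Filter 'enabled -eq $true' -SearchBase $SearchBase `
        -Properties ntSecurityDescriptor, adminCount, whenChanged |
        Where-Object { $_.ntSecurityDescriptor.AreAccessRulesProtected } |
        ForEach-Object {
            # With inheritance blocked, only explicit (non-inherited) ACEs remain on the object
            $explicit = @($_.ntSecurityDescriptor.Access | Where-Object { -not $_.IsInherited })
            [pscustomobject]@{
                SamAccountName    = $_.SamAccountName
                DistinguishedName = $_.DistinguishedName
                # adminCount = 1 means the account is covered by AdminSDHolder, which
                # deliberately blocks inheritance; those hits are expected, the rest need a look
                AdminCount        = $_.adminCount
                ExplicitAceCount  = $explicit.Count
                WhenChanged       = $_.whenChanged
            }
        }
}

function Restore-AdUserInheritance {
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$DistinguishedName
    )
    process {
        $acl = Get-Acl -Path "AD:\$DistinguishedName"
        # isProtected = $false re-enables inheritance from the OU;
        # preserveInheritance = $true keeps the existing explicit ACEs in place
        $acl.SetAccessRuleProtection($false, $true)
        # -WhatIf shows the change without applying it; drop it once the list has been reviewed
        Set-Acl -Path "AD:\$DistinguishedName" -AclObject $acl -WhatIf
    }
}

# Report non-AdminSDHolder accounts first, since those are the unexplained ones
Get-ProtectedAdUser |
    Where-Object { $_.AdminCount -ne 1 } |
    Sort-Object WhenChanged -Descending |
    Format-Table SamAccountName, ExplicitAceCount, WhenChanged, DistinguishedName -AutoSize
```

To fix a single account after review, pipe its DN into `Restore-AdUserInheritance` and remove `-WhatIf` once the preview looks right.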
