You can use dsacls with the /T switch to restore the ACL back to default.
C:\dsacls /?
Displays or modifies permissions (ACLS) of an Active Directory (AD)
Object
DSACLS object [/I:TSP] [/N] [/P:YN] [/G <group/user>:<perms> [...]]
[/R <group/user> [...]] [/D <group/user>:<perms> [...]]
[/S] [/T] [/A]
/T Restore the security on the tree of objects to the
default for the object class.
This switch is valid only with the /S option.
On 10/26/06, Steve Evans <[EMAIL PROTECTED]> wrote:
Because of something called FERPA (Federal Student Privacy Act) I had
written a script that goes through our Students OU and removes the ACE for
Authenticated Users. This prevented the students' private information from
being viewable by non-admin staff.
Now I have been given a better view for our identity system to use that
includes a FERPA flag. So instead of treating all 20,000 students as FERPA
(and having to remove the AuthUser ACE) I only need to treat those that have
asked for FERPA protection (about 3% of the student body).
So I need to go back through all the student accounts and restore the Auth
User ACE and only remove it from the FERPA students (which I've separated
into a sub-OU of students).
I tried to do this with .Net but had some difficulties. Anyone have a good
quick way to do this?
Steve Evans
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
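
An added example, not part of the original thread: a PowerShell sketch that applies the dsacls /S reset per account so the FERPA sub-OU is left untouched (running /S /T on the Students OU itself would reset that sub-OU as well). It assumes the ActiveDirectory RSAT module is installed; the OU distinguished names and the failure log file name are placeholders.

```powershell
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    # Placeholder DNs (assumptions): substitute the real OUs.
    [string]$StudentsOU = 'OU=Students,DC=example,DC=edu',
    [string]$FerpaOU    = 'OU=FERPA,OU=Students,DC=example,DC=edu'
)

# Enumerate user objects under Students, then drop anything inside the FERPA
# sub-OU. "dsacls <StudentsOU> /S /T" would walk the whole tree, FERPA included.
$suffix  = ',' + $FerpaOU
$targets = @(Get-ADUser -Filter * -SearchBase $StudentsOU -SearchScope Subtree |
    Where-Object {
        -not $_.DistinguishedName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)
    })

$failed = [System.Collections.Generic.List[string]]::new()
foreach ($user in $targets) {
    $dn = $user.DistinguishedName
    if ($PSCmdlet.ShouldProcess($dn, 'dsacls /S (reset ACL to class default)')) {
        # /S without /T resets this one object only.
        $output = & dsacls.exe $dn /S 2>&1
        # Assumption: dsacls signals failure with a non-zero exit code;
        # confirm this on a single test account before the full run.
        if ($LASTEXITCODE -ne 0) {
            $failed.Add($dn)
            Write-Warning "dsacls failed for ${dn}: $output"
        }
    }
}

Write-Host ("Selected {0} accounts, {1} failures." -f $targets.Count, $failed.Count)
if ($failed.Count -gt 0) {
    # Keep the DNs that need a retry (file name is a placeholder).
    $failed | Set-Content -Path .\dsacls-failures.txt
}
```

Run it with -WhatIf first to review the list of accounts that would be reset. /S replaces the whole ACL with the object class default, so any other custom ACEs on those accounts are removed along with the FERPA change.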