ACL : Inheritance issues on user account objects

If you are using an Active Directory domain or ADDS domain, when you create users they are classed as an object, however, certain scenarios can arise where you’re unable to write to these objects due to a limited ACL permissions group.

User Objects

If you look at a User object and you click on the security tab, you will notice there will be a list of groups users, and system objects listed at the top and then the access control attributes at the bottom.

When you find the security tab, Click on the advanced option at the bottom Right when this panel load you will notice in the bottom left of that panel. There will be a button that should say “Disable inheritance”


If you are reading this particular post game, that button will say “enable inheritance” - if it does, that means any custom permissions, you have assigned will not be applied to this particular user object, as you can see below:

Note : This usually means in a standard configuration if you’re not a domain administrator or an enterprise administrator, you will be unable to edit that object because all the options will be greyed out, particularly options around the account tab and if you try to reset the password, you will receive an access denied error.



Obviously, the solution to this is not to make everyone a domain admin, but to fix this particular problem you will need to reenable the inheritance option for those users, this particular scenario usually arises because the attribute “AdminCount” will be flagged as “1”

I you wish to check this open up the user account in ADDS and choose the "attributes" tab as below, you will see the adminCount a couple of attributes down:



If you do not see the attributes tab it’s because you’ve searched for an object and you need to browse to the logical location of the object, if you would rather search for the object, you will need to use ADAC, from here find the user in the global search, open up that account and choose extensions, then the attribute editor:


Why the AdminCount?

The adminCount attribute is found on user objects in Active Directory. This is a very simple attribute. If the value is <not set> or 0 then the user is not protected by the SD Propagation. If the value of adminCount is set to 1 that means the user has, or has been a member of a protected group.


The SD Propagator is a process that runs on a schedule on the PDC emulator to find members of protected groups and ensure the appropriate Access Control List (ACL) is present. The SD Propagator runs every hour by default

Easy powershell reset?

If you wish to set this value back to <not set> You can quite easily run this command:

Set-ADUser <user identity> -Clear AdminCount

No, not at all - options drama 

Unfortunately, not at all, Nothing is that simple because when you perform this operation using zero scripts, you have to choose an option as per the dialogue box below:


If you have lots of users that need this setting, you would have to find a way to sequentially select the right option for this dialogue - this dialogue will be present for every user that does not have inheritance enabled.

The Query - for affected users

This will confirm which users are affected in the search scope of your query, this will return the UPN:

$users = Get-ADUser -SearchBase "<base_ou_dn>" -Filter {AdminCount -eq 1}

The Fix 

If you come across this particular problem, and you wish to reset this back to what it was, which should be <not set> You can use the following script below courtesy of Microsoft and Google:

Note : All you need to do is update the base_ou_dn with the root of where your users are in your domain 

Import-Module ActiveDirectory

Function Set-Inheritance {
param($ObjectPath)
$ACL = Get-ACL -path "AD:\$ObjectPath"
If ($acl.AreAccessRulesProtected){
$ACL.SetAccessRuleProtection($False, $True)
Set-ACL -AclObject $ACL -path "AD:\$ObjectPath"
Write-Host "MODIFIED "$ObjectPath
} #End IF
} #End Function Set-Inheritance

#Find user with AdminCount set to 1
$users = get-aduser -SearchBase "<base_ou_dn>" -Filter {AdminCount -eq 1}
#Enable inheritance flag for each user
$users | foreach {Set-Inheritance $_.distinguishedname}


Previous Post Next Post

Ω†Ω…ΩˆΨ°Ψ¬ Ψ§Ω„Ψ§ΨͺΨ΅Ψ§Ω„