ACL : Inheritance issues on user account objects

In an Active Directory Domain Services (AD DS) domain, every user you create is stored as a directory object. Certain scenarios can arise where you are unable to write to some of these objects, even though you are a member of a group that has been delegated permissions over the OU they sit in.

User Objects

If you open a user object and click on the Security tab, you will see a list of groups, users and well-known security principals at the top, and the permissions granted to the selected entry at the bottom.

On the Security tab, click the Advanced button at the bottom right. When the Advanced Security Settings panel loads, look at the bottom left: there will be a button that should say "Disable inheritance".


If you are reading this post because of the problem described above, that button will instead say "Enable inheritance". If it does, inheritance is disabled on this object, and any permissions you have delegated on the parent OU are not applied to this particular user object, as you can see below:

Note : In a standard configuration this means that, unless you are a Domain Admin or an Enterprise Admin, you will be unable to edit that object. The options will be greyed out, particularly those on the Account tab, and if you try to reset the password you will receive an access denied error.



Obviously, the solution is not to make everyone a domain admin. To fix this problem you need to re-enable inheritance on the affected users. The scenario usually arises because the attribute "adminCount" on the object is set to "1": the account is, or once was, a member of a protected group, and the protection process has replaced its ACL with the one held on the AdminSDHolder object and switched inheritance off.

If you wish to check this, open the user account in Active Directory Users and Computers (with View > Advanced Features enabled) and choose the "Attribute Editor" tab as below; you will see adminCount a couple of attributes down:



If you do not see the Attribute Editor tab, it is because you reached the object through a search; the tab is only shown when you browse to the object's location in the tree. If you would rather search for the object, use the Active Directory Administrative Center (ADAC): find the user in the global search, open the account, choose Extensions, then the Attribute Editor:


Why the AdminCount?

The adminCount attribute is found on user (and group) objects in Active Directory. It is a very simple attribute. If the value is <not set> or 0, the object is not being treated as protected by SD Propagation. If adminCount is set to 1, the user is, or has at some point been, a member of a protected group. The important word is "has been": when a user is removed from a protected group, nothing resets adminCount or re-enables inheritance on the object, which is how you end up with the orphaned, locked-down accounts this post is about.


The SD Propagator (SDProp) is a process that runs on a schedule on the domain controller holding the PDC emulator role. It finds the members of the protected groups and ensures the Access Control List (ACL) defined on CN=AdminSDHolder,CN=System,<domain> is present on each of them, with inheritance disabled. SDProp runs every 60 minutes by default, so if you re-enable inheritance on an account that is still a member of a protected group, the change will be undone within the hour.
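To see what SDProp has actually done to an account, compare the user's DACL with the one on AdminSDHolder. The following is an added example, not code from the original post; it assumes the ActiveDirectory PowerShell module (and its AD: drive) and uses the sAMAccountName 'jdoe' purely as a placeholder.

```powershell
# Added example: show whether a user's ACL is the AdminSDHolder ACL stamped by SDProp.
# Assumes the RSAT ActiveDirectory module; 'jdoe' below is a placeholder account name.
Import-Module ActiveDirectory

function Compare-WithAdminSDHolder {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $domainDn = (Get-ADDomain).DistinguishedName
    $holder   = Get-Acl -Path "AD:\CN=AdminSDHolder,CN=System,$domainDn"

    $user = Get-ADUser -Identity $SamAccountName -Properties adminCount
    $acl  = Get-Acl -Path "AD:\$($user.DistinguishedName)"

    # SDProp does not make the object inherit from AdminSDHolder; it copies the
    # holder's DACL onto the object and sets the protected (no inheritance) flag,
    # so a stamped object has identical DACL SDDL and zero inherited ACEs.
    $holderDacl = $holder.GetSecurityDescriptorSddlForm('Access')
    $userDacl   = $acl.GetSecurityDescriptorSddlForm('Access')

    [pscustomobject]@{
        User                 = $user.SamAccountName
        AdminCount           = $user.adminCount
        InheritanceDisabled  = $acl.AreAccessRulesProtected
        InheritedAceCount    = @($acl.Access | Where-Object IsInherited).Count
        MatchesAdminSDHolder = ($userDacl -eq $holderDacl)
    }
}

Compare-WithAdminSDHolder -SamAccountName 'jdoe' | Format-List
```

A healthy delegated account shows InheritanceDisabled = False, a non-zero InheritedAceCount and MatchesAdminSDHolder = False. An account that SDProp has stamped shows the opposite on all three, whether or not it is still in a protected group today; a DACL that no longer matches but is still protected usually means a Domain Admin has hand-edited the object since it was stamped.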

Easy PowerShell reset?

If you wish to set this value back to <not set>, you can quite easily run this command:

Set-ADUser <user identity> -Clear AdminCount

No, not at all - options drama 

Unfortunately, nothing is that simple. Clearing adminCount only resets the attribute; it does nothing to the object's ACL, so inheritance stays disabled and the account remains uneditable. When you re-enable inheritance through the GUI rather than a script, you also have to choose an option in the dialogue box below:


If you have lots of users with this setting, you would have to click through the right option in this dialogue for every single one of them, because it appears for every user that does not have inheritance enabled.

The Query - for affected users

This will confirm which users are affected within the search scope of your query and list them by UPN:

$users = Get-ADUser -SearchBase "<base_ou_dn>" -Filter {AdminCount -eq 1}
$users | Select-Object Name, UserPrincipalName, DistinguishedName

The Fix 

If you come across this particular problem and you wish to reset the affected users back to how they should be, with inheritance enabled, you can use the following script, courtesy of Microsoft and Google:

Note : All you need to do is replace <base_ou_dn> with the distinguished name of the OU that holds your users.

Import-Module ActiveDirectory

# Re-enable ACL inheritance on a single AD object, identified by its distinguished name.
Function Set-Inheritance {
    param($ObjectPath)
    $ACL = Get-ACL -Path "AD:\$ObjectPath"
    # AreAccessRulesProtected is $True when inheritance is disabled on the object.
    If ($ACL.AreAccessRulesProtected) {
        # $False = stop protecting (inherit from the parent again).
        # The second argument only matters when disabling inheritance.
        $ACL.SetAccessRuleProtection($False, $True)
        Set-ACL -AclObject $ACL -Path "AD:\$ObjectPath"
        Write-Host "MODIFIED $ObjectPath"
    } #End If
} #End Function Set-Inheritance

# Find users with AdminCount set to 1
$users = Get-ADUser -SearchBase "<base_ou_dn>" -Filter {AdminCount -eq 1}
# Enable the inheritance flag for each user
$users | ForEach-Object { Set-Inheritance $_.DistinguishedName }
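The script above will also "fix" accounts that are still legitimately members of a protected group, only for SDProp to stamp them again within the hour, and it leaves adminCount set to 1 so the same users show up in the next search. The following is an added example, not the original post's script, of the same fix with those two gaps closed: it checks nested protected-group membership first, clears adminCount as well, and supports -WhatIf. It assumes the ActiveDirectory module, and '<base_ou_dn>' is the same placeholder the post uses.

```powershell
# Added example (not from the original post): remediate orphaned adminCount=1 users safely.
# Assumes the RSAT ActiveDirectory module; '<base_ou_dn>' is a placeholder to replace.
Import-Module ActiveDirectory

# Returns the protected groups (adminCount=1) the object belongs to, directly or nested.
# The 1.2.840.113556.1.4.1941 matching rule (LDAP_MATCHING_RULE_IN_CHAIN) walks nesting
# server-side, so a user in a group that sits inside Domain Admins is still caught.
function Get-ProtectedGroupMembership {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Escape the DN for use inside an LDAP filter (RFC 4515); backslash first.
    $escaped = $DistinguishedName -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
    Get-ADGroup -LDAPFilter "(&(adminCount=1)(member:1.2.840.113556.1.4.1941:=$escaped))"
}

function Repair-OrphanedAdminCount {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$SearchBase)

    $users = Get-ADUser -SearchBase $SearchBase -Filter 'adminCount -eq 1' -Properties adminCount

    foreach ($user in $users) {
        $dn    = $user.DistinguishedName
        $still = @(Get-ProtectedGroupMembership -DistinguishedName $dn)

        if ($still.Count -gt 0) {
            # SDProp would re-stamp this object on its next run; changing it is pointless.
            Write-Warning "$($user.SamAccountName) is still in protected group(s): $($still.Name -join ', ') - skipped"
            continue
        }

        $acl = Get-Acl -Path "AD:\$dn"
        if ($acl.AreAccessRulesProtected -and $PSCmdlet.ShouldProcess($dn, 'Enable inheritance')) {
            # $false = inherit from the parent again; the second argument is ignored when enabling.
            $acl.SetAccessRuleProtection($false, $true)
            Set-Acl -Path "AD:\$dn" -AclObject $acl
        }

        # Clearing the attribute alone does not fix the ACL, but leaving it set means the
        # account keeps matching adminCount=1 searches after it has been repaired.
        if ($PSCmdlet.ShouldProcess($dn, 'Clear adminCount')) {
            Set-ADUser -Identity $user -Clear adminCount
        }

        [pscustomobject]@{
            User               = $user.SamAccountName
            InheritanceEnabled = -not (Get-Acl -Path "AD:\$dn").AreAccessRulesProtected
        }
    }
}

# Dry run first, then for real once the list of skipped accounts looks right.
Repair-OrphanedAdminCount -SearchBase '<base_ou_dn>' -WhatIf
# Repair-OrphanedAdminCount -SearchBase '<base_ou_dn>'
```

Scope the SearchBase to the OUs that hold ordinary user accounts rather than the whole domain: built-in accounts such as krbtgt are protected in their own right and must keep the AdminSDHolder ACL.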

