Resetting Inheritiance on an Ex Admin account – or why can’t I manage this user?

I recently blogged how to use an ARS to reset inheritance on an admin user. I just realised it might be worth posting the powershell commands to do it too rather than the specific ARS solution. After removing the user from the protected AD group ( otherwise your wasting your time ) run the following commands:

To reset the admincount ( this is the flag that AD sets so it knows it needs to protect the account )
$userDN = “CN=admin-user,OU=Admin Accounts,DC=AD,DC=COM”
Set-QADUser -Identity $userDN -ObjectAttributes @{admincount=0}

Then to reset inheritance if required use this line:
Set-QADObjectSecurity -Identity $userDN -UnlockInheritance

You could check if inheritance is disabled like this:
$user = Get-QADUser -Identity $userDN
if ( $user.Security.PermissionInheritanceLocked ) {
Set-QADObjectSecurity -Identity $userDN -UnlockInheritance


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.