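#Requires -Modules ActiveDirectory
<#
.SYNOPSIS
    Clears the adminCount attribute and re-enables ACL inheritance on the AD users listed in a CSV.

.DESCRIPTION
    Reads usernames (one per line, header line "Username") from $CSVFilePath. For each user whose
    ntSecurityDescriptor has inheritance disabled (AreAccessRulesProtected) or whose adminCount is
    set to a value greater than 0, the script disables access-rule protection (keeping the
    previously inherited ACEs) and clears adminCount. Accounts that need no change are only
    reported, not written.

    Each account's pre-change state (Name, SamAccountName, adminCount, AreAccessRulesProtected)
    is emitted to the pipeline so the run can be reviewed or captured.

    NOTE: SDProp re-applies the AdminSDHolder descriptor (and sets adminCount) to any account that
    is still a member of a protected group, so such memberships must be removed first or the
    change made here is reverted on the next SDProp cycle.
#>
$ErrorActionPreference = "Stop"

# Put usernames one-per-line in a text (CSV) file with header first-line: Username
# Set this to the path of your input csv file.
$CSVFilePath = "c:\temp\TroubleUsers.csv"

$users = Import-Csv -Path $CSVFilePath | Sort-Object -Property Username

# Calculated column exposing the inheritance flag from the security descriptor.
$protectedColumn = @{
    Name       = "AreAccessRulesProtected"
    Expression = { $_.ntSecurityDescriptor.AreAccessRulesProtected }
}

foreach ($user in $users) {
    # A blank row, or a CSV without a "Username" header, yields $null here; skip it instead of
    # handing an empty identity to Get-ADUser.
    if ([string]::IsNullOrWhiteSpace($user.Username)) {
        Write-Warning "Skipping CSV row with an empty Username."
        continue
    }

    $aduser = Get-ADUser -Identity $user.Username -Properties ntSecurityDescriptor, adminCount

    # Report the state before any change is applied.
    $aduser | Select-Object Name, SamAccountName, adminCount, $protectedColumn

    $inheritanceBlocked = $aduser.ntSecurityDescriptor.AreAccessRulesProtected
    # $null on the left of -ne so the comparison is a scalar test rather than an array filter.
    $adminCountSet = ($null -ne $aduser.adminCount) -and ($aduser.adminCount -gt 0)

    if ($inheritanceBlocked -or $adminCountSet) {
        # SetAccessRuleProtection(isProtected, preserveInheritance):
        #   $false re-enables inheritance, $true keeps the ACEs that were inherited before
        #   protection was turned on instead of discarding them.
        $aduser.ntSecurityDescriptor.SetAccessRuleProtection($false, $true)

        # The modified descriptor only exists in memory until it is written back with -Replace;
        # -Clear removes adminCount in the same write.
        Set-ADUser -Identity $aduser `
            -Replace @{ ntSecurityDescriptor = $aduser.ntSecurityDescriptor } `
            -Clear "adminCount" `
            -Verbose
    }
}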