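'enableperminheritance.vbs
'
' Re-enables permissions (DACL) inheritance on every user object found
' under the target OU, by clearing the SE_DACL_PROTECTED bit in the
' Control word of each user's nTSecurityDescriptor.
'
' NOTE(review): accounts protected by AdminSDHolder (adminCount=1) have
' inheritance disabled on purpose. SDProp re-applies the AdminSDHolder
' ACL to them periodically and will undo this change; until it does,
' those accounts inherit whatever is delegated on the OU. Check the
' target OU for such accounts before running, or exclude them by adding
' (!(adminCount=1)) to strUsrFil.

'Set strOUpath variable to match the
'target OU in your domain
strOUpath = "ou=test,dc=bg,dc=net"

' SE_DACL_PROTECTED is bit &H1000 of the security descriptor control
' word. While it is set, the DACL is protected from inherited ACEs;
' clearing it enables inheritance. The value must be the real bit mask:
' with 0 here, "Control And 0" wiped every control flag instead of one.
Const SE_DACL_PROTECTED = &H1000

'Connect to OU in Active Directory
Set objConn = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConn

strUsrFil = "(&(objectCategory=person)(objectClass=user))"

' ADSI LDAP dialect: <base>;filter;attributes;scope.
' The search base has to be the bracketed ADsPath of the OU. The
' distinguishedName is requested so that each user can be bound exactly:
' the search is a subtree search, so users may live in child OUs, and a
' user's cn is not guaranteed to equal its sAMAccountName.
objCommand.CommandText = "<LDAP://" & strOUpath & ">;" & strUsrFil & _
    ";distinguishedName;subtree"
objCommand.Properties("Page Size") = 100
objCommand.Properties("Timeout") = 30
objCommand.Properties("Cache Results") = False
Set objUserRecords = objCommand.Execute

intUserCount = 0 'user object counter

' Enable Permissions inheritance for each user
Do Until objUserRecords.EOF
    strUserDN = objUserRecords.Fields("distinguishedName").Value

    ' A forward slash inside a DN must be escaped in an ADsPath,
    ' otherwise the provider treats it as a path separator.
    Set objUser = GetObject("LDAP://" & Replace(strUserDN, "/", "\/"))

    Set objNTSec = objUser.Get("nTSecurityDescriptor")

    ' Clear only the "protected" bit and keep every other control flag.
    intNTSecDes = objNTSec.Control
    intNTSecDes = intNTSecDes And (Not SE_DACL_PROTECTED)
    objNTSec.Control = intNTSecDes

    objUser.Put "nTSecurityDescriptor", objNTSec
    objUser.SetInfo

    ' Count the user only after the write has been committed.
    intUserCount = intUserCount + 1
    objUserRecords.MoveNext
Loop

objUserRecords.Close
objConn.Close

' Output the number of records changed
' Note that the permissions inheritance flag is
' set on all users in the OU, regardless of whether
' or not it was already set.
WScript.Echo "Enabled Permissions Inheritance for " & _
    intUserCount & " users in the OU " & strOUpath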