I have an OU in AD, which has delegated permissions assigned to it.
Is there any way/tool to export delegated permissions (or just all security permissions) for an OU and then apply the very same permissions to another OU in the AD structure?
Export seems to be easier: DSACLS.exe can do this.
But how do I import/apply/restore exported permissions to another OU in AD?
Best Answer
The solution seems to be found and it actually worked on a test Windows Server 2012 R2 DC.
The main idea is to use the LDIFDE tool to export the security descriptor of the source OU, modify it, and then re-apply it to another one.
E.g., export the OU's ntSecurityDescriptor:
You will get something like this:
Modify it by changing the destination OU and the changetype method, and by adding a dash at the end of the file:
Once this is done, import the modified ntSecurityDescriptor:
P.S. This is based on info here.
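
The export, edit and import steps from the answer above, scripted as an added example (not the answerer's own commands). The OU distinguished names and the working folder are placeholders, and the script assumes ASCII-only DNs; it saves the target OU's current descriptor first, because the import replaces the whole descriptor rather than merging entries.

```powershell
# Added example. DNs and folder below are placeholders (assumptions).
$SourceOU = 'OU=Source,DC=example,DC=com'
$TargetOU = 'OU=Target,DC=example,DC=com'
$WorkDir  = 'C:\Temp\ou-acl'

function Export-OuSd([string]$Dn, [string]$Path) {
    # -p base: the OU object only; -l: export just this one attribute
    & ldifde.exe -f $Path -d $Dn -p base -l ntSecurityDescriptor | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "ldifde export failed for $Dn" }
}

function Convert-SdLdif([string]$InPath, [string]$OutPath, [string]$NewDn) {
    $out = New-Object 'System.Collections.Generic.List[string]'
    $inOldDn = $false; $hasSd = $false
    foreach ($line in Get-Content -LiteralPath $InPath) {
        $folded = $line.StartsWith(' ')          # LDIF continuation line
        if ($folded -and $inOldDn) { continue }  # rest of a wrapped source dn
        $inOldDn = $false
        if ($line -match '^dn::?\s') {
            $out.Add("dn: $NewDn"); $inOldDn = $true
        } elseif ($line -match '^changetype:') {
            $out.Add('changetype: modify')
            $out.Add('replace: nTSecurityDescriptor')
        } elseif ($line -match '^nTSecurityDescriptor::') {
            $out.Add($line); $hasSd = $true
        } elseif ($folded) {
            $out.Add($line)                      # wrapped base64 of the descriptor
        }                                        # anything else (blank lines) is dropped
    }
    if (-not $hasSd) { throw "no nTSecurityDescriptor value in $InPath" }
    $out.Add('-'); $out.Add('')                  # the dash that ends the replace block
    Set-Content -LiteralPath $OutPath -Value $out -Encoding ASCII
}

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$src = Join-Path $WorkDir 'source-sd.ldf'
$bak = Join-Path $WorkDir 'target-sd-backup.ldf'
$new = Join-Path $WorkDir 'target-sd-import.ldf'

Export-OuSd $TargetOU $bak    # keep the target's current descriptor for rollback
Export-OuSd $SourceOU $src
Convert-SdLdif $src $new $TargetOU

& ldifde.exe -i -f $new
if ($LASTEXITCODE -ne 0) { throw "ldifde import failed; target backup is $bak" }
```

To roll back, run `Convert-SdLdif` on the backup file with the same target DN and import the result.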