The fixupInheritance attribute permits administrative tools to request that the DC recompute inherited security permissions on objects to ensure that they conform to the security descriptor requirements (see section 6.1.3), in case the current state of the permissions on the object is erroneous. This operation is not necessary on a correctly functioning DC. The requester must have the "Recalculate-Security-Inheritance" control access right on the nTDSDSA object for the DC. The LDAP Operation returning success means the system accepts the request to perform security-descriptor propagation.
This operation is triggered by setting the fixupInheritance attribute to "1".
The following shows an LDIF sample that performs this operation.
dn:
changetype: modify
add: fixupInheritance
fixupInheritance: 1
-
In Windows Server 2003 operating system, Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, and Windows Server 2012 R2 operating system, setting the fixupInheritance attribute to the special values "forceupdate" and "downgrade" has effects outside the state model.
In Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2, the fixupInheritance attribute can trigger security-descriptor propagation under an object, specified using an identifier outside the state model, rather than throughout the directory. This is performed by setting the fixupInheritance attribute to the string "dnt:" followed by an implementation-specific identifier representing the object. Consider the following example.
dn:
changetype: modify
add: fixupInheritance
fixupInheritance: dnt:54758
-
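A change-file review helper, added here as an example and not part of the specification: it parses LDIF modify records and reports every rootDSE (empty dn) write to fixupInheritance, labelled with the value form described above. The function names and class labels are hypothetical, the sample input is constructed, and case-insensitive matching is this example's own choice.

```python
import re

SPECIAL = {"forceupdate", "downgrade"}  # values the page says act outside the state model

def parse_modify_records(ldif_text):
    """Yield (dn, op, attr, values) per mod-spec; no base64 or folded lines."""
    for block in re.split(r"\n\s*\n", ldif_text.strip()):
        dn, is_modify, op, attr, values = None, False, None, None, []
        for line in (raw.strip() for raw in block.splitlines()):
            if not line or line.startswith("#"):
                continue
            if line == "-":  # "-" closes one mod-spec
                if is_modify and op:
                    yield dn, op, attr, values
                op, attr, values = None, None, []
                continue
            key, _, val = line.partition(":")  # split on the first colon only
            key, val = key.strip().lower(), val.strip()
            if key == "dn":
                dn = val
            elif key == "changetype":
                is_modify = val.lower() == "modify"
            elif op is None and key in ("add", "replace", "delete"):
                op, attr = key, val
            elif op and key == attr.lower():
                values.append(val)

def classify(value):
    """Map a value to the forms the page lists (case-insensitive by choice)."""
    v = value.strip().lower()
    if v == "1":
        return "propagate-all"
    if v.startswith("dnt:") and len(v) > 4:
        return "propagate-under-object"
    return "outside-state-model" if v in SPECIAL else "unrecognized"

def find_fixup_requests(ldif_text):
    """Return (value, class) for each rootDSE (empty dn) fixupInheritance write."""
    hits = []
    for dn, _op, attr, values in parse_modify_records(ldif_text):
        if dn == "" and attr.lower() == "fixupinheritance":
            hits.extend((v, classify(v)) for v in values)
    return hits

# Constructed sample: the page's two records plus an unrelated modify.
SAMPLE = ("dn:\nchangetype: modify\nadd: fixupInheritance\nfixupInheritance: 1\n-\n\n"
          "dn:\nchangetype: modify\nadd: fixupInheritance\nfixupInheritance: dnt:54758\n-\n\n"
          "dn: CN=Example,DC=example,DC=com\nchangetype: modify\n"
          "replace: description\ndescription: constructed\n-\n")
```

Calling `find_fixup_requests(SAMPLE)` returns the two rootDSE requests and skips the ordinary object modification.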