Auditing GPO Inheritance with PowerShell
Posted by Daniel Lange on 8 March 2010
Have you ever needed to find all of the OUs with Group Policy inheritance blocked? Sure, you can open the Group Policy Management Console (GPMC) and look for OUs marked with the blue exclamation point, but wouldn't it be nice to automate this and have the information delivered as a CSV? This sounds like the perfect task for PowerShell.
A few caveats: the following script requires the Quest AD cmdlets and either Windows 7 or Windows Server 2008 R2. In all likelihood, we could accomplish this task without the Quest cmdlets, relying solely on the PowerShell modules that ship with Windows 7 (RSAT) and Windows Server 2008 R2, but I am most familiar with the Quest cmdlets and default to them whenever possible.
Windows 7 (or Windows Server 2008 R2) is required because that is where the GroupPolicy module first ships. So, the first step is to add the Quest PSSnapin, if it isn't already loaded, and import that module:
Add-PSSnapin Quest.ActiveRoles.ADManagement
Import-Module GroupPolicy
We will assume the account running PowerShell has all the necessary rights (reading OUs and GPO links only requires an ordinary domain account) and that the domain being queried is the same as that of the logged-on user. If this isn't true, you may need to supply alternate credentials and a specific domain controller to the Quest cmdlet (-Credential and -Service) and the target domain to Get-GPInheritance (-Domain). The examples below use Contoso.com as a placeholder domain name; replace it with your own.
First, we need to retrieve all of the OUs in the domain. This is accomplished with Get-QADObject, specifying the type as OrganizationalUnit and setting a size limit of 0 so that all matching results are returned rather than the default maximum. As discussed in a previous post, we'll use -DontUseDefaultIncludedProperties to speed up the search, since we only need the distinguished name of each OU.
Get-QADObject -Type OrganizationalUnit -SizeLimit 0 -DontUseDefaultIncludedProperties
Next, we pipe all of the returned OUs into a ForEach-Object loop (the % alias) that checks each one's GPO inheritance settings. Get-GPInheritance takes the container's distinguished name in -Target, so we pass the OU's DN property explicitly:
%{ Get-GPInheritance -Target $_.DN -Domain Contoso.com }
After that, we select the relevant information. Get-GPInheritance returns the container's path (its DN), whether inheritance is blocked, and the lists of directly linked and inherited GPOs. For this particular example, I only want to know the OU path and whether GPO inheritance is blocked or not.
Select Path,GpoInheritanceBlocked
Finally, we export it to a CSV.
Export-CSV "GPOInheritance.csv" -NoTypeInformation
As a one-line command:
Get-QADObject -Type OrganizationalUnit -SizeLimit 0 -DontUseDefaultIncludedProperties | %{ Get-GPInheritance -Target $_.DN -Domain Contoso.com } | Select Path,GpoInheritanceBlocked | Export-CSV "GPOInheritance.csv" -NoTypeInformation
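The same audit without the Quest snapin, as an added example that is not part of the original post: it uses the ActiveDirectory module that ships with RSAT on Windows 7 and with Windows Server 2008 R2 alongside the GroupPolicy module, and it goes a step further than the one-liner by recording, for every OU, how many links are direct versus inherited and which inherited links are Enforced. That last column is the check an auditor wants next to a "blocked" flag: blocking inheritance does not stop Enforced links from higher containers, so an OU that blocks inheritance still receives an enforced domain-level baseline, while a blocked OU with no enforced inherited links has escaped everything above it. The domain defaults to the logged-on user's domain via $env:USERDNSDOMAIN and the output file name is arbitrary; both are assumptions of this example, and the code avoids PowerShell 3.0 syntax so it runs on the PowerShell 2.0 that shipped with those operating systems.

```powershell
# Added example, not the original post's code. Audits GPO inheritance for every OU
# using the ActiveDirectory and GroupPolicy modules (RSAT / Windows Server 2008 R2).
param(
    # Assumption: the domain of the logged-on user is the one to audit.
    [string]$Domain  = $env:USERDNSDOMAIN,
    # Assumption: output file name; any path works.
    [string]$OutFile = "GPOInheritance.csv"
)

Import-Module ActiveDirectory
Import-Module GroupPolicy

# Get-ADOrganizationalUnit has no default size cap, so -Filter * returns every OU.
$ous = Get-ADOrganizationalUnit -Filter * -Server $Domain

$report = foreach ($ou in $ous) {
    $inh = Get-GPInheritance -Target $ou.DistinguishedName -Domain $Domain

    # Enforced links from parent containers apply even when this OU blocks
    # inheritance, so list them: they are what a blocked OU does NOT escape.
    $enforcedInherited = @($inh.InheritedGpoLinks | Where-Object { $_.Enforced } |
        ForEach-Object { $_.DisplayName })

    # New-Object PSObject -Property rather than [PSCustomObject] for PowerShell 2.0;
    # the Select-Object afterwards fixes the column order in the CSV.
    New-Object PSObject -Property @{
        Path                  = $inh.Path
        GpoInheritanceBlocked = $inh.GpoInheritanceBlocked
        DirectLinks           = @($inh.GpoLinks).Count
        InheritedLinks        = @($inh.InheritedGpoLinks).Count
        EnforcedInherited     = ($enforcedInherited -join ';')
    } | Select-Object Path, GpoInheritanceBlocked, DirectLinks, InheritedLinks, EnforcedInherited
}

$report | Export-Csv -Path $OutFile -NoTypeInformation

# Console summary: the OUs that block inheritance and what still reaches them.
$blocked = @($report | Where-Object { $_.GpoInheritanceBlocked })
"{0} of {1} OUs block GPO inheritance" -f $blocked.Count, @($report).Count
$blocked | Select-Object Path, EnforcedInherited | Format-Table -AutoSize
```

Run it as a script (for example .\Audit-GPOInheritance.ps1 -Domain Contoso.com) from an elevated RSAT session. Rows where GpoInheritanceBlocked is True and EnforcedInherited is empty deserve a second look: those containers receive only the GPOs linked directly to them, and nothing you link at the domain or a parent OU will reach them unless you mark the link Enforced.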
I have a similar script to check whether a GPO is set to Enforced. I’ll share that in a future post.
Questions, comments and feedback are always welcome.
~Daniel
This entry was posted on 8 March 2010 at 15:25 and is filed under Active Directory, PowerShell. Tagged: Active Directory, AD Cmdlets, Group Policy, PowerShell.