Auditing GPO Inheritance with PowerShell

Have you ever needed to find all of the OUs with Group Policy inheritance blocked? Sure, you can open up the Group Policy Management MMC and look for OUs with the blue exclamation point, but wouldn’t it be nice to automate this and have the information provided in a CSV? This sounds like the perfect task for PowerShell.

A few caveats: the following script requires the Quest AD cmdlets and either Windows 7 or Windows 2008 R2 Server. In all likelihood, we could accomplish this task without the Quest cmdlets, relying instead solely on the PowerShell modules that ship with Windows 7, but I am most familiar with the Quest cmdlets and default to them whenever possible.

windows 7 (or 2008 R2) is required for the GroupPolicy module. So, the first step is to import that module and, if it isn’t already, add the Quest PSSnapin:

Add-PSSnapin Quest.ActiveRoles.ADManagement
Import-Module Grouppolicy

We will assume the account running PowerShell has all the necessary rights and that the domain being queried is the same as that of the logged on user. If this isn’t true, you may need to specify account and/or domain information as part of the below cmdlets.

First, we need to retrieve all of the OUs in the domain. this is accomplished with Get-QADObject, specifying the type as OrganizationalUnit and setting a size limit of 0 so that all matching results are returned. As discussed in a previous post, we’ll use –DontUseDefaultIncludedProperties to speed up the search.

Get-QADObject -type OrganizationalUnit -SizeLimit 0 -DontUseDefaultIncludedProperties

Next, we want to pipe all of the returned OUs to a ForEach loop to check their GPO Inheritance settings.

%{ Get-GPInheritance -Target $_ -Domain}

After that, we select the relevant information. For this particular example, I want to know the OU path and whether GPO Inheritance is blocked or not.

Select Path,GpoInheritanceBlocked

Finally, we export it to a CSV.

Export-CSV “GPOInheritance.csv” -NoTypeInformation

As a one line command:

Get-QADObject -Type OrganizationalUnit -SizeLimit 0 -DontUseDefaultIncludedProperties | %{ Get-GPInheritance -Target $_ -Domain} | Select Path,GpoInheritanceBlocked | Export-CSV “GPOInheritance.csv” –NoTypeInformation

I have a similar script to check whether a GPO is set to Enforced. I’ll share that in a future post.

Questions, comments and feedback are always welcome.



3 thoughts on “Auditing GPO Inheritance with PowerShell

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s