Here is a short script that will list all OUs where the Block GP Inheritance is switched on:
Add-PSSnapin Quest.ActiveRoles.ADManagement Import-Module Grouppolicy $domain = Read-Host "Specify domain i.e.: contoso.com" $data = Get-QADObject -type OrganizationalUnit -SizeLimit 0 -DontUseDefaultIncludedProperties | foreach-object { Get-GPInheritance -Target $_ -Domain $domain} $data | where {$_.GpoInheritanceBlocked -eq "Yes"} | select Path
The only prerequisite is to have the Quest PS Snapin installed – see here.
The result will look something like that:
Path ---- ou=servers,ou=Boston,dc=US,dc=contoso,dc=com ou=servers,ou=Portland,dc=US,dc=contoso,dc=com ou=locked down,ou=human resources,ou=departments,ou=Boston,dc=US,dc=contoso,dc=com