Powershell – Auditing Group Policy Inheritance

Here is a short script that will list all OUs where the Block GP Inheritance is switched on:

Add-PSSnapin Quest.ActiveRoles.ADManagement
 Import-Module Grouppolicy
 $domain = Read-Host "Specify domain i.e.: contoso.com"
 $data = Get-QADObject -type OrganizationalUnit -SizeLimit 0 -DontUseDefaultIncludedProperties | foreach-object { Get-GPInheritance -Target $_ -Domain $domain}
 $data | where {$_.GpoInheritanceBlocked -eq "Yes"} | select Path

The only prerequisite is to have the Quest PS Snapin installed – see here.

The result will look something like that:

ou=locked down,ou=human resources,ou=departments,ou=Boston,dc=US,dc=contoso,dc=com

Leave a Reply

Your email address will not be published. Required fields are marked *

12 + 19 =

This site uses Akismet to reduce spam. Learn how your comment data is processed.