Inventory OUs with ACL (Disable Inheritance)

jeff-taylor · December 3, 2020, 12:21pm

I’m trying to get a script working for giving me info about Inheritance Disabled at the ACL level (not whether GPOs are being blocked)

I’ve been playing with two one-liners and feel I’m getting close but now the data is either incomplete or unintended.

This works but is only giving GPO related info

Get-ADOrganizationalUnit -SearchBase "OU=PARENT,DC=company,DC=com"-SearchScope OneLevel -Filter * | ft DistinguishedName,@{Name="Inheritance";Expression={(Get-GPInheritance$_.DistinguishedName).GpoInheritanceBlocked}} -Autosize

I see this (but again, it’s about GPOs)

Get-ADOrganizationalUnit -SearchBase "OU=PARENT,DC=company,DC=com"-SearchScope OneLevel -Filter * | ft DistinguishedName,@{Name="Inheritance";Expression={(Get-GPInheritance$_.DistinguishedName).GpoInheritanceBlocked}} -Autosize

LinkedGroupPolicyObjects Property              Microsoft.ActiveDirectory.Management.ADPropertyValueCollection LinkedGroupPolicyObjects {get;}

am I barking up the wrong cmdlet?

rob-simmers · December 3, 2020, 3:33pm

Does this work?

Get-ADOrganizationalUnit -SearchBase "OU=PARENT,DC=company,DC=com" -SearchScope OneLevel -Filter * | 
Select-Object Name, 
              DistinguishedName,
              @{Name="GpoInheritanceBlocked";Expression={(Get-GPInheritance -Target $_.DistinguishedName) | Select-Object -ExpandProperty GpoInheritanceBlocked}}

jeff-taylor · December 4, 2020, 10:32am

Hi Rob, yes your code accurately captures Blocks at the GPO level…(thank you)

…but I’d like to know if PowerShell can capture Inheritance on ACLs set on an OU.

(Not sure how to uploaded a jpg)
DSA.msc > right click on an OU > Properties > security > Advanced > I want to see wherever it says “Enable Inheritance”

…Also, your code made me realize one thing as well. If I go deeper in the subtrees, I’ll see a lot of Get-GPInheritance -eq “False”. If I want to winnow that to only “True” this is what I’ve tried:

Get-ADOrganizationalUnit -SearchBase "OU=PARENT,DC=company,DC=com" -SearchScope OneLevel -Filter * | 
Select-Object Name, DistinguishedName,@{Name="GpoInheritanceBlocked";Expression={(Get-GPInheritance -Target $_.DistinguishedName)  | Select-Object -ExpandProperty GpoInheritanceBlocked | Where-Object -Value -eq "True" }}

…I get no errors but I get no results either (and know they are there).

hudzon · December 5, 2020, 6:12pm

try

Where-Object {$_.value -eq “True”}

rob-simmers · December 7, 2020, 6:03am

Never done this before, but would assume if you want ACL Permissions you most likely need to use Get-ACL:

jeff-taylor · December 10, 2020, 12:27pm

I tested for “False” (as I know they exist) but no results were returned

Get-ADOrganizationalUnit -SearchBase "OU=PARENT,DC=corp,DC=com" -SearchScope OneLevel -Filter * | 
Select-Object Name, DistinguishedName,@{Name="GpoInheritanceBlocked";Expression={(Get-GPInheritance -Target $_.DistinguishedName)  | Select-Object -ExpandProperty GpoInheritanceBlocked }}  | Where-Object {$_.value -eq “False”}

Topic		Replies	Views
Get User ACL inheritance settings (SDHolder) PowerShell Help	3	336	December 22, 2020
Filtering AD ACL Object to be excluded from the Get-ACL result? PowerShell Help	5	170	September 15, 2020
Add AD Group to Shares That Have Inheritance Disabled PowerShell Help	2	488	March 3, 2023
AD GP Script PowerShell Help	11	148	August 13, 2013
issues in script to bring OU information PowerShell Help	1	155	November 18, 2019

Inventory OUs with ACL (Disable Inheritance)

Related Topics