Inventory OUs with ACL (Disable Inheritance)

I’m trying to get a script working for giving me info about Inheritance Disabled at the ACL level (not whether GPOs are being blocked)

I’ve been playing with two one-liners and feel I’m getting close but now the data is either incomplete or unintended.

This works but is only giving GPO related info

Get-ADOrganizationalUnit -SearchBase "OU=PARENT,DC=company,DC=com" -SearchScope OneLevel -Filter * | ft DistinguishedName,@{Name="Inheritance";Expression={(Get-GPInheritance -Target $_.DistinguishedName).GpoInheritanceBlocked}} -AutoSize

I see this (but again, it’s about GPOs)


LinkedGroupPolicyObjects Property              Microsoft.ActiveDirectory.Management.ADPropertyValueCollection LinkedGroupPolicyObjects {get;}

Am I barking up the wrong cmdlet?

Does this work?

Get-ADOrganizationalUnit -SearchBase "OU=PARENT,DC=company,DC=com" -SearchScope OneLevel -Filter * | 
Select-Object Name, 
              DistinguishedName,
              @{Name="GpoInheritanceBlocked";Expression={(Get-GPInheritance -Target $_.DistinguishedName) | Select-Object -ExpandProperty GpoInheritanceBlocked}}

Hi Rob, yes, your code accurately captures blocks at the GPO level… (thank you)

…but I’d like to know if PowerShell can capture Inheritance on ACLs set on an OU.

(Not sure how to upload a jpg)
DSA.msc > right click on an OU > Properties > security > Advanced > I want to see wherever it says “Enable Inheritance”

…Also, your code made me realize one thing as well. If I go deeper in the subtrees, I’ll see a lot of Get-GPInheritance -eq "False". If I want to winnow that to only "True", this is what I’ve tried:

Get-ADOrganizationalUnit -SearchBase "OU=PARENT,DC=company,DC=com" -SearchScope OneLevel -Filter * | 
Select-Object Name, DistinguishedName,@{Name="GpoInheritanceBlocked";Expression={(Get-GPInheritance -Target $_.DistinguishedName)  | Select-Object -ExpandProperty GpoInheritanceBlocked | Where-Object -Value -eq "True" }}

…I get no errors but I get no results either (and know they are there).

try

Where-Object {$_.value -eq "True"}

Never done this before, but would assume if you want ACL Permissions you most likely need to use Get-ACL:

https://devblogs.microsoft.com/scripting/use-powershell-to-explore-active-directory-security/

I tested for “False” (as I know they exist) but no results were returned

Get-ADOrganizationalUnit -SearchBase "OU=PARENT,DC=corp,DC=com" -SearchScope OneLevel -Filter * | 
Select-Object Name, DistinguishedName,@{Name="GpoInheritanceBlocked";Expression={(Get-GPInheritance -Target $_.DistinguishedName)  | Select-Object -ExpandProperty GpoInheritanceBlocked }}  | Where-Object {$_.value -eq "False"}
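The following is an added example, not code posted by anyone in this thread. It covers both open points above: the Get-ACL suggestion (the OU's DACL is what holds the "Enable/Disable inheritance" state shown on the Security tab) and the Where-Object filtering that returned nothing. Instead of Get-Acl on an AD: drive path, it reads the nTSecurityDescriptor attribute through Get-ADOrganizationalUnit, which comes back as a System.DirectoryServices.ActiveDirectorySecurity object; its AreAccessRulesProtected property is $true exactly when inheritance has been disabled on that OU. Two reasons the filters above found nothing are worth knowing: the objects emitted by Select-Object have a GpoInheritanceBlocked property, not a .value member, and comparing a boolean to the string "False" never matches, because PowerShell converts any non-empty string on the right-hand side to $true. The search base "OU=PARENT,DC=company,DC=com" is the placeholder from the thread; the RSAT ActiveDirectory and GroupPolicy modules are assumed to be installed.

```powershell
# Added example (not from the thread). Assumes the RSAT ActiveDirectory and
# GroupPolicy modules are available and the caller can read nTSecurityDescriptor.
# "OU=PARENT,DC=company,DC=com" is the placeholder search base used in the thread.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-OuInheritanceReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SearchBase,
        [ValidateSet('Base', 'OneLevel', 'Subtree')] [string] $SearchScope = 'Subtree'
    )

    # nTSecurityDescriptor is returned as an ActiveDirectorySecurity object, so no
    # AD:\ drive path (and no escaping of DNs with odd characters) is needed.
    Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase -SearchScope $SearchScope `
        -Properties nTSecurityDescriptor |
    ForEach-Object {
        $sd = $_.nTSecurityDescriptor

        # Explicit (non-inherited) ACEs: what remains after "Disable inheritance"
        # on the Security tab, plus anything added by hand afterwards.
        $explicitAces = @($sd.Access | Where-Object { -not $_.IsInherited })

        [PSCustomObject]@{
            Name                   = $_.Name
            DistinguishedName      = $_.DistinguishedName
            # DACL protected flag: $true means inheritance is disabled at the ACL level
            AclInheritanceDisabled = $sd.AreAccessRulesProtected
            ExplicitAceCount       = $explicitAces.Count
            # The GPO-level block that Get-GPInheritance reports (Group Policy tab)
            GpoInheritanceBlocked  = (Get-GPInheritance -Target $_.DistinguishedName).GpoInheritanceBlocked
        }
    }
}

# Full inventory of the subtree, widest view first.
$report = Get-OuInheritanceReport -SearchBase "OU=PARENT,DC=company,DC=com"
$report | Format-Table Name, AclInheritanceDisabled, ExplicitAceCount, GpoInheritanceBlocked -AutoSize

# Winnow to the OUs that matter. Filter on the emitted property name and compare
# booleans to $true/$false; the objects have no ".value" member, and
# ($false -eq "False") is $false because the non-empty string converts to $true.
$report | Where-Object { $_.AclInheritanceDisabled -eq $true } |
    Select-Object DistinguishedName, ExplicitAceCount

$report | Where-Object { -not $_.GpoInheritanceBlocked } |
    Select-Object DistinguishedName
```

If you prefer the approach from the linked devblogs article, `(Get-Acl -Path ("AD:\" + $ou.DistinguishedName)).AreAccessRulesProtected` gives the same flag; the AD: drive exists once the ActiveDirectory module is imported. Either way, an OU with AclInheritanceDisabled set to $true and a non-zero ExplicitAceCount is the one to review, since the explicit ACEs there are what replaced the permissions that would otherwise have flowed down from the parent.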