How Can I Determine if an OU is Blocking Group Policy Inheritance?


Hey, Scripting Guy! How can I determine if an OU has the Group Policy property Block Policy Inheritance box checked?

-- PP


Hey, PP. You know, sometimes you wait all your life for a situation to arise, and then it never arises. For example, one of the Scripting Guys happens to know all nine verses to the song My Darlin’ Clementine. All his life he’s waited for someone to say, “All nine verses to My Darlin’ Clementine? I got a million dollars that says no one knows all nine verses to My Darlin’ Clementine.” For some strange reason, that’s never happened.

For the longest time it seemed like the same thing would happen with Group Policy inheritance. This same Scripting Guy - who seems to specialize in knowledge that few people care about - also happens to know how to tell whether or not Group Policy inheritance is enabled on an Active Directory OU. All his life he’s waited for someone to say, “Know how to tell whether Group Policy inheritance is enabled on an OU? I got a million dollars that says no one knows how to tell whether or not Group Policy inheritance is blocked on an OU.” And now, at last, the moment has come.

Of course, you didn’t offer a million dollars for the answer. But what the heck:

Set objOU = GetObject("LDAP://ou=Finance,dc=fabrikam,dc=com")

If objOU.gpOptions = 1 Then
    Wscript.Echo "Block policy inheritance is enabled."
Else
    Wscript.Echo "Block policy inheritance is not enabled."
End If

Believe it or not, that’s the entire script: this isn’t a hard thing to do, it’s just that very few people know how to do it.

The script begins by binding to the OU in Active Directory. In our sample script, that means binding to the Finance OU in fabrikam.com:

Set objOU = GetObject("LDAP://ou=Finance,dc=fabrikam,dc=com")

After making the connection all we need to do is check the value of the gpOptions attribute. If gpOptions is equal to 1 that means that Group Policy inheritance has been blocked on the OU. If gpOptions is equal to anything else (the other two possible values are 0 and Null) then Group Policy inheritance has not been blocked. We simply set up an If Then statement to examine the value of gpOptions and then echo the appropriate message. And that’s it.
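
The same gpOptions check can be run across every OU in a domain rather than one OU at a time. The PowerShell below is an added example, not part of the original column; the function name Get-OUInheritanceState is hypothetical, and the search base is the column's sample domain, fabrikam.com.

```powershell
# Added example: report which OUs under a search base block Group Policy inheritance.
# Assumption: the search base is the sample domain from the column; change it for your directory.
function Get-OUInheritanceState {
    param(
        [string]$SearchBase = 'LDAP://dc=fabrikam,dc=com'
    )

    $root     = New-Object System.DirectoryServices.DirectoryEntry($SearchBase)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter      = '(objectCategory=organizationalUnit)'
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    $searcher.PageSize    = 500   # paged search, so large domains are not cut off at the server size limit
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    [void]$searcher.PropertiesToLoad.Add('gpOptions')

    $results = $searcher.FindAll()
    try {
        foreach ($result in $results) {
            # gpOptions may be absent (Null), 0 or 1; only 1 means inheritance is blocked.
            $raw = $null
            if ($result.Properties.Contains('gpoptions')) {
                $raw = $result.Properties['gpoptions'][0]
            }
            [pscustomobject]@{
                DistinguishedName  = [string]$result.Properties['distinguishedname'][0]
                GpOptions          = $raw
                InheritanceBlocked = ($raw -eq 1)
            }
        }
    }
    finally {
        # SearchResultCollection and DirectoryEntry hold unmanaged resources.
        $results.Dispose()
        $searcher.Dispose()
        $root.Dispose()
    }
}

# Show only the OUs where Block Policy Inheritance is checked.
Get-OUInheritanceState |
    Where-Object InheritanceBlocked |
    Sort-Object DistinguishedName |
    Format-Table DistinguishedName, GpOptions -AutoSize
```

An OU that appears in this list does not receive GPOs linked above it unless those links are enforced, so the output is a useful starting point when reviewing where a domain-wide security baseline actually applies.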

Now, who wants to make an offer on all nine verses of My Darlin’ Clementine? That’s OK; take your time and think it over. We’ve waited this long, we can wait some more.

Time’s up: now who wants to make an offer on all nine verses of My Darlin’ Clementine?
