{"id":68663,"date":"2005-10-26T13:01:00","date_gmt":"2005-10-26T13:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2005\/10\/26\/how-can-i-determine-if-an-ou-is-blocking-group-policy-inheritance\/"},"modified":"2005-10-26T13:01:00","modified_gmt":"2005-10-26T13:01:00","slug":"how-can-i-determine-if-an-ou-is-blocking-group-policy-inheritance","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/how-can-i-determine-if-an-ou-is-blocking-group-policy-inheritance\/","title":{"rendered":"How Can I Determine if an OU is Blocking Group Policy Inheritance?"},"content":{"rendered":"

\"Hey, \n

Hey, Scripting Guy! How can I determine if an OU has the Group Policy property Block Policy Inheritance<\/B> box checked?

— PP<\/P>\"Spacer\"\"Hey,\"Script<\/A> \n

Hey, PP. You know, sometimes you wait all your life for a situation to arise, and then it never arises. For example, one of the Scripting Guys happens to know all nine verses to the song My Darlin\u2019 Clementine<\/I>. All his life he\u2019s waited for someone to say, \u201cAll nine verses to My Darlin\u2019 Clementine<\/I>? I got a million dollars that says no one<\/I> knows all nine verses to My Darlin\u2019 Clementine<\/I>.\u201d For some strange reason, that\u2019s never happened.<\/P>\n

For the longest time it seemed like the same thing would happen with Group Policy inheritance. This same Scripting Guy – who seems to specialize in knowledge that few people care about – also happens to know how to tell whether or not Group Policy inheritance is enabled on an Active Directory OU. All his life he\u2019s waited for someone to say, \u201cKnow how to tell whether Group Policy inheritance is enabled on an OU? I got a million dollars that says no one<\/I> knows how to tell whether or not Group Policy inheritance is blocked on an OU.\u201d And now, at last, the moment has come.<\/P>\n

Of course, you didn\u2019t offer a million dollars for the answer. But what the heck:<\/P>

Set objOU = GetObject(“LDAP:\/\/ou=Finance,dc=fabrikam,dc=com”)<\/p>\n
If objOU.gpOptions = 1 Then\n    Wscript.Echo “Block policy inheritance is enabled.”\nElse\n    Wscript.Echo “Block policy inheritance is not enabled.”\nEnd If\n<\/PRE>\n
Believe it or not, that\u2019s the entire script: this isn\u2019t a hard<\/I> thing to do, it\u2019s just that very few people know how to do it. <\/P>\n
The script begins by binding to the OU in Active Directory. In our sample script, that means binding to the Finance OU in fabrikam.com:<\/P>
Set objOU = GetObject(“LDAP:\/\/ou=Finance,dc=fabrikam,dc=com”)\n<\/PRE>\n
After making the connection all we need to do is check the value of the gpOptions<\/B> attribute. If gpOptions is equal to 1 that means that Group Policy inheritance has been blocked on the OU. If gpOptions is equal to anything else (the other two possible values are 0 and Null) then Group Policy inheritance has not<\/I> been blocked. We simply set up an If Then statement to examine the value of gpOptions and then echo the appropriate message. And that\u2019s it.<\/P>\n
Now, who wants to make an offer on all nine verses of My Darlin\u2019 Clementine<\/I>? That\u2019s OK; take your time and think it over. We\u2019ve waited this long, we can wait some more.<\/P>\n
Time\u2019s up: now<\/I> who wants to make an offer on all nine verses of My Darlin\u2019 Clementine<\/I>?<\/P><\/p>\n","protected":false},"excerpt":{"rendered":"
Hey, Scripting Guy! How can I determine if an OU has the Group Policy property Block Policy Inheritance box checked?— PP Hey, PP. You know, sometimes you wait all your life for a situation to arise, and then it never arises. For example, one of the Scripting Guys happens to know all nine verses to […]<\/p>\n","protected":false},"author":595,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[7,43,3,5],"class_list":["post-68663","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-active-directory","tag-ous","tag-scripting-guy","tag-vbscript"],"acf":[],"blog_post_summary":"
Hey, Scripting Guy! How can I determine if an OU has the Group Policy property Block Policy Inheritance box checked?— PP Hey, PP. You know, sometimes you wait all your life for a situation to arise, and then it never arises. For example, one of the Scripting Guys happens to know all nine verses to […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/68663","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/595"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=68663"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/68663\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=68663"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=68663"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=68663"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}