Get-GPInheritance

The Get-GPInheritance cmdlet gets information about Group Policy inheritance for a specified ___domain or organizational unit (OU).

This information includes the following:

• A list of GPOs that are linked directly to the ___location (the GpoLinks property).
• A list of GPOs that are applied to the ___location when Group Policy is processed on a client (the InheritedGpoLinks property).
• Whether inheritance is blocked for the ___location (the GpoInheritanceBlocked property).

The InheritedGpoLinks property contains a list of the GPOs are applied to the OU or ___domain when Group Policy is processed on a client. The GPOs are listed according to the order of precedence with which they are applied. This list includes (in the following order):

• Inherited GPOs that are linked, enabled, and enforced at higher levels of the Group Policy hierarchy (for example, a site).
• GPOs that are linked and enabled directly at the specified ___location.
• If inheritance is not blocked for the specified ___location, inherited GPOs that are linked and enabled -- but not enforced -- at higher levels of the Group Policy hierarchy.

Get-GPInheritance -Target 'ou=MyOU,dc=contoso,dc=com'

ContainerName         : myou
ContainerType         : OU
Path                  : ou=myou,dc=contoso,dc=com
GpoInheritanceBlocked : No
GpoLinks              : {TestGPO-0, TestGPO-1, TestGPO-2, TestGPO-3...}
InheritedGpoLinks     : {TestGPO-2, TestGPO-3, Default Domain Policy}

This command gets Group Policy inheritance information for the OU named MyOU in the contoso.com ___domain.

The GpoLinks property contains a list of all the GPOs that are linked directly to the GPO, whether their links are enabled or not.

The InheritedGpoLinks property contains a list of all the GPOs that are applied when Group Policy is processed on the client. TestGPO-2 and TestGPO-3 appear in this list because their links are enabled.

The Default Domain Policy GPO is inherited from the contoso.com ___domain. If inheritance is blocked, it does not appear in the InheritedGpoLinks property unless its link is enforced at the ___domain. If its link is enforced, it appears first in the list.

Get-GPInheritance -Target "dc=contoso,dc=com" -Domain "contoso.com" -Server "DomainController1"

Name                  : contoso.com
ContainerType         : Domain
Path                  : dc=contoso,dc=com
GpoInheritanceBlocked : No
GpoLinks              : {Default Domain Policy}
InheritedGpoLinks     : {Default Domain Policy}

This command gets Group Policy inheritance information for the contoso.com ___domain. The ___domain controller with the host name DomainController1 is contacted to complete the operation.

The ___domain does not have to be explicitly specified using the Domain parameter in this example. If the ___domain of the user that is running the session (or, for startup and shutdown scripts, the computer) is the same as the target ___domain, or a trust exists between it and the target ___domain, you do not have to specify the Domain parameter.

(Get-GPInheritance -Target "ou=myou,dc=contoso,dc=com").GpoLinks |
    Foreach-Object { Get-GPO -Name ($_.DisplayName) }

DisplayName      : TestGPO-3
DomainName       : contoso.com
Owner            : CONTOSO\Domain Admins
Id               : d02126d4-82e8-4e87-b4a0-2d44b6891411
GpoStatus        : AllSettingsEnabled
Description      :
CreationTime     : 2/27/2009 2:59:51 PM
ModificationTime : 2/27/2009 4:00:44 PM
UserVersion      : AD Version: 13, SysVol Version: 13
ComputerVersion  : AD Version: 0, SysVol Version: 0
WmiFilter        :

DisplayName      : TestGPO-2
DomainName       : contoso.com
Owner            : CONTOSO\Domain Admins
Id               : 375865b2-3b5f-480f-8f56-2a994ea6e725
GpoStatus        : AllSettingsEnabled
Description      :
CreationTime     : 2/26/2009 11:28:08 PM
ModificationTime : 3/1/2009 11:07:30 AM
UserVersion      : AD Version: 0, SysVol Version: 0
ComputerVersion  : AD Version: 1, SysVol Version: 1
WmiFilter        :

This command evaluates the SOM object Microsoft.GroupPolicy.SOM returned by Get-GPInheritance and returns the GPOs that are linked to the MyOU organizational unit. You can use this command to set properties of the GPOs by piping its output into other cmdlets. For instance, you can pipe the output to the Set-GPPermissions cmdlet to delegate permissions to administrators of the OU for each of the GPOs linked to the OU.

The GpoLinks property of the SOM object contains a list of all the GPO links for the OU. Each object in this list is of type Microsoft.GroupPolicy.GpoLink.

The collection is piped into a Foreach-Object command, which retrieves each GPO by using the DisplayName property of the GpoLink object.

Microsoft.GroupPolicy.Som

An object that represents a ___domain or an OU.

Microsoft.GroupPolicy.Som

This cmdlet returns an object that represents the ___domain or OU. The GpoInheritanceBlocked property indicates whether inheritance is blocked. You can modify inheritance for the ___domain or OU by using the Set-GPInheritance cmdlet.

• You can use the Domain parameter to explicitly specify the ___domain for this cmdlet.

  If you do not explicitly specify the ___domain, the cmdlet uses a default ___domain. The default ___domain is the ___domain that is used to access network resources by the security context under which the current session is running. This ___domain is typically the ___domain of the user that is running the session. For example, the ___domain of the user who started the session by opening Windows PowerShell from the Program Files menu, or the ___domain of a user that is specified in a runas command. However, computer startup and shutdown scripts run under the context of the LocalSystem account. The LocalSystem account is a built-in local account, and it accesses network resources under the context of the computer account. Therefore, when this cmdlet is run from a startup or shutdown script, the default ___domain is the ___domain to which the computer is joined.