Set-GPInheritance Bug?

  • #93033

    Participant
    Points: 1
    Rank: Member

    Having issues with Set-GPInheritance command using variables.

    # Root OU in main structure
    $RootSite = 'First-Vision'
    
    # Get Root DN
    $Root = [ADSI]"LDAP://RootDSE"
    $RootPath = $Root.rootDomainNamingContext | Out-String
    
    Set-GPInheritance -Target "OU=Linux,OU=Servers,OU=Computers,OU=$RootSite,$RootPath" -IsBlocked Yes

    However, if I use:

    Set-GPInheritance -Target "OU=Linux,OU=Servers,OU=Computers,OU=First-Vision,DC=home,DC=lab" -IsBlocked Yes

    The command works without error.

    The error I am getting only occurs when variables are used. I have confirmed that the string with variables does point to a valid location and all OUs are there.

    The error I get is below:

    Set-GPInheritance : The handle is invalid. (Exception from HRESULT: 0x80070006 (E_HANDLE))
    At line:1 char:1
    + Set-GPInheritance -Target $t -IsBlocked Yes | Out-Null
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [Set-GPInheritance], COMException
        + FullyQualifiedErrorId : System.Runtime.InteropServices.COMException,Microsoft.GroupPolicy.Commands.SetGPInheritanceCommand

    Any ideas? Is there a bug in the command not allowing variable use?

  • #93039

    Participant
    Points: 225
    Helping Hand
    Rank: Participant

    Not a bug. AD cmdlets are just very particular about how you use them.

    Why specify your DistinguishedName manually in some spots then with a variable in another?

    Why not just pick a server from the root of what you are after, and parse out the machine CN out of the DistinguishedName results?

        # Get the DistinguishedName of a computer that sits in the target OU
        ($OUTargetByMachineDN = (Get-ADComputer -Identity dc01).DistinguishedName)
    
        # Strip off the leading machine CN to get the OU target
        # (anchored with ^ so only the first RDN is removed, not a later CN= container)
        ($OUTarget = $OUTargetByMachineDN -replace '^CN=[^,]+,')
    
        # Get the inheritance of the OUTarget
        Get-GPInheritance -Target $OUTarget
    
        # Modify the inheritance flag
        Set-GPInheritance -Target $OUTarget -IsBlocked Yes
    
        # or all in one line
        Set-GPInheritance -Target ((Get-ADComputer -Identity dc01).DistinguishedName -replace '^CN=[^,]+,') -IsBlocked Yes
    
    
  • #93069

    Participant
    Points: 1
    Rank: Member

    The reason why some are variable and other hard coded is because this is the bottom of an AD configuration script. The entire First-Vision OU is being built above with the option to change that name depending on which data center I am running it on. The entire structure is the same at each site with the exception of that one OU and the domain name.

    I do not understand how your above examples would assist in placing inheritance blocks on my specific OUs. It looks as though you are trying to place inheritance blocks on computer objects and not the containers.

  • #93075

    Participant
    Points: 1
    Rank: Member

    Ah I do see how you are using the computer objects to obtain the OU. This could work later on but when this will be executed there will be no objects in there.

    I will have to try something like this, perhaps:

    (Get-ADOrganizationalUnit -Filter 'Name -like "Linux"' | Select-Object DistinguishedName).DistinguishedName

    It looks like you are making a query to the domain and using the answer to supply the information it needs. I will test this, thank you.

  • #93078

    Participant
    Points: 1
    Rank: Member

    Confirmed, that works. Thanks postanote!

The topic ‘Set-GPInheritance Bug?’ is closed to new replies.
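
Added example, not part of any post in the thread: Out-String appends a line terminator to its output, so the interpolated target in the first post is not the same string as the hard-coded DN that works. The sketch below reproduces that difference offline with constructed values and builds a cleaned target; `Get-HiddenCharacter` and `New-OUTarget` are hypothetical helper names, and the domain DN is a constructed stand-in for the RootDSE lookup.

```powershell
# Constructed sample values; in the thread these come from RootDSE and the script's site variable.
$RootSite = 'First-Vision'
$DomainDN = 'DC=home,DC=lab'

# Same pipeline as the first post: Out-String appends a line terminator to the value.
$RootPath = $DomainDN | Out-String

function Get-HiddenCharacter {
    # Hypothetical helper: reports control/whitespace characters other than a plain space.
    param([Parameter(Mandatory)][string]$Text)
    for ($i = 0; $i -lt $Text.Length; $i++) {
        $c = $Text[$i]
        if ([char]::IsControl($c) -or ([char]::IsWhiteSpace($c) -and $c -ne [char]32)) {
            [pscustomobject]@{ Index = $i; CodePoint = 'U+{0:X4}' -f [int]$c }
        }
    }
}

function New-OUTarget {
    # Hypothetical helper: trims every component, joins them into one DN, and
    # refuses to return a DN that still carries hidden characters.
    param(
        [Parameter(Mandatory)][string[]]$Rdn,
        [Parameter(Mandatory)][string]$DomainDN
    )
    $parts = (@($Rdn) + $DomainDN) | ForEach-Object { $_.Trim() }
    $dn = $parts -join ','
    if (Get-HiddenCharacter -Text $dn) { throw "Hidden characters in target DN: $dn" }
    $dn
}

$literal  = 'OU=Linux,OU=Servers,OU=Computers,OU=First-Vision,DC=home,DC=lab'
$fromVars = "OU=Linux,OU=Servers,OU=Computers,OU=$RootSite,$RootPath"

'Literal length  : {0}' -f $literal.Length
'Variable length : {0}' -f $fromVars.Length
Get-HiddenCharacter -Text $fromVars | Format-Table -AutoSize

$target = New-OUTarget -Rdn 'OU=Linux', 'OU=Servers', 'OU=Computers', "OU=$RootSite" -DomainDN $RootPath
'Cleaned target equals literal: {0}' -f ($target -eq $literal)

# On a domain-joined host with the GroupPolicy module, apply and then verify the flag:
# Set-GPInheritance -Target $target -IsBlocked Yes
# Get-GPInheritance -Target $target | Select-Object Path, GpoInheritanceBlocked
```

Reading the flag back with Get-GPInheritance after the change confirms which container was actually modified, which matters in a build script that blocks inheritance on several OUs.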