February 5, 2018 at 9:40 pm #93033
Having issues with Set-GPInheritance command using variables.
# Root OU in main structure $RootSite = 'First-Vision' # Get Root DN $Root = [ADSI]"LDAP://RootDSE" $RootPath = $Root.rootDomainNamingContext | Out-String Set-GPInheritance -Target "OU=Linux,OU=Servers,OU=Computers,OU=$RootSite,$RootPath" -IsBlocked Yes
However, if I use:
Set-GPInheritance -Target "OU=Linux,OU=Servers,OU=Computers,OU=First-Vision,DC=home,DC=lab" -IsBlocked Yes
The command works without error.
The error I am getting only occurs when variables are used, now I have confirmed that the string with variables does point to a valid location and all OU are there.
The error I get is below:
Set-GPInheritance : The handle is invalid. (Exception from HRESULT: 0x80070006 (E_HANDLE)) At line:1 char:1 + Set-GPInheritance -Target $t -IsBlocked Yes | Out-Null + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [Set-GPInheritance], COMException + FullyQualifiedErrorId : System.Runtime.InteropServices.COMException,Microsoft.GroupPolicy.Commands.SetGPInheritanceCommand
Any ideas? Is there a bug in the command not allowing variable use?
February 6, 2018 at 6:33 am #93039
Not a bug. AD cmldets are just very particular about how you use them.
Why specify your DistinguishedName manually in some spots then with a variable in another?
Why not just pink a server from the root of what you are after, and parse out the machine CN out of the DistinguishedName results.
# Get the root DN ($OUTargetByMachineDN = (Get-ADComputer -Identity dc01).DistinguishedName) # Strip off the machine CN to get the OU target ($OUTarget = $OUTargetByMachineDN -replace 'CN=([^,]+).') # Get the inheritance of the OUTarget Get-GPInheritance -Target $OUTarget # Modify the inheritance flag Set-GPInheritance -Target $OUTarget -IsBlocked Yes # or all in one line Set-GPInheritance -Target ((Get-ADComputer -Identity dc01).DistinguishedName -replace 'CN=([^,]+).') -IsBlocked Yes
February 6, 2018 at 3:02 pm #93069
The reason why some are variable and other hard coded is because this is the bottom of an AD configuration script. The entire First-Vision OU is being built above with the option to change that name depending on which data center I am running it on. The entire structure is the same at each site with the exception of that one OU and the domain name.
I do not understand how your above examples would assist in placing inheritance blocks on my specific OUs. It looks as though you are trying to place inheritance blocks on computer objects and not the containers.
February 6, 2018 at 3:05 pm #93075
Ah I do see how you are using the computer objects to obtain the OU. This could work later on but when this will be executed there will be no objects in there.
I will have to try something like this, perhaps:
(Get-ADOrganizationalUnit -Filter 'Name -like "Linux"' | Select-Object DistinguishedName).DistinguishedName
It looks like you are making a query to the domain and using the answer to supply the information is needs. I will test this, thank you.
February 6, 2018 at 3:10 pm #93078
Confirmed, that work. Thanks postanote!
You must be logged in to reply to this topic.