
February 5, 2018 at 9:40 pm

Having issues with Set-GPInheritance command using variables.

# Root OU in main structure
$RootSite = 'First-Vision'

# Get Root DN
$Root = [ADSI]"LDAP://RootDSE"
$RootPath = $Root.rootDomainNamingContext | Out-String

Set-GPInheritance -Target "OU=Linux,OU=Servers,OU=Computers,OU=$RootSite,$RootPath" -IsBlocked Yes

However, if I use:

Set-GPInheritance -Target "OU=Linux,OU=Servers,OU=Computers,OU=First-Vision,DC=home,DC=lab" -IsBlocked Yes

The command works without error.

The error I am getting only occurs when variables are used; I have confirmed that the string with variables does point to a valid location and all OUs are there.

The error I get is below:

Set-GPInheritance : The handle is invalid. (Exception from HRESULT: 0x80070006 (E_HANDLE))
At line:1 char:1
+ Set-GPInheritance -Target $t -IsBlocked Yes | Out-Null
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Set-GPInheritance], COMException
    + FullyQualifiedErrorId : System.Runtime.InteropServices.COMException,Microsoft.GroupPolicy.Commands.SetGPInheritanceCommand

Any ideas? Is there a bug in the command not allowing variable use?

February 6, 2018 at 6:33 am

Not a bug. AD cmdlets are just very particular about how you use them.

Why specify your DistinguishedName manually in some spots then with a variable in another?

Why not just ping a server from the root of what you are after, and parse the machine CN out of the DistinguishedName results?

    # Get the DN of a computer object that sits in the OU you want to target
    ($OUTargetByMachineDN = (Get-ADComputer -Identity dc01).DistinguishedName)

    # Strip off the leading "CN=<machine>," to get the OU's DN
    ($OUTarget = $OUTargetByMachineDN -replace '^CN=[^,]+,')

    # Show the current inheritance state of the OU target
    Get-GPInheritance -Target $OUTarget

    # Modify the inheritance flag
    Set-GPInheritance -Target $OUTarget -IsBlocked Yes

    # or all in one line
    Set-GPInheritance -Target ((Get-ADComputer -Identity dc01).DistinguishedName -replace '^CN=[^,]+,') -IsBlocked Yes

February 6, 2018 at 3:02 pm

The reason why some are variable and other hard coded is because this is the bottom of an AD configuration script. The entire First-Vision OU is being built above with the option to change that name depending on which data center I am running it on. The entire structure is the same at each site with the exception of that one OU and the domain name.

I do not understand how your above examples would assist in placing inheritance blocks on my specific OUs. It looks as though you are trying to place inheritance blocks on computer objects and not the containers.

February 6, 2018 at 3:05 pm

Ah, I do see how you are using the computer objects to obtain the OU. This could work later on, but when this is executed there will be no objects in there.

I will have to try something like this, perhaps:

(Get-ADOrganizationalUnit -Filter 'Name -like "Linux"' | Select-Object DistinguishedName).DistinguishedName

It looks like you are making a query to the domain and using the answer to supply the information it needs. I will test this, thank you.

February 6, 2018 at 3:10 pm

Confirmed, that works. Thanks postanote!
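As an added example (not code from the thread), this is the query-AD-for-the-DN approach from the last two posts made robust: the site name still comes from a variable as in the original script, the OU search is scoped below that site so a same-named OU elsewhere is not matched, and the inheritance state is read back after it is set. It also avoids Out-String, which appends a line break that would end up inside a DN built the way the first post does. The function names Get-SiteOuDN and Set-OuInheritanceBlock are my own; the block assumes the OU layout from the thread and that the ActiveDirectory and GroupPolicy modules are available.

```powershell
# Added example, not from the thread. Assumes the thread's OU layout:
# OU=Linux,OU=Servers,OU=Computers,OU=<site>,<domain DN>
Import-Module ActiveDirectory, GroupPolicy

function Get-SiteOuDN {
    param(
        [Parameter(Mandatory)][string]$Site,     # e.g. 'First-Vision'
        [Parameter(Mandatory)][string]$OuName    # e.g. 'Linux'
    )
    # Get-ADRootDSE returns the naming context as a plain string; no Out-String,
    # which would append a line break that ends up inside the DN.
    $domainDN = (Get-ADRootDSE).rootDomainNamingContext

    # Search only below the site OU so a same-named OU elsewhere is not matched.
    $searchBase = "OU=$Site,$domainDN"
    $ou = @(Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" `
            -SearchBase $searchBase -SearchScope Subtree)
    if ($ou.Count -eq 0) { throw "No OU named '$OuName' found under $searchBase" }
    if ($ou.Count -gt 1) { throw "Ambiguous: $($ou.Count) OUs named '$OuName' under $searchBase" }
    return $ou[0].DistinguishedName
}

function Set-OuInheritanceBlock {
    param(
        [Parameter(Mandatory)][string]$TargetDN,
        [ValidateSet('Yes', 'No')][string]$IsBlocked = 'Yes'
    )
    # Reject DNs carrying stray whitespace or line breaks before they reach GPMC.
    if ($TargetDN -ne $TargetDN.Trim() -or $TargetDN -match '[\r\n]') {
        throw "Target DN contains whitespace or line breaks: '$TargetDN'"
    }
    Set-GPInheritance -Target $TargetDN -IsBlocked $IsBlocked | Out-Null

    # Read the setting back rather than trusting that the call succeeded.
    $state = Get-GPInheritance -Target $TargetDN
    if ($state.GpoInheritanceBlocked -ne ($IsBlocked -eq 'Yes')) {
        throw "Inheritance state on $TargetDN did not change as requested"
    }
    return $state
}

# Usage: the site name comes from a variable, as in the original script.
$RootSite = 'First-Vision'
$linuxOU  = Get-SiteOuDN -Site $RootSite -OuName 'Linux'
Set-OuInheritanceBlock -TargetDN $linuxOU -IsBlocked Yes |
    Select-Object Path, GpoInheritanceBlocked
```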