@@ -11164,7 +11164,7 @@ The raw DirectoryServices.SearchResult object, if -Raw is enabled.
1116411164 $ObjectOUs = @()
1116511165 $ObjectOUs += $ObjectDN.split(',') | ForEach-Object {
1116611166 if($_.startswith('OU=')) {
11167- $ObjectDN.SubString($ObjectDN.IndexOf($_ ))
11167+ $ObjectDN.SubString($ObjectDN.IndexOf("$($_)," ))
1116811168 }
1116911169 }
1117011170 Write-Verbose "[Get-DomainGPO] object OUs: $ObjectOUs"
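Review bot: The added `IndexOf("$($_),")` lookup still returns the first occurrence of the component, so nested OUs that share a name resolve to the same suffix. For a constructed DN such as `CN=PC1,OU=Servers,OU=IT,OU=Servers,DC=corp,DC=example`, the inner `OU=Servers,...` is produced twice and the outer `OU=Servers,DC=...` never, so GPO links on the outer OU are missing from the result. Building each OU path from the component's position, rather than searching the string for its text, avoids this and also covers the substring case this commit fixes. The enclosing function starts and ends outside the hunk, so how `$ObjectDN` is obtained is not visible here.

```powershell
$ObjectOUs = @()
# walk the DN by component index so repeated OU names map to their own suffix
$DNParts = $ObjectDN.split(',')
$ObjectOUs += 0..($DNParts.Count - 1) | ForEach-Object {
    if ($DNParts[$_].startswith('OU=')) {
        $DNParts[$_..($DNParts.Count - 1)] -join ','
    }
}
# … unchanged: Write-Verbose of $ObjectOUs …
```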
@@ -11174,13 +11174,28 @@ The raw DirectoryServices.SearchResult object, if -Raw is enabled.
1117411174 $SearcherArguments.Remove('Properties')
1117511175 $InheritanceDisabled = $False
1117611176 ForEach($ObjectOU in $ObjectOUs) {
11177- if ($InheritanceDisabled) { break }
1117811177 $SearcherArguments['Identity'] = $ObjectOU
1117911178 $GPOAdsPaths += Get-DomainOU @SearcherArguments | ForEach-Object {
1118011179 # extract any GPO links for this particular OU the computer is a part of
11181- $_.gplink.split('][') | ForEach-Object {
11182- if ($_.startswith('LDAP')) {
11183- $_.split(';')[0]
11180+ if ($_.gplink) {
11181+ $_.gplink.split('][') | ForEach-Object {
11182+ if ($_.startswith('LDAP')) {
11183+ $Parts = $_.split(';')
11184+ $GpoDN = $Parts[0]
11185+ $Enforced = $Parts[1]
11186+
11187+ if ($InheritanceDisabled) {
11188+ # if inheritance has already been disabled and this GPO is set as "enforced"
11189+ # then add it, otherwise ignore it
11190+ if ($Enforced -eq 2) {
11191+ $GpoDN
11192+ }
11193+ }
11194+ else {
11195+ # inheritance not marked as disabled yet
11196+ $GpoDN
11197+ }
11198+ }
1118411199 }
1118511200 }
1118611201
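Review bot: The `else` branch emits `$GpoDN` for every link regardless of its option value, so links marked disabled in `gplink` (option 1, or 3 for disabled and enforced) are still reported as applying. If the intent is the set of GPOs that take effect on the object, that branch should skip them, for example `if ($Enforced -ne 1 -and $Enforced -ne 3) { $GpoDN }`. The `-eq 2` test in the inheritance-blocked branch already excludes option 3. A short comment next to `$Enforced = $Parts[1]` listing the option values (0 enabled, 1 disabled, 2 enforced, 3 disabled and enforced) would make both checks easier to audit. The assignment of `$InheritanceDisabled` falls outside this hunk, so whether it is set only after the blocking OU's own links are collected cannot be confirmed from here.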