Using PowerShell to find Computer objects in AD that have inheritance disabled

I needed to find the computer objects in an AD OU that had inheritance disabled. Did the following:

Get-ADComputer -SearchBase "OU=something,DC=myDomain,DC=com" -Filter * | ?{ 
  $Computer=$_.DistinguishedName; 
  (Get-Acl "AD:\$Computer").AreAccessRulesProtected -eq $True } | ft Name

Get-ADComputer -SearchBase "OU=something,DC=myDomain,DC=com" -Filter * | ?{

$Computer=$_.DistinguishedName;

(Get-Acl "AD:\$Computer").AreAccessRulesProtected -eq $True } | ft Name

And to extend this to enable inheritance on the affected objects:

Get-ADComputer -SearchBase "OU=something,DC=myDomain,DC=com" -Filter * | %{ 
  $Computer=$_.DistinguishedName; 
  $ACL=(Get-Acl "AD:\$Computer"); 
  if ($ACL.AreAccessRulesProtected -eq $True) { 
    $ACL.SetAccessRuleProtection($False,$True)
    Set-ACL "AD:\$Computer" -AclObject $ACL
  }
}

Get-ADComputer -SearchBase "OU=something,DC=myDomain,DC=com" -Filter * | %{

$Computer=$_.DistinguishedName;

$ACL=(Get-Acl "AD:\$Computer");

if ($ACL.AreAccessRulesProtected -eq $True) {

$ACL.SetAccessRuleProtection($False,$True)

Set-ACL "AD:\$Computer" -AclObject $ACL

}

Update (16th June 2022):

Reader Aleksey Avdeev sent the following one-liner:

Get-ADComputer -SearchBase (Get-ADDomain).DistinguishedName -Filter * -Properties nTSecurityDescriptor | ?{ $_.nTSecurityDescriptor.AreAccessRulesProtected  } | ft SamAccountName,Name

1	Get-ADComputer -SearchBase (Get-ADDomain).DistinguishedName -Filter * -Properties nTSecurityDescriptor \| ?{ $_.nTSecurityDescriptor.AreAccessRulesProtected } \| ft SamAccountName,Name

Nice one! Way better than the one I came up with. I didn’t realize you could just pull the ntSecurityDescriptor property and query that. I also like how he gets the DN of the domain from Get-ADDOmain.

Also, as an FYI the same cmdlet can be run for users too via Get-ADUser instead of Get-ADComputer.