More powershell & group policy

Tuesday, July 27, 2010

I do not know about you but I LOVE PowerShell, especially the Group Policy cmdlets. Unfortunately, I didn’t have too many opportunities to really use them - but luckily got a chance in preparation for a presentation where I would demo a script that Lindsay (from our dev team) put together.

This script allows you to find any Group Policy setting across all of your GPOs in your domain. Lindsay outlines how to use her script in the following blog posts:

Video on TechnetEdge: Searching for settings in a GPO

Checking a setting in all GPO’s (Security ADMX, and more)

Checking a setting in all GPO’s continued (scripts, firewall, GP Preferences and more)

In preparing, however, I encountered something that many of you have already run into: The suspicious lack of a get cmdlet for GPlinks. Executing the get-help *-GPLink* command in a PowerShell window with the GP cmdlets loaded returns the following:

Name                                                    Category                              Synopsis
--------                                                   ------------                            ------------
New-GPLink                                       Cmdlet                                 Links a GPO to a site, domain, o…
Remove-GPLink                                  Cmdlet                                 Removes a GPO link from a site, …
Set-GPLink                                          Cmdlet                                 Sets the properties of the speci…

Where is the Get-GPLink? It does not exist. Well at least it is not included as one of Microsoft’s cmdlets. I have found that a PowerShell function was created by Jeff Hicks in an attempt to fill the void. For my demo, however, I wanted a built-in solution.

After some digging and experimenting, I found a simple way to determine what containers a GPO is linked to and it can be done with only 3 lines of PowerShell script. I used the Active Directory get-ADObject cmdlet combined with the Filter parameter. The filter parameter allows me to use PowerShell Expression language to query AD for the object that I am looking for. The specific thing that I am looking for is any object that has the gPLink property which contains the GUID for the GPO I am interested in.

To do that I first need to get the GUID for the GPO I am interested in:

1. $myGPO = Get-GPO –name {display name of GPO}

2. $myGPOID = “*” + $myGPO.Id + “*”

Then I pass that into the get-ADObject cmdlet to get the FQDNs for all containers that the GPO is attached to:

3. $Path = get-ADObject –Filter {gPLink –Like $myGPOID}

And as simple as that, I have all containers stored in the variable $Path that a specific GPO is linked to.

MarkG

No Comments