More powershell & group policy
I do not know about you but I LOVE PowerShell, especially the Group Policy cmdlets. Unfortunately, I didn’t have too many opportunities to really use them - but luckily got a chance in preparation for a presentation where I would demo a script that Lindsay (from our dev team) put together.
This script allows you to find any Group Policy setting across all of your GPOs in your domain. Lindsay outlines how to use her script in the following blog posts:
Video on TechnetEdge: Searching for settings in a GPO
Checking a setting in all GPO’s (Security ADMX, and more)
Checking a setting in all GPO’s continued (scripts, firewall, GP Preferences and more)
In preparing, however, I encountered something that many of you have already run into: The suspicious lack of a get cmdlet for GPlinks. Executing the get-help *-GPLink* command in a PowerShell window with the GP cmdlets loaded returns the following:
Name Category Synopsis
-------- ------------ ------------
New-GPLink Cmdlet Links a GPO to a site, domain, o…
Remove-GPLink Cmdlet Removes a GPO link from a site, …
Set-GPLink Cmdlet Sets the properties of the speci…
Where is the Get-GPLink? It does not exist. Well at least it is not included as one of Microsoft’s cmdlets. I have found that a PowerShell function was created by Jeff Hicks in an attempt to fill the void. For my demo, however, I wanted a built-in solution.
After some digging and experimenting, I found a simple way to determine what containers a GPO is linked to and it can be done with only 3 lines of PowerShell script. I used the Active Directory get-ADObject cmdlet combined with the Filter parameter. The filter parameter allows me to use PowerShell Expression language to query AD for the object that I am looking for. The specific thing that I am looking for is any object that has the gPLink property which contains the GUID for the GPO I am interested in.
To do that I first need to get the GUID for the GPO I am interested in:
1. $myGPO = Get-GPO –name {display name of GPO}
2. $myGPOID = “*” + $myGPO.Id + “*”
Then I pass that into the get-ADObject cmdlet to get the FQDNs for all containers that the GPO is attached to:
3. $Path = get-ADObject –Filter {gPLink –Like $myGPOID}
And as simple as that, I have all containers stored in the variable $Path that a specific GPO is linked to.
MarkG