≡ Menu

Find link status and enforcement status of Group policies using PowerShell

In my previous post, we explored the way to identify list of group policies linked to a particular Active Directory OU. While it serves the purpose, there are few details missing there like whether GPO is enabled, enforced, what is the order of the GPO, etc.

Articles related to working with Group Policies using PowerShell

  1. Find Group Policies Objects in Domain using PowerShell
  2. Find Group Policies linked to Active Directory OU Using PowerShell

The applicability of Group Policy object on an Active Directory OU completely replies on status of Group Policy link on that OU. If the status of Group Policy link is in enabled state, then policy will get applied. If the status is disabled, policy is not applicable for members inside that OU. Below screen shot shows the link enable status of a Group Policy on LAB OU from GPMC editor.

GPO-Link-Enabled

When the GPO link is disabled, it appears like below in GPMC editor.

GPO-Link-disabled

Similarly enforced option has its significance to decide policy applicability.

So let us see how we can identify the link status, enforcement status and order of a Group Policy object on a OU using PowerShell since this these plays vital role in deciding the GPO applicability to objects inside that OU>

In my previous post, I used a property called LinkedGroupPolicyObjects to retrieve list of linked Group Policies on OU. There is another property called gPLink which gives more details about the policy that is linked. The values inside gPlink property talks about list of policies, their order, link enable status, enforce status. The format of gplink property looks like below.

[<GPO DN_1>;<GPLinkOptions_1>][<GPO DN_2>;<GPLinkOptions_2>]… [<GPODN_n>;<GPLinkOptions_n>]

Where GPO DN is the distinguished name of the GPO and GPLinkOptions represent the GPO enabled and enforcement status. Also first DN in the string has high precedence order while the last one has low precedence order. You can find more details about this structure at http://msdn.microsoft.com/en-us/library/cc232505.aspx

The below script take a OU name, searches active directory for OUs having that name, queries the group policies linked to that OU, identifies link status, enforcement status, order details and returns the information in Object format.

Code:

[cmdletbinding()]            
param(            
 [string]$OUName            
)            
$OUs = @(Get-ADOrganizationalUnit -Filter * -Properties gPlink | ? {$_.Name -eq "$OUName"})            
#Return if no OUs found with given name            
if(!$OU) { Write-Warning "No such OU found"; return }            
            
foreach($OU in $OUs) {            
 $OUName = $OU.Name            
 $OUDN = $OU.DistinguishedName            
 #Hackey way to get LDAP strings. Regex might be best option here            
 $OUGPLinks = $OU.gPlink.split("][")            
 #Get rid of all empty entries the array            
 $OUGPLinks =  @($OUGPLinks | ? {$_})            
 $order = $OUGPLinks.count;            
 foreach($GpLink in $OUGPLinks) {            
   $GpName = [adsi]$GPlink.split(";")[0] | select -ExpandProperty displayName            
   $GpStatus = $GPlink.split(";")[1]            
   $EnableStatus = $EnforceStatus = 0            
   switch($GPStatus) {            
    "1" {$EnableStatus = $false; $EnforceStatus = $false}            
    "2" {$EnableStatus = $true; $EnforceStatus = $true}            
    "3" {$EnableStatus = $false; $EnforceStatus = $true}            
    "0" {$EnableStatus = $true; $EnforceStatus = $false}            
   }            
   $OutputObj = New-Object -TypeName PSobject            
   $OutputObj | Add-Member -MemberType NoteProperty -Name OUName -Value $OUName            
   $OutputObj | Add-Member -MemberType NoteProperty -Name OUDN -Value $OUDN            
   $OutputObj | Add-Member -MemberType NoteProperty -Name GPName -Value $GPName            
   $OutputObj | Add-Member -MemberType NoteProperty -Name IsLinked -Value $EnableStatus            
   $OutputObj | Add-Member -MemberType NoteProperty -Name IsEnforced -Value $EnforceStatus            
   $OutputObj | Add-Member -MemberType NoteProperty -Name GPOrder -Value $Order            
   $OutputObj            
   $order--            
 }            
            
}            
            
            
            

Output:

Group Policy link status

The output is easy to understand. It mentions about OU name, its DN, policy name, link status, enforcement status, and order of the GPO that you see in GPMC console.

gpo status in gpmc

Hope this helps.. stay tuned for more articles in future.

This script is also available at technet library (http://gallery.technet.microsoft.com/Get-GPO-link-status-a6e5fe7e)

Comments on this entry are closed.