Find Group Policies linked to Active Directory OU Using PowerShell

Last time we looked at a few ways to find Group Policies using PowerShell. Building on that, I would like to share some more thoughts on finding the Group Policies linked to AD OUs.

If you haven’t read my previous article on finding Group Policies, I recommend going through it first. Here is the link to it.

Find Group Policies Objects in Domain using PowerShell

The previous post covers the basics of finding Group Policies, but how do we find which policies are linked to a particular organizational unit? This can be accomplished using the ActiveDirectory and GroupPolicy modules.

First, let us import both modules:

Import-Module ActiveDirectory            
Import-Module GroupPolicy            

The Get-ADOrganizationalUnit cmdlet queries Active Directory organizational units and returns an AD object for each OU. One of the properties of the OU object is LinkedGroupPolicyObjects, which contains the list of policies currently linked to the OU. See the example below.

Get-ADOrganizationalUnit -Filter 'Name -like "*lab*"'

PS C:\> Get-ADOrganizationalUnit -Filter 'Name -like "*lab*"'

City :
Country :
DistinguishedName : OU=LAB,DC=techibee,DC=ad
LinkedGroupPolicyObjects : {cn={98CBBC75-DE94-4093-9B46-D4100230849E},cn=policies,cn=system,DC=techibee,DC=ad}
ManagedBy :
Name : LAB
ObjectClass : organizationalUnit
ObjectGUID : dc39b7f3-fa61-400b-aa48-318b5ca959ca
PostalCode :
State :
StreetAddress :

In my case I have only one OU with the name lab, so it returned a single object. Depending on the name of your OU, you may need to fine-tune the filter. As you can see in the output, the LinkedGroupPolicyObjects attribute is an array of the distinguished names (DNs) of the linked Group Policy objects. So we need to convert these DNs into display names to make them readable.

There are two ways to do that.

Using Group Policy Module:

Use the Group Policy cmdlets to query the display name and other information about a Group Policy object, such as creation time, modification time and owner. I used a regex to extract the GUID of the GPO from the DN and passed it to the Get-GPO cmdlet.

# Collect the DNs of the GPOs linked to the OU
$LinkedGPOs = Get-ADOrganizationalUnit -Filter 'Name -like "*lab*"' | select -ExpandProperty LinkedGroupPolicyObjects
# Matches the {GUID} portion of a GPO distinguished name
$GUIDRegex = "{[a-zA-Z0-9]{8}[-][a-zA-Z0-9]{4}[-][a-zA-Z0-9]{4}[-][a-zA-Z0-9]{4}[-][a-zA-Z0-9]{12}}"

foreach($LinkedGPO in $LinkedGPOs) {
    $result = [Regex]::Match($LinkedGPO,$GUIDRegex)
    if($result.Success) {
        # Strip the braces and look the GPO up by GUID
        $GPOGuid = $result.Value.TrimStart("{").TrimEnd("}")
        Get-GPO -Guid $GPOGuid
    }
}

Using [ADSI]

Information about a Group Policy can also be obtained through the [ADSI] interface. This method returns the properties of the Group Policy object as stored in Active Directory, including the display name, the SYSVOL path of the GPO, and so on.

$LinkedGPOs = Get-ADOrganizationalUnit -Filter 'Name -like "*lab*"' | select -ExpandProperty LinkedGroupPolicyObjects

foreach($LinkedGPO in $LinkedGPOs) {
    # Bind to the GPO object in AD and show selected attributes
    [adsi]"LDAP://$LinkedGPO" | select DisplayName, WhenCreated, WhenChanged, gPCFileSysPath | fl
}

Depending on your comfort level, you can choose either of these methods to list the Group Policies linked to an OU.
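
The order and state of each link, which LinkedGroupPolicyObjects does not expose, can be read from the OU's raw gPLink attribute, and a disabled or enforced link changes which settings actually apply. The following is an added example, not code from the original post: ConvertFrom-GPLink is a hypothetical helper name, the second GUID in the sample is constructed, and it assumes the standard gPLink layout of [LDAP://<GPO DN>;<options>] entries stored lowest precedence first.

```powershell
# Added example: turn a raw gPLink value into one record per link.
# ConvertFrom-GPLink is a hypothetical helper, not a built-in cmdlet.
function ConvertFrom-GPLink {
    param([string]$GPLink)   # an OU with no links yields an empty string

    # Each link is stored as [LDAP://<GPO DN>;<options>]
    $pattern = '(?i)\[LDAP://(?<dn>[^;\]]+);(?<opt>\d+)\]'
    $links   = [regex]::Matches($GPLink, $pattern)

    # Links are stored lowest precedence first, so walk the list backwards:
    # the last entry in the attribute is link order 1.
    for ($i = $links.Count - 1; $i -ge 0; $i--) {
        $dn   = $links[$i].Groups['dn'].Value
        $opt  = [int]$links[$i].Groups['opt'].Value
        $guid = if ($dn -match '\{([0-9a-fA-F-]{36})\}') { [guid]$Matches[1] } else { $null }

        [pscustomobject]@{
            Order    = $links.Count - $i
            GpoGuid  = $guid
            Enabled  = -not ($opt -band 1)    # option bit 0 set = link disabled
            Enforced = [bool]($opt -band 2)   # option bit 1 set = link enforced
            GpoDN    = $dn
        }
    }
}

# Constructed sample value: the first GUID is the one shown in the output above,
# the second GUID is made up for illustration.
$sample = '[LDAP://cn={98CBBC75-DE94-4093-9B46-D4100230849E},cn=policies,cn=system,DC=techibee,DC=ad;0]' +
          '[LDAP://cn={11111111-2222-3333-4444-555555555555},cn=policies,cn=system,DC=techibee,DC=ad;2]'

# All links in a single table, highest precedence first
ConvertFrom-GPLink -GPLink $sample | Format-Table Order, GpoGuid, Enabled, Enforced -AutoSize

# Against a live domain (requires the ActiveDirectory module):
# Get-ADOrganizationalUnit -Filter 'Name -like "*lab*"' -Properties gPLink |
#     ForEach-Object { ConvertFrom-GPLink -GPLink $_.gPLink }
```

Each GpoGuid can be passed to Get-GPO -Guid, as in the first method above, to resolve the display name.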

Hope this helps and happy learning…

Comments on this entry are closed.

  • Kristoffer Dover October 20, 2014, 10:13 pm

    Thanks! That was extremely helpful.

  • Ilya January 7, 2017, 2:31 am

    $GPLinks = ( Get-ADOrganizationalUnit -Filter * -SearchBase "OU=Servers,DC=Contoso,DC=ru" | Get-GPInheritance ).gpolinks

    o_O

    • Bubble May 16, 2017, 1:09 pm

      This worked well for me thanks 🙂

  • Abdel January 19, 2017, 3:41 am

    Thanks for sharing 🙂
    I tried your script and it works, but doesn’t show the order of the GPLink!
    I tried to alter the code but no luck yet!

    Would you please tell us how to add the gplink order as well?

    • Shuey November 9, 2017, 2:36 am

      I agree with Abdel – the output is hard to sift through because it’s not ordered in a way that’s easy to review…

      • Wintel Rocks November 12, 2017, 9:39 pm

        You can determine the order based on gPLink attribute values order. I will produce a post about it soon.

  • GPO Admin March 12, 2018, 6:34 am

    Do you know how to save the output to an array and write it out in a single table instead of individual gets?

    • Wintel Rocks March 12, 2018, 3:20 pm

      Something like below?

      $LinkedGPOs = Get-ADOrganizationalUnit -Filter 'Name -like "*lab*"' | select -ExpandProperty LinkedGroupPolicyObjects
      $outarr = @()
      foreach($LinkedGPO in $LinkedGPOs) {
          $output = [adsi]"LDAP://$LinkedGPO" | select DisplayName, WhenCreated, WhenChanged, gPCFileSysPath | fl
          $outarr += $output
      }
      $Outarr

  • James Method March 16, 2021, 12:14 am

    Great final note above from March 12, 2018 regarding better output format,
    BUT…
    PowerShell is case-sensitive, so the last line should be :
    $outarr <– correct
    instead of
    $Outarr <– incorrect, since you specified "lower-case" first letter in the original variable