Last time we saw a few ways to find group policies using PowerShell. Building on that, I would like to share some more thoughts on finding Group Policies linked to AD OUs.
If you haven't read my previous article on finding group policies, I recommend you go through that first. Here is the link to it.
Find Group Policies Objects in Domain using PowerShell
The previous post covers the basics of finding group policies, but how do we find all the policies linked to a particular organizational unit? This can be accomplished with the ActiveDirectory and GroupPolicy modules.
First, let us import both modules:
Import-Module ActiveDirectory
Import-Module GroupPolicy
The Get-ADOrganizationalUnit cmdlet queries Active Directory organizational units and returns an AD object for each OU. One of the properties of the OU object is LinkedGroupPolicyObjects, which lists the policies currently linked to the OU. See the example below.
Get-ADOrganizationalUnit -Filter 'Name -like "*lab*"'
PS C:\> Get-ADOrganizationalUnit -Filter 'Name -like "*lab*"'
City :
Country :
DistinguishedName : OU=LAB,DC=techibee,DC=ad
LinkedGroupPolicyObjects : {cn={98CBBC75-DE94-4093-9B46-D4100230849E},cn=policies,cn=system,DC=techibee,DC=ad}
ManagedBy :
Name : LAB
ObjectClass : organizationalUnit
ObjectGUID : dc39b7f3-fa61-400b-aa48-318b5ca959ca
PostalCode :
State :
StreetAddress :
In my case I have only one OU with the name lab, so it returned a single object. Depending on the name of your OU, you may need to fine-tune the filter. As you can see in the output, the LinkedGroupPolicyObjects attribute is an array of distinguished names (DNs) of the linked Group Policy objects. So we need to convert these DNs into display names for better understanding.
There are two ways to do that.
Using Group Policy Module:
Use the Group Policy cmdlets to query the display name and other information about a Group Policy object, such as creation time, modified time and owner. I used a regex to extract the GPO's GUID from the DN and passed it to the Get-GPO cmdlet to look up the GPO.
$LinkedGPOs = Get-ADOrganizationalUnit -Filter 'Name -like "*lab*"' | select -ExpandProperty LinkedGroupPolicyObjects
# Matches the {GUID} part of each linked GPO's distinguished name
$GUIDRegex = "{[a-zA-Z0-9]{8}[-][a-zA-Z0-9]{4}[-][a-zA-Z0-9]{4}[-][a-zA-Z0-9]{4}[-][a-zA-Z0-9]{12}}"
foreach($LinkedGPO in $LinkedGPOs) {
    $result = [Regex]::Match($LinkedGPO,$GUIDRegex);
    if($result.Success) {
        # Strip the braces and look the GPO up by its GUID
        $GPOGuid = $result.Value.TrimStart("{").TrimEnd("}")
        Get-GPO -Guid $GPOGuid
    }
}
Using [ADSI]:
The information about a group policy can also be obtained through the [ADSI] interface. This method returns the properties of the Group Policy object as stored in Active Directory, so it contains the information you generally see in Active Directory for a GP object. Display name, the SYSVOL path of the GPO, etc. are available in the output.
$LinkedGPOs = Get-ADOrganizationalUnit -Filter 'Name -like "*lab*"' | select -ExpandProperty LinkedGroupPolicyObjects
foreach($LinkedGPO in $LinkedGPOs) {
    # Bind to the GPO object by its DN and show selected attributes
    [adsi]"LDAP://$LinkedGPO" | select DisplayName, WhenCreated, WhenChanged, gPCFileSysPath | fl
}
Based on your comfort level, you can choose either of these methods to query the list of Group Policies linked to an OU.
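Added example (not part of the original post): LinkedGroupPolicyObjects does not carry the link options (disabled, enforced) or an explicit link order; those live in the OU's gPLink attribute, which the sketch below parses. The function name ConvertFrom-GPLink and the second GUID in the sample are assumptions made for illustration.

```powershell
# Added example, not from the original post. ConvertFrom-GPLink is a hypothetical helper.
function ConvertFrom-GPLink {
    param([string]$GPLink)
    # gPLink stores each link as [LDAP://<GPO DN>;<options>], lowest precedence first.
    $pattern = '(?i)\[LDAP://(?<dn>[^;\]]+);(?<opt>\d+)\]'
    $found = [regex]::Matches($GPLink, $pattern)
    for ($i = 0; $i -lt $found.Count; $i++) {
        $dn   = $found[$i].Groups['dn'].Value
        $opt  = [int]$found[$i].Groups['opt'].Value
        $guid = if ($dn -match '\{(?<g>[0-9a-f-]{36})\}') { $Matches['g'] } else { $null }
        [pscustomobject]@{
            LinkOrder = $found.Count - $i        # last entry is link order 1
            GpoGuid   = $guid
            Enabled   = -not ($opt -band 1)      # bit 0 set = link disabled
            Enforced  = [bool]($opt -band 2)     # bit 1 set = link enforced
            GpoDN     = $dn
        }
    }
}

# Constructed sample value: the first GUID is the LAB OU's GPO from the output above,
# the second GUID is made up for illustration.
$sample = '[LDAP://cn={98CBBC75-DE94-4093-9B46-D4100230849E},cn=policies,cn=system,DC=techibee,DC=ad;0]' +
          '[LDAP://cn={11111111-2222-3333-4444-555555555555},cn=policies,cn=system,DC=techibee,DC=ad;2]'
ConvertFrom-GPLink $sample | Sort-Object LinkOrder |
    Format-Table LinkOrder, GpoGuid, Enabled, Enforced

# Against a live domain (runs only where the ActiveDirectory module is available).
if (Get-Command Get-ADOrganizationalUnit -ErrorAction SilentlyContinue) {
    Get-ADOrganizationalUnit -Filter 'Name -like "*lab*"' -Properties gPLink | ForEach-Object {
        $ou = $_.DistinguishedName
        ConvertFrom-GPLink $_.gPLink | Sort-Object LinkOrder | ForEach-Object {
            $link = $_
            # A link whose GPO no longer exists makes Get-GPO fail; report it rather than stop.
            $gpo = try { Get-GPO -Guid $link.GpoGuid -ErrorAction Stop } catch { $null }
            [pscustomobject]@{
                OU          = $ou
                LinkOrder   = $link.LinkOrder
                Enabled     = $link.Enabled
                Enforced    = $link.Enforced
                DisplayName = if ($gpo) { $gpo.DisplayName } else { "<unresolved $($link.GpoGuid)>" }
            }
        }
    } | Format-Table -AutoSize
}
```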
Hope this helps and happy learning…
Comments on this entry are closed.
Thanks! That was extremely helpful.
I am glad to know that it is helpful
$GPLinks = ( Get-ADOrganizationalUnit -Filter * -SearchBase "OU=Servers,DC=Contoso,DC=ru" | Get-GPInheritance ).gpolinks
o_O
This worked well for me thanks 🙂
Thanks for sharing 🙂
I tried your script and it works, but it doesn't show the order of the GPLink!
I tried to alter the code but no luck yet!
Would you please tell us how to add the gplink order as well?
I agree with Abdel – the output is hard to sift through because it’s not ordered in a way that’s easy to review…
You can determine the order based on the order of the gPLink attribute values. I will produce a post about it soon.
Do you know how to save the output to an array and write it out in a single table instead of individual gets?
Something like below?
$LinkedGPOs = Get-ADOrganizationalUnit -Filter 'Name -like "*lab*"' | select -ExpandProperty LinkedGroupPolicyObjects
$outarr = @()
foreach($LinkedGPO in $LinkedGPOs) {
    # Collect the objects themselves; piping to fl here would store formatting data instead of rows
    $output = [adsi]"LDAP://$LinkedGPO" | select DisplayName, WhenCreated, WhenChanged, gPCFileSysPath
    $outarr += $output
}
$Outarr
Great final note above from March 12, 2018 regarding better output format,
BUT…
PowerShell is case-sensitive, so the last line should be:
$outarr <-- correct
instead of
$Outarr <-- incorrect, since you specified "lower-case" first letter in the original variable
PowerShell variables are not case-sensitive. Source: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_variables?view=powershell-7.1
PS C:\> $test = "techibee"
PS C:\> $Test
techibee
PS C:\> $tEst
techibee
PS C:\>