In my previous post, we explored how to identify the list of Group Policies linked to a particular Active Directory OU. While it serves the purpose, a few details are missing there, such as whether the GPO link is enabled or enforced, and what the order of the GPO is.
Articles related to working with Group Policies using PowerShell
- Find Group Policies Objects in Domain using PowerShell
- Find Group Policies linked to Active Directory OU Using PowerShell
The applicability of a Group Policy Object to an Active Directory OU relies entirely on the status of the Group Policy link on that OU. If the link is enabled, the policy gets applied. If the link is disabled, the policy does not apply to members inside that OU. The screenshot below shows the link-enabled status of a Group Policy on the LAB OU in the GPMC editor.
When the GPO link is disabled, it appears as below in the GPMC editor.
Similarly, the Enforced option plays its part in deciding policy applicability.
So let us see how we can identify the link status, enforcement status and order of a Group Policy Object on an OU using PowerShell, since these play a vital role in deciding whether the GPO applies to objects inside that OU.
In my previous post, I used a property called LinkedGroupPolicyObjects to retrieve the list of Group Policies linked to an OU. There is another property called gPLink which gives more details about the linked policies. The value of the gPLink property lists the policies, their order, their link-enabled status and their enforcement status. The format of the gPLink property looks like below.
[<GPO DN_1>;<GPLinkOptions_1>][<GPO DN_2>;<GPLinkOptions_2>]… [<GPODN_n>;<GPLinkOptions_n>]
Here GPO DN is the distinguished name of the GPO, and GPLinkOptions represents the GPO's enabled and enforcement status. Also, the first DN in the string has the high precedence order while the last one has the low precedence order. You can find more details about this structure at http://msdn.microsoft.com/en-us/library/cc232505.aspx
The script below takes an OU name, searches Active Directory for OUs having that name, queries the Group Policies linked to each OU, identifies link status, enforcement status and order details, and returns the information as objects.
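As an added example (not the post's script), here is the gPLink format above parsed offline with a regex, which the post's own comment suggests, and GPLinkOptions decoded as a bitmask (bit 0 set = link disabled, bit 1 set = enforced), which covers all four values of the post's switch with two tests. The function name, the sample gPLink string and its GUIDs are constructed for this demo and need no domain connection.

```powershell
# Added example: parse a gPLink value without touching Active Directory.
# ConvertFrom-GPLink is a hypothetical name chosen for this demo.
function ConvertFrom-GPLink {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$GPLink
    )
    # Each entry looks like [LDAP://<GPO DN>;<GPLinkOptions>]; the DN never contains ';' or ']'
    $entries = [regex]::Matches($GPLink, '\[(?<dn>[^;\]]+);(?<opt>\d+)\]')
    $count = $entries.Count
    $index = 0
    foreach ($m in $entries) {
        $opt = [int]$m.Groups['opt'].Value
        [PSCustomObject]@{
            GPODN      = $m.Groups['dn'].Value
            # bit 0 (value 1) set means the link is disabled
            IsLinked   = -not ($opt -band 1)
            # bit 1 (value 2) set means the link is enforced
            IsEnforced = [bool]($opt -band 2)
            # first entry in the string gets the highest link-order number, as in the post's script
            GPOrder    = $count - $index
        }
        $index++
    }
}

# Constructed sample: one enforced link, one disabled link, one plain link
$sample = '[LDAP://cn={11111111-1111-1111-1111-111111111111},cn=policies,cn=system,DC=lab,DC=local;2]' +
          '[LDAP://cn={22222222-2222-2222-2222-222222222222},cn=policies,cn=system,DC=lab,DC=local;1]' +
          '[LDAP://cn={33333333-3333-3333-3333-333333333333},cn=policies,cn=system,DC=lab,DC=local;0]'

ConvertFrom-GPLink -GPLink $sample | Format-Table -AutoSize
```

Against a live domain, pass an OU's gPLink attribute in and resolve each GPODN to its displayName with `[adsi]` the way the post's script does; an empty or missing gPLink simply yields no objects.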
Code:
```powershell
[cmdletbinding()]
param(
    [string]$OUName
)

#Get-ADOrganizationalUnit comes from the ActiveDirectory module (RSAT)
$OUs = @(Get-ADOrganizationalUnit -Filter * -Properties gPlink | ? {$_.Name -eq "$OUName"})

#Return if no OUs found with given name
if(!$OUs) {
    Write-Warning "No such OU found"
    return
}

foreach($OU in $OUs) {
    $OUName = $OU.Name
    $OUDN = $OU.DistinguishedName

    #Skip OUs that have no policies linked (gPlink is empty)
    if(!$OU.gPlink) { continue }

    #Hacky way to get LDAP strings. Regex might be best option here
    $OUGPLinks = $OU.gPlink.split("][")

    #Get rid of all empty entries in the array
    $OUGPLinks = @($OUGPLinks | ? {$_})

    #First entry in gPlink gets the highest order number, last entry gets 1
    $order = $OUGPLinks.count
    foreach($GpLink in $OUGPLinks) {
        #Each entry is <LDAP path of GPO>;<GPLinkOptions>
        $GpName = [adsi]$GPlink.split(";")[0] | select -ExpandProperty displayName
        $GpStatus = $GPlink.split(";")[1]
        $EnableStatus = $EnforceStatus = 0

        #GPLinkOptions: 0 = enabled, 1 = disabled, 2 = enabled and enforced, 3 = disabled but enforced
        switch($GPStatus) {
            "1" {$EnableStatus = $false; $EnforceStatus = $false}
            "2" {$EnableStatus = $true;  $EnforceStatus = $true}
            "3" {$EnableStatus = $false; $EnforceStatus = $true}
            "0" {$EnableStatus = $true;  $EnforceStatus = $false}
        }

        $OutputObj = New-Object -TypeName PSobject
        $OutputObj | Add-Member -MemberType NoteProperty -Name OUName -Value $OUName
        $OutputObj | Add-Member -MemberType NoteProperty -Name OUDN -Value $OUDN
        $OutputObj | Add-Member -MemberType NoteProperty -Name GPName -Value $GPName
        $OutputObj | Add-Member -MemberType NoteProperty -Name IsLinked -Value $EnableStatus
        $OutputObj | Add-Member -MemberType NoteProperty -Name IsEnforced -Value $EnforceStatus
        $OutputObj | Add-Member -MemberType NoteProperty -Name GPOrder -Value $Order
        $OutputObj
        $order--
    }
}
```
Output:
The output is easy to understand. It shows the OU name, its DN, the policy name, link status, enforcement status, and the order of the GPO as you see it in the GPMC console.
Hope this helps. Stay tuned for more articles in the future.
This script is also available in the TechNet Gallery (http://gallery.technet.microsoft.com/Get-GPO-link-status-a6e5fe7e)