Performancing Metrics

More powershell & group policy - Group Policy Team Blog - Site Home - TechNet Blogs

More powershell & group policy

More powershell & group policy

  • Comments 4
  • Likes

I do not know about you but I LOVE PowerShell, especially the Group Policy cmdlets. Unfortunately, I didn’t have too many opportunities to really use them - but luckily got a chance in preparation for a presentation where I would demo a script that Lindsay (from our dev team) put together.

This script allows you to find any Group Policy setting across all of your GPOs in your domain. Lindsay outlines how to use her script in the following blog posts:

Video on TechnetEdge: Searching for settings in a GPO

Checking a setting in all GPO’s (Security ADMX, and more)

Checking a setting in all GPO’s continued (scripts, firewall, GP Preferences and more)

In preparing, however, I encountered something that many of you have already run into: The suspicious lack of a get cmdlet for GPlinks.  Executing the get-help *-GPLink* command in a PowerShell window with the GP cmdlets loaded returns the following:

Name                                                    Category                              Synopsis
--------                                                   ------------                            ------------
New-GPLink                                       Cmdlet                                 Links a GPO to a site, domain, o…
Remove-GPLink                                  Cmdlet                                 Removes a GPO link from a site, …
Set-GPLink                                          Cmdlet                                 Sets the properties of the speci…

Where is the Get-GPLink? It does not exist. Well at least it is not included as one of Microsoft’s cmdlets. I have found that a PowerShell function was created by Jeff Hicks in an attempt to fill the void. For my demo, however, I wanted a built-in solution.

After some digging and experimenting, I found a simple way to determine what containers a GPO is linked to and it can be done with only 3 lines of PowerShell script. I used the Active Directory get-ADObject cmdlet combined with the Filter parameter. The filter parameter allows me to use PowerShell Expression language to query AD for the object that I am looking for. The specific thing that I am looking for is any object that has the gPLink property which contains the GUID for the GPO I am interested in.

To do that I first need to get the GUID for the GPO I am interested in:

1.       $myGPO = Get-GPO –name {display name of GPO}

2.       $myGPOID = “*” + $myGPO.Id + “*”

Then I pass that into the get-ADObject cmdlet to get the FQDNs for all containers that the GPO is attached to:

3.       $Path = get-ADObject –Filter {gPLink –Like $myGPOID}

And as simple as that, I have all containers stored in the variable $Path that a specific GPO is linked to.

MarkG

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment
  • Please delete if inappropriate;

    Regarding the post, I cannot comment anymore, 'Tales from the Community: Enforced vs. Block Inheritance'. there's an error in the text.

    Statement about Block Inheritance':

    "GPOs from levels higher than IT-OU will simply be ignored. Even GPOs from the same level, such as OULevel2-GPO, will."

    To my knowledge the second sentence is in error, GPO's from the same level will not be ignored and thus be applied.

    Regards,

    Arian van der Pijl

  • Hi,

    I am in search of some assistance with scripting modifications to a GPO.

    The policy we want to modify is 'Folder Redirection'. Could you please post some sample code for modiying this Policy Extension?

    We would like to be able to add multiple locations. Here's an extract of the XML report of the GPO:

    <ExtensionData>

         <Extension xmlns:q4="www.microsoft.com/.../FolderRedirection" xsi:type="q4:FolderRedirectionSettings">

           <q4:Folder>

             <q4:Id>{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}</q4:Id>

             <q4:Location>

               <q4:DestinationPath>\\srvfs01\demo.mycompany.com$\%USERNAME%\AppData\Roaming</q4:DestinationPath>

               <q4:SecurityGroup>

                 <SID xmlns="www.microsoft.com/.../SID>

                 <Name xmlns="www.microsoft.com/.../Types">MyDomain\Allusers@demo.mycompany.com</Name>

               </q4:SecurityGroup>

             </q4:Location>

             <q4:Location>

               <q4:DestinationPath>\\srvfs01\demo2.mycompany.com$\%USERNAME%\AppData\Roaming</q4:DestinationPath>

               <q4:SecurityGroup>

                 <SID xmlns="www.microsoft.com/.../SID>

                 <Name xmlns="www.microsoft.com/.../Types">MyDomain\Admins@demo2.mycompany.com</Name>

               </q4:SecurityGroup>

             </q4:Location>

             <q4:GrantExclusiveRights>true</q4:GrantExclusiveRights>

             <q4:MoveContents>true</q4:MoveContents>

             <q4:FollowParent>false</q4:FollowParent>

             <q4:ApplyToDownLevel>false</q4:ApplyToDownLevel>

             <q4:DoNotCare>false</q4:DoNotCare>

             <q4:RedirectToLocal>false</q4:RedirectToLocal>

             <q4:PolicyRemovalBehavior>LeaveContents</q4:PolicyRemovalBehavior>

           </q4:Folder>

         </Extension>

         <Name>Folder Redirection</Name>

       </ExtensionData>

    P.S: When I try searching for the FolderRedirection settings:

    .\SearchGPOsForSetting.ps1 -IsComputerConfiguration $false -Extension FolderRedirection -Where GrantExclusiveRights -Is true

    I get the following error:

    Cannot validate argument on parameter 'Name'. The argument is null or empty. Supply an argument that is not null or empty and then try the command again.

    At C:\temp\SearchGPOsForSetting.ps1:line:59 char:52

    + $lookingFor = Get-Member -InputObject $node -Name <<<< $thePropertyWeWant;

    What am i doing wrong here?

    Thank you in advance.

    Kind regards,

    Rob Pellicaan

  • grimson,

    Let me check on this and get back to you. Thanks for letting me know!

    Robp,

    Let me take a look & let you know.

  • Thank you for this script, it is very good. The script 'SearchGPOsForSetting.ps1' attached to your example posts is missing a few closing ')' at the beginning, FYI.