Get-GPlink function V1.3

  • Article

Hi all

As promised I return to you with an updated version of my function get-gplink.
Here is the list of what is changed from version 1.0:

New set of switches:

-path: DN of the object you want to get the gplink information
-site: Just to indicate that you are running the command against a site object. This will change the internal process to target the Configuration partition.
- server: if you are running the command from a domain that is different from the target domain of your command, you will need to specify a DC of that target domain

Compatibility with .NET 3.5:

    Turns out that version 1.0 was using some code that only .NET4 could handle.

New information returned:

If you recall version 1.0 could not return information about a GPO originating from a different domain and was returned the same as an "Orphaned Gplink".
Version 1.3 can now get that information and also return the originating domain of the GPO.
This means that anything that is reported as "Orphaned Gplink" is now a real orphaned.

To register that new version of get-gplink just run the command ". .\get-gplink_v1.3.ps1"
It will replace the get-gplink you might have been using.

Check the get-help of the function. I have changed a bit the output. Instead of "path", you get "Target" and "GPOGUID" has been changed into "gpoid" and"GPOName" to "DisplayName".This is to aligned with the "set-gplink" and "new-gplink" cmdlets.

  • Get Gplink on the OU "domain controllers" of contoso.com

  • Get gplink on the OU "domain controllers" of domain child.contoso.com

  • Get gplink on Site "Site1"

Bonus:

So, while I was working on improving my code, I spent time looking into what the cmdlet "get-gpinheritance" could do.. and guess what, it can actually do most of what my code does.

I say most of because while it is on average faster than my code (I could probably improve that), it does not give all the information I found relevant to gplinks.

Here is an example:

I have GPOs linked at the OU "Domain Controllers"

As you can see one of them is an Orphaned Gplink and the others are normal GPos.

The command you can use with get-gpinheritance is this one:

And here is the result:

As you can see, we have the order, the Enabled, Enforced, GPOID and name. As expected we have one GPO with no name as it is an Orphaned Gplink

Now here is what you get when you use my code:

You still get the same order, Enforced and Enabled status, but you also get more information:

  1. Instead of a blank name you get "orphaned-gplink". A bit more explicite than a "blank" space
  2. If you look closely at the "GHC_U_Disabled_GPO_Test_1" GPO, you will noticed that it is not a GPO from "contoso.com" but from the domain "child.contoso.com"

The fact that I don't have those information with the get-gpinheritance makes it hard to use that command in some cases.
As an example, I would have found it very useful to help me backup that order information and backup the GPO at the same time, but because I do not have the "originating" domain, I cannot use the output to pipe it to a "backup-gpo" cmdlet.

Also if you look at the command "set-gplink", it can manage linking GPOs from a remote domain by using the switch "domain". The output my code provides can simply be re-used entirely by the "set-gplink".

 

One other thing that you can get with the get-gpinheritance cmdlet is the gpo inheritance (make sense no?)

So the almost same command

will give you this

I have not implemented that in my code and probably won't.

However the get-inheritance cmdlet does not work on the Configuration partition and will not report Site linked GPOs.

 

Conclusion:

Instead of a simple update to my code, this time I will provide you with 2 bits of code:

Get-gplink_V1.3.ps1:

My code that gives a bit more information on the GPO links.

 

Get-gplink_SD.ps1 (SD as in single domain):

A much simpler version of the function that is in fact derived from the get-gpinheritance

 

You can find them here