Do you need to get an overview of the GPOs and the GPO links in Active Directory?
Don’t worry! You’re only a few lines of PowerShell away from reaching your goal.
To retrieve all GPOs you can use the following line:
Get-GPO -All
However, the resulting list of objects does not give away detailed information like GPO links, the enabled state of user/computer settings, etc.
To get the full information you need to generate a GPO report. The report type should be XML to allow you direct access to the GPO properties.
The following code gets an XML report of the first GPO:
[xml]$Report = (Get-GPO -All)[0] | Get-GPOReport -ReportType XML
As you can see in the output below, you can drill down into the properties of the $Report object to retrieve various information:
PS C:\> $Report

xml                             GPO
---                             ---
version="1.0" encoding="utf-16" GPO

PS C:\> $Report.GPo

xsd                 : http://www.w3.org/2001/XMLSchema
xsi                 : http://www.w3.org/2001/XMLSchema-instance
xmlns               : http://www.microsoft.com/GroupPolicy/Settings
Identifier          : Identifier
Name                : Desktop Configuration
IncludeComments     : true
CreatedTime         : 2020-08-10T15:29:52
ModifiedTime        : 2020-08-10T15:29:52
ReadTime            : 2020-11-17T10:42:00.3701415Z
SecurityDescriptor  : SecurityDescriptor
FilterDataAvailable : true
Computer            : Computer
User                : User
LinksTo             : LinksTo

PS C:\> $Report.GPo.LinksTo

SOMName SOMPath                               Enabled NoOverride
------- -------                               ------- ----------
Denmark gigacorp.local/GigaCorp_Users/Denmark true    false
Now we have all the information needed to produce a script that lists all links for all GPOs in your domain.
It could look like this:
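# Requires the GroupPolicy module (installed with the Group Policy Management tools)
$GPOs = Get-GPO -All
$OutputFile = ".\GPOList.txt"
# Header row of the semicolon-separated output file
"Name;LinkPath;ComputerEnabled;UserEnabled;WmiFilter" | Out-File $OutputFile
$GPOs | ForEach-Object {
    # The XML report exposes the links and enabled states that Get-GPO alone does not
    [xml]$Report = $_ | Get-GPOReport -ReportType XML
    $Links = $Report.GPO.LinksTo
    # One output line per GPO link
    ForEach ($Link In $Links) {
        $Output = $Report.GPO.Name + ";" + $Link.SOMPath + ";" + $Report.GPO.Computer.Enabled + ";" + $Report.GPO.User.Enabled + ";" + $_.WmiFilter.Name
        $Output | Out-File $OutputFile -Append
    }
}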
The output file will list one line for each GPO link, stating the following information:
- the GPO name
- the GPO link
- the computer settings enabled status
- the user settings enabled status
- the name of the WMI filter (if one exists)
Adjust the script according to your needs. Have fun!
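As an added example (not part of the original post), the function below goes one step beyond the listing script and flags link states that usually deserve a review: unlinked GPOs, disabled links, enforced links (NoOverride) and GPOs with both the computer and user settings disabled. The function name, the finding labels and the sample reports are constructed for illustration; the XML fields are the ones shown in the report output above.

```powershell
# Added example: flag GPO link states worth reviewing, based on the XML report.
# Get-GpoLinkFinding and the Finding labels are hypothetical names chosen here.
function Get-GpoLinkFinding {
    param([Parameter(Mandatory)][xml]$Report)

    $gpo   = $Report.GPO
    # LinksTo may be absent, a single element or several: normalise to an array
    $links = @($gpo.LinksTo | Where-Object { $null -ne $_ })

    if ($links.Count -eq 0) {
        [pscustomobject]@{ Name = $gpo.Name; LinkPath = ''; Finding = 'Unlinked' }
    }
    foreach ($link in $links) {
        if ($link.Enabled -ne 'true') {     # link exists but the GPO is not applied there
            [pscustomobject]@{ Name = $gpo.Name; LinkPath = $link.SOMPath; Finding = 'LinkDisabled' }
        }
        if ($link.NoOverride -eq 'true') {  # enforced link
            [pscustomobject]@{ Name = $gpo.Name; LinkPath = $link.SOMPath; Finding = 'Enforced' }
        }
    }
    if ($gpo.Computer.Enabled -ne 'true' -and $gpo.User.Enabled -ne 'true') {
        [pscustomobject]@{ Name = $gpo.Name; LinkPath = ''; Finding = 'AllSettingsDisabled' }
    }
}

# Constructed sample reports (not real data) so the function runs without a domain.
# Only the first GPO name and link path are taken from the output shown above.
$ns = 'http://www.microsoft.com/GroupPolicy/Settings'
$on = '<Computer><Enabled>true</Enabled></Computer><User><Enabled>true</Enabled></User>'
$samples = @(
    "<GPO xmlns='$ns'><Name>Desktop Configuration</Name>$on<LinksTo><SOMPath>gigacorp.local/GigaCorp_Users/Denmark</SOMPath><Enabled>true</Enabled><NoOverride>false</NoOverride></LinksTo></GPO>"
    "<GPO xmlns='$ns'><Name>Sample Baseline</Name>$on<LinksTo><SOMPath>example.test/Servers</SOMPath><Enabled>false</Enabled><NoOverride>true</NoOverride></LinksTo></GPO>"
    "<GPO xmlns='$ns'><Name>Sample Old Policy</Name>$on</GPO>"
)
$samples | ForEach-Object { Get-GpoLinkFinding -Report $_ } | Format-Table -AutoSize

# Against a live domain (requires the GroupPolicy module):
# Get-GPO -All | ForEach-Object { Get-GpoLinkFinding -Report ($_ | Get-GPOReport -ReportType XML) }
```

With the constructed samples, the first GPO produces no finding, the second is reported as LinkDisabled and Enforced, and the third as Unlinked.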