Get GPO Links With PowerShell


Do you need to get an overview of the GPOs and the GPO links in Active Directory?

Don’t worry! You’re only a few lines of PowerShell away from reaching your goal.

To retrieve all GPOs you can use the following line:

    Get-GPO -All

However, the resulting list of objects does not give away detailed information like GPO links, the enabled state of user/computer settings, etc.

To get the full information you need to generate a GPO report. The report type should be XML to allow you direct access to the GPO properties.

The following code gets an XML report of the first GPO:

    [xml]$Report = (Get-GPO -All)[0] | Get-GPOReport -ReportType XML

As you can see in the output below, you can drill down into the properties of the $Report object to retrieve various information:

PS C:\> $Report
xml                             GPO
---                             ---
version="1.0" encoding="utf-16" GPO

PS C:\> $Report.GPo

xsd                 : http://www.w3.org/2001/XMLSchema
xsi                 : http://www.w3.org/2001/XMLSchema-instance
xmlns               : http://www.microsoft.com/GroupPolicy/Settings
Identifier          : Identifier
Name                : Desktop Configuration
IncludeComments     : true
CreatedTime         : 2020-08-10T15:29:52
ModifiedTime        : 2020-08-10T15:29:52
ReadTime            : 2020-11-17T10:42:00.3701415Z
SecurityDescriptor  : SecurityDescriptor
FilterDataAvailable : true
Computer            : Computer
User                : User
LinksTo             : LinksTo

PS C:\> $Report.GPo.LinksTo
SOMName SOMPath                               Enabled NoOverride
------- -------                               ------- ----------
Denmark gigacorp.local/GigaCorp_Users/Denmark true    false

Obviously, now we have all the information needed to produce a script that lists all links for all GPOs in your domain.

It could look like this:

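    # Requires the GroupPolicy module.
    $GPOs = Get-GPO -All
    $OutputFile = ".\GPOList.txt"
    # Header line; fields are separated by semicolons.
    "Name;LinkPath;ComputerEnabled;UserEnabled;WmiFilter" | Out-File $OutputFile
    $GPOs | ForEach-Object {
        # The XML report exposes the links and the enabled state of the computer/user settings.
        [xml]$Report = $_ | Get-GPOReport -ReportType XML
        $Links = $Report.GPO.LinksTo
        # Write one output line per link of the current GPO.
        ForEach ($Link In $Links) {
            $Output = $Report.GPO.Name + ";" + $Link.SOMPath + ";" + $Report.GPO.Computer.Enabled + ";" + $Report.GPO.User.Enabled + ";" + $_.WmiFilter.Name
            $Output | Out-File $OutputFile -Append
        }
    }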

The output file will list one line for each GPO link, stating the following information:

  • the GPO name
  • the GPO link
  • the computer settings enabled status
  • the user settings enabled status
  • the name of the WMI filter (if one exists)
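
As an added example (not part of the original post), the same report can be turned into one object per link that also carries the link's Enabled and NoOverride values shown in the output above, and that keeps a row for a GPO whose report has no LinksTo element, so unlinked GPOs stay visible in a review. The function name `Get-GpoLinkRow`, the `Linked`/`LinkEnabled`/`Enforced` column names and both sample reports are constructed for illustration; a NoOverride value of true is what the Group Policy console displays as an enforced link.

```powershell
function Get-GpoLinkRow {   # hypothetical helper name, not a GroupPolicy cmdlet
    param([Parameter(Mandatory)][xml]$Report, [string]$WmiFilter)
    $gpo = $Report.GPO
    # LinksTo is missing for an unlinked GPO, a single element for one link and
    # an array for several links; normalise all three cases to an array.
    $links = @($gpo.LinksTo | Where-Object { $null -ne $_ })
    if ($links.Count -eq 0) {
        # Placeholder so an unlinked GPO still yields one row.
        $links = @([pscustomobject]@{ SOMPath = $null; Enabled = $null; NoOverride = $null })
    }
    foreach ($link in $links) {
        [pscustomobject]@{
            Name            = $gpo.Name
            LinkPath        = $link.SOMPath
            Linked          = [bool]$link.SOMPath
            LinkEnabled     = $link.Enabled -eq 'true'      # report values are strings
            Enforced        = $link.NoOverride -eq 'true'
            ComputerEnabled = $gpo.Computer.Enabled -eq 'true'
            UserEnabled     = $gpo.User.Enabled -eq 'true'
            WmiFilter       = $WmiFilter
        }
    }
}

# Constructed sample reports (not real output), shaped like the report on this page.
$ns = 'http://www.microsoft.com/GroupPolicy/Settings'
$linked = @"
<GPO xmlns="$ns"><Name>Desktop Configuration</Name>
  <Computer><Enabled>true</Enabled></Computer><User><Enabled>true</Enabled></User>
  <LinksTo><SOMName>Denmark</SOMName><SOMPath>gigacorp.local/GigaCorp_Users/Denmark</SOMPath>
    <Enabled>true</Enabled><NoOverride>false</NoOverride></LinksTo>
</GPO>
"@
$unlinked = @"
<GPO xmlns="$ns"><Name>Constructed Unlinked GPO</Name>
  <Computer><Enabled>true</Enabled></Computer><User><Enabled>false</Enabled></User>
</GPO>
"@
$linked, $unlinked | ForEach-Object { Get-GpoLinkRow -Report $_ } | Format-Table -AutoSize

# Against a live domain (requires the GroupPolicy module):
# Get-GPO -All | ForEach-Object {
#     Get-GpoLinkRow -Report ($_ | Get-GPOReport -ReportType XML) -WmiFilter $_.WmiFilter.Name
# } | Export-Csv .\GPOLinks.csv -Delimiter ';' -NoTypeInformation
```

Rows with `Linked` false, `LinkEnabled` false, or both `ComputerEnabled` and `UserEnabled` false are the ones to look at first, since those GPOs or links are not applying any settings.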

Adjust the script according to your needs. Have fun!
