Get GPO Links With PowerShell

Do you need to get an overview of the GPO’s and the GPO links in Active Directory?

Don’t worry! You’re only a few lines of PowerShell away from reaching your goal.

To retrieve all GPO’s you can use the following line:

Get-GPO -All

However, the resulting list of objects does not give away detailed information like GPO links, the enabled state of user/computer settings, etc.

To get the full information you need to generate a GPO report. The report type should be XML to allow you direct access to the GPO properties.

The following code gets an XML report of the first GPO:

[xml]$Report = (Get-GPO -All)[0] | Get-GPOReport -ReportType XM

[xml]$Report = (Get-GPO -All)[0] | Get-GPOReport -ReportType XML

As you can see in the below output you can drill down in the properties of the $Report object to retrieve various information:

PS C:\> $Report
xml                             GPO
---                             ---
version="1.0" encoding="utf-16" GPO

PS C:\> $Report.GPo

xsd                 : http://www.w3.org/2001/XMLSchema
xsi                 : http://www.w3.org/2001/XMLSchema-instance
xmlns               : http://www.microsoft.com/GroupPolicy/Settings
Identifier          : Identifier
Name                : Desktop Configuration
IncludeComments     : true
CreatedTime         : 2020-08-10T15:29:52
ModifiedTime        : 2020-08-10T15:29:52
ReadTime            : 2020-11-17T10:42:00.3701415Z
SecurityDescriptor  : SecurityDescriptor
FilterDataAvailable : true
Computer            : Computer
User                : User
LinksTo             : LinksTo

PS C:\> $Report.GPo.LinksTo
SOMName SOMPath                               Enabled NoOverride
------- -------                               ------- ----------
Denmark gigacorp.local/GigaCorp_Users/Denmark true    false

Obviously, now we have all the information needed to produce a script that lists all links for all GPO’s in your domain.

It could look like this:

    $GPOs = Get-GPO -All
    $OutputFile = ".\GPOList.txt"
    "Name;LinkPath;ComputerEnabled;UserEnabled;WmiFilter" | Out-File $OutputFile
    $GPOs | % {
     [xml]$Report = $_ | Get-GPOReport -ReportType XML
     $Links = $Report.GPO.LinksTo
     ForEach($Link In $Links){
     $Output = $Report.GPO.Name + ";" + $Link.SOMPath + ";" + $Report.GPO.Computer.Enabled + ";" + $Report.GPO.User.Enabled + ";" + $_.WmiFilter.Name
     $Output | Out-File $OutputFile -Append
     }
    }

The output file will list one line for each GPO link, stating the following information:

the GPO name
the GPO link
the computer settings enabled status
the user settings enabled status
the name of the WMI filter (if one exists)

Adjust the script according to your needs. Have fun!

Did you like this post? Maybe your friends will too!