Get GPO Links With PowerShell


Do you need to get an overview of the GPOs and the GPO links in Active Directory?

Don’t worry! You’re only a few lines of PowerShell away from reaching your goal.

To retrieve all GPOs you can use the following line:

    Get-GPO -All

However, the resulting list of objects does not give away detailed information like GPO links, the enabled state of user/computer settings, etc.

To get the full information you need to generate a GPO report. The report type should be XML, which gives you direct access to the GPO properties.

The following code gets an XML report of the first GPO:

    [xml]$Report = (Get-GPO -All)[0] | Get-GPOReport -ReportType XML

As you can see in the output below, you can drill down in the properties of the $Report object to retrieve various information:

    PS C:\> $Report

    xml                             GPO
    ---                             ---
    version="1.0" encoding="utf-16" GPO

    PS C:\> $Report.GPo

    xsd                 : http://www.w3.org/2001/XMLSchema
    xsi                 : http://www.w3.org/2001/XMLSchema-instance
    xmlns               : http://www.microsoft.com/GroupPolicy/Settings
    Identifier          : Identifier
    Name                : Desktop Configuration
    IncludeComments     : true
    CreatedTime         : 2020-08-10T15:29:52
    ModifiedTime        : 2020-08-10T15:29:52
    ReadTime            : 2020-11-17T10:42:00.3701415Z
    SecurityDescriptor  : SecurityDescriptor
    FilterDataAvailable : true
    Computer            : Computer
    User                : User
    LinksTo             : LinksTo

    PS C:\> $Report.GPo.LinksTo

    SOMName SOMPath                               Enabled NoOverride
    ------- -------                               ------- ----------
    Denmark gigacorp.local/GigaCorp_Users/Denmark true    false

We now have all the information needed to produce a script that lists all links for all GPOs in your domain.

It could look like this:

    # Collect every GPO in the domain
    $GPOs = Get-GPO -All
    $OutputFile = ".\GPOList.txt"
    # Header row for the semicolon-separated output
    "Name;LinkPath;ComputerEnabled;UserEnabled;WmiFilter" | Out-File $OutputFile
    $GPOs | ForEach-Object {
        # The XML report exposes the links and enabled states that Get-GPO does not
        [xml]$Report = $_ | Get-GPOReport -ReportType XML
        $Links = $Report.GPO.LinksTo
        ForEach ($Link In $Links) {
            # $_ is still the GPO object from the pipeline; it carries the WMI filter
            $Output = $Report.GPO.Name + ";" + $Link.SOMPath + ";" + $Report.GPO.Computer.Enabled + ";" + $Report.GPO.User.Enabled + ";" + $_.WmiFilter.Name
            $Output | Out-File $OutputFile -Append
        }
    }

The output file will list one line for each GPO link, stating the following information:

  • the GPO name
  • the GPO link
  • the computer settings enabled status
  • the user settings enabled status
  • the name of the WMI filter (if one exists)

Adjust the script according to your needs. Have fun!
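
An added example, not part of the original post: the same report data emitted as objects, including each link's Enabled and NoOverride values and a row for GPOs that have no link at all, which the script above skips. The function name ConvertTo-GpoLinkRow, the sample reports and the output file name are assumptions made for this example; the WMI filter column is left out because it comes from the Get-GPO object rather than the report.

```powershell
# Added example (not from the original post): one output object per GPO link.
function ConvertTo-GpoLinkRow {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$ReportXml)
    process {
        $gpo = ([xml]$ReportXml).GPO
        # @() normalises zero, one or many <LinksTo> elements to an array.
        $links = @($gpo.LinksTo | Where-Object { $_ })
        if ($links.Count -eq 0) {
            # Placeholder so an unlinked GPO still produces a row.
            $links = @([pscustomobject]@{ SOMPath = $null; Enabled = $null; NoOverride = $null })
        }
        foreach ($link in $links) {
            [pscustomobject]@{
                Name            = $gpo.Name
                Linked          = [bool]$link.SOMPath
                LinkPath        = $link.SOMPath
                LinkEnabled     = $link.Enabled
                Enforced        = $link.NoOverride
                ComputerEnabled = $gpo.Computer.Enabled
                UserEnabled     = $gpo.User.Enabled
            }
        }
    }
}

# Constructed sample reports, trimmed to the elements read above (not real data).
$gpoXml = "<GPO xmlns='http://www.microsoft.com/GroupPolicy/Settings'><Name>{0}</Name>" +
          "<Computer><Enabled>true</Enabled></Computer><User><Enabled>{1}</Enabled></User>{2}</GPO>"
$linkXml = '<LinksTo><SOMName>Denmark</SOMName>' +
           '<SOMPath>gigacorp.local/GigaCorp_Users/Denmark</SOMPath>' +
           '<Enabled>true</Enabled><NoOverride>false</NoOverride></LinksTo>'
$samples = @(
    ($gpoXml -f 'Desktop Configuration', 'true', $linkXml)   # linked
    ($gpoXml -f 'Legacy; Kiosk Policy', 'false', '')         # unlinked, ';' in the name
)

$rows = $samples | ConvertTo-GpoLinkRow
$rows | Format-Table -AutoSize
# Export-Csv quotes each field, so the ';' in a GPO name cannot shift columns.
$rows | Export-Csv -Path .\GPOLinks.csv -NoTypeInformation -Delimiter ';'

# Against a live domain (requires the GroupPolicy module):
# Get-GPO -All | Get-GPOReport -ReportType XML | ConvertTo-GpoLinkRow
```

Rows with Linked set to False are GPOs that apply nowhere, and rows with Enforced set to true are links that override lower-level policy, so both are worth reviewing when auditing the domain.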
