
Enumerate the GPOs scoped to an Organizational Unit with PowerShell

This one popped up last week in my PowerShell class at Naval Station Norfolk. The goal was to provide an OU and get back a list of the GPOs that are applied to that specific OU. The help file has the details on how to use it. I did a little extra work on creating an advanced object for the pipeline. I'll be teaching the logic behind it when I return to Norfolk for part II of this 10-day class. The BEGIN block is where the magic is at. It is a bit overkill for such a simple task. For those of you who have taken my classes, you know that I like to keep things simple when I introduce new concepts.


#Requires -Modules ActiveDirectory, GroupPolicy

Function Get-ScopedGPO
{
<#
.SYNOPSIS
Returns the GPOs scoped to an Organizational Unit

.DESCRIPTION
Returns the GPOs scoped to an Organizational Unit.  This list does not include
GPOs from parent containers.

.PARAMETER OU
The OU or OUs that you want to get the currently scoped GPOs for.

.EXAMPLE
Get-ScopedGPO -OU Clients

OU                                        GPOs
--                                        ----
OU=Clients,DC=TechTour,DC=com             {@{GPO=GPO2}, @{GPO=GPO3}}

Returns the GPOs that are scoped to the Clients OU.

.EXAMPLE
"Clients", "Domain Controllers" | Get-ScopedGPO

OU                                        GPOs
--                                        ----
OU=Clients,DC=TechTour,DC=com             {@{GPO=GPO2}, @{GPO=GPO3}}
OU=Domain Controllers,DC=TechTour,DC=com  {@{GPO=Default Domain Controllers Policy}}

Returns the GPOs that are scoped to both the Clients and the
Domain Controllers OUs.

.EXAMPLE
Get-ScopedGPO -OU Clients | Select-Object -ExpandProperty GPOs

GPO
---
GPO2
GPO3

Shows the GPOs scoped to the Clients OU.  This is useful when more than one
GPO is scoped to an OU.

.NOTES
===============================================================================
== Cmdlet: Get-ScopedGPO                                                     ==
== Author: Jason A. Yoder                                                    ==
== Company: MCTExpert of Arizona                                             ==
== Copyright: All rights reserved.                                           ==
== Version: 1.0.0.0                                                          ==
== Legal: The user assumes all responsibility and liability for the usage of ==
== this PowerShell code.  MCTExpert of Arizona, Its officers, shareholders,  ==
== owners, and their relatives are not liable for any damages.  As with all  ==
== code, review it and understand it prior to usage.  It is recommended that ==
== this code be fully tested and validated in a test environment prior to    ==
== usage in a production environment.                                        ==
==                                                                           ==
== Does this code make changes: NO                                           ==
===============================================================================
#>
[CmdletBinding()]
Param (
    [Parameter(Mandatory=$true,
               ValueFromPipeline=$true)]
    [String[]]$OU
)

    BEGIN
    {
        Function New-GPO-Item
        {
            # An instance of this object is created for each GPO
            # scoped to the OU.
            $Obj = New-Object -TypeName PSObject -Property @{
                "GPO" = $null
            }
            Write-Output $Obj
        } # END: Function New-GPO-Item

        Function New-GPO-Object
        {
            # This is the final object sent to the pipeline. It contains
            # a property to hold the OU.  The second property, GPOs,
            # contains one object from New-GPO-Item for each individual
            # GPO scoped to the OU.
            $Obj = New-Object -TypeName PSObject -Property @{
                "OU" = $null
                "GPOs" = $null
            }
            $Obj.psobject.typenames.insert(0, 'GPOScope');
            Write-Output $Obj
        } # END: Function New-GPO-Object

    } # END: BEGIN BLOCK

    PROCESS
    {
        ForEach ($Item in $OU)
        {
            # Create a new GPO object for each OU that is being examined.
            $Obj = New-GPO-Object

            # Assign the distinguished name (DN) of the OU to the object's
            # OU property.  This assumes the name matches exactly one OU;
            # the AD filter parser resolves $Item inside the single quotes.
            $Obj.OU = Get-ADOrganizationalUnit -Filter 'name -eq $Item' |
                Select-Object -ExpandProperty DistinguishedName
            Write-Verbose "Gathering information for OU $($Obj.OU)"

            # Dynamic array to hold all GPOs scoped for this OU.
            # GpoLinks holds only the links set directly on the OU.
            $GPOTemp = @()
            ForEach ($GPO in (Get-GPInheritance -Target $Obj.OU |
                Select-Object -ExpandProperty GpoLinks |
                Select-Object -ExpandProperty DisplayName))
            {
                $GPOItem = New-GPO-Item
                $GPOItem.GPO = $GPO
                $GPOTemp += $GPOItem
            }
            $Obj.GPOs = $GPOTemp
            Write-Output $Obj
        } # END: ForEach ($Item in $OU)
    } # END: PROCESS BLOCK

    END {}
}

#"Clients", "Domain Controllers" | Get-ScopedGPO
#Get-ScopedGPO -OU Clients | Select-Object -ExpandProperty GPOs
Get-Help Get-ScopedGPO -Full
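
Get-ScopedGPO keeps only each link's DisplayName, but the objects in GpoLinks and InheritedGpoLinks also carry Enabled, Enforced, Order and Target, which decide whether and in what order a linked GPO actually applies. The block below is an added example, not part of the original post: Expand-GpoScope is a hypothetical helper that flattens a Get-GPInheritance result into one row per link, direct and inherited. The sample object is constructed to mimic that output so the block runs without a domain, and it assumes Target and Path are both distinguished names.

```powershell
function Expand-GpoScope {
    # Hypothetical helper (added example): one row per GPO link on an OU.
    [CmdletBinding()]
    param (
        # Object shaped like Get-GPInheritance output.
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [psobject[]]$Som
    )
    process {
        foreach ($s in $Som) {
            $links = @()
            # Links set directly on the container. A disabled link is still
            # listed here although its GPO is not applied through it.
            foreach ($l in $s.GpoLinks) { $links += $l }
            # Links from parent containers: Target is the DN where the
            # link lives, so it differs from this container's Path.
            foreach ($l in $s.InheritedGpoLinks) {
                if ($l.Target -ne $s.Path) { $links += $l }
            }
            foreach ($l in $links) {
                [pscustomobject]@{
                    OU                 = $s.Path
                    GPO                = $l.DisplayName
                    LinkedAt           = $l.Target
                    Direct             = ($l.Target -eq $s.Path)
                    Enabled            = $l.Enabled
                    Enforced           = $l.Enforced
                    Order              = $l.Order
                    InheritanceBlocked = $s.GpoInheritanceBlocked
                }
            }
        }
    }
}

# Constructed sample with the same property names as Get-GPInheritance output.
$dom = 'DC=TechTour,DC=com'
$ou  = "OU=Clients,$dom"
$sample = [pscustomobject]@{
    Path = $ou; GpoInheritanceBlocked = $false
    GpoLinks = @(
        [pscustomobject]@{ DisplayName = 'GPO2'; Target = $ou; Enabled = $true;  Enforced = $false; Order = 1 }
        [pscustomobject]@{ DisplayName = 'GPO3'; Target = $ou; Enabled = $false; Enforced = $false; Order = 2 }
    )
    InheritedGpoLinks = @(
        [pscustomobject]@{ DisplayName = 'GPO2'; Target = $ou; Enabled = $true; Enforced = $false; Order = 1 }
        [pscustomobject]@{ DisplayName = 'Default Domain Policy'; Target = $dom; Enabled = $true; Enforced = $false; Order = 2 }
    )
}
$sample | Expand-GpoScope | Format-Table GPO, Direct, Enabled, Enforced, Order -AutoSize
```

On a domain-joined host with the GroupPolicy module, pipe real data instead: `Get-GPInheritance -Target 'OU=Clients,DC=TechTour,DC=com' | Expand-GpoScope`.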

 
