October 22, 2015 at 5:35 am

Hi, I am trying to find a way to create a list of all OUs where a particular policy is not linked. I can use

Get-GPOReport -name "NAME OF POLICY" -Domain DOMAIN.NAME -Server SERVER NAME -reportType html -path c:\temp\GPOreportWSUS.html

which gives me all OUs where the policy is linked. How do I get the output of only OUs where this is not linked to a given OU, called, say "Clients"?

Any help will be appreciated.

Thanks

October 22, 2015 at 6:02 am

First step: recover the policy GUID descriptor

with Get-GPO -name -domain and extract the GUID.

Then you just have to do a loop with a test like this:


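# Requires the ActiveDirectory and GroupPolicy modules
Import-Module ActiveDirectory, GroupPolicy

# GUID of the GPO, as a string
[string]$id = (Get-GPO -Name "software" -Domain stanadm1.intra).Id

Get-ADOrganizationalUnit -SearchBase "dc=stanadm1,dc=intra" -Filter * | ForEach-Object {
    # LinkedGroupPolicyObjects holds the DNs of the GPOs linked directly to this OU;
    # the cast joins them into one string
    [string]$stringtest = $_.LinkedGroupPolicyObjects

    # No linked DN contains the GUID: the GPO is not linked directly to this OU
    if ($stringtest -notlike "*$id*") {
        Add-Content -Path $env:USERPROFILE\desktop\notlinked.txt -Value $_.DistinguishedName
    }
}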

October 22, 2015 at 6:38 am

Are you looking for OUs where the GPO is not directly linked or OUs where the GPO is not applied?

Keep in mind that GPOs are indirectly applied to OUs through inheritance from parent OUs.

Such inheritance will NOT show up in the LinkedGroupPolicyUnits attribute of the OU.

October 22, 2015 at 6:58 am

If we have the following hierarchy:
DOMAIN
    REGION1
        COUNTRY1
            SERVERS
            CLIENTS
    REGION2
        COUNTRY2
            SERVERS
            CLIENTS
        COUNTRY3
            SERVERS
            CLIENTS

I am trying to find a way to see if a particular policy is not linked to "CLIENTS" OU under each "COUNTRY"

Get-GPOReport -name "NAME OF POLICY" -Domain DOMAIN.NAME -Server SERVER NAME -reportType html -path c:\temp\GPOreport.html

gives me a list in the form:

Location  Enforced  Link Status  Path
CLIENTS   No        Enabled      DOMAIN/REGION1/COUNTRY1/CLIENTS
CLIENTS   No        Enabled      DOMAIN/REGION1/COUNTRY2/CLIENTS
CLIENTS   No        Enabled      DOMAIN/REGION1/COUNTRY3/CLIENTS
.
.

I want to create a list of locations where it is not linked (or applied)

October 22, 2015 at 7:10 am

OUs where GPO is not directly linked (or applied if that )

October 22, 2015 at 7:23 am

Cyril, thanks, it provides what is required, but it lists all OUs where it is not applied. Could this be modified somehow to include only a named OU? For example, for every OU called "Clients", list the ones where it is not applied.

October 22, 2015 at 7:38 am

Just change the Get-ADOrganizationalUnit command:

Get-ADOrganizationalUnit -SearchBase "dc=stanadm1,dc=intra" -Filter {name -eq "Clients"}
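
An added example, not part of any post in this thread: the loop above only sees direct links, so this sketch uses Get-GPInheritance to report, for each OU named "Clients", both whether the GPO is linked directly and whether it reaches the OU through inheritance. The GPO name is the placeholder from the question, the domain values are the ones from the sample code above, and the CSV path is an assumption.

```powershell
# Added example, not code from the thread.
Import-Module ActiveDirectory, GroupPolicy

$GpoName    = 'NAME OF POLICY'         # placeholder from the question
$Domain     = 'stanadm1.intra'         # domain used in the thread's sample code
$SearchBase = 'dc=stanadm1,dc=intra'
$OuName     = 'Clients'
$OutFile    = "$env:USERPROFILE\desktop\gpo-coverage.csv"   # assumption

$gpoId = (Get-GPO -Name $GpoName -Domain $Domain).Id        # System.Guid

$report = Get-ADOrganizationalUnit -SearchBase $SearchBase -Filter "Name -eq '$OuName'" |
    ForEach-Object {
        $inh = Get-GPInheritance -Target $_.DistinguishedName -Domain $Domain

        # GpoLinks: links set directly on this OU.
        $direct = $inh.GpoLinks | Where-Object { $_.GpoId -eq $gpoId }

        # InheritedGpoLinks: the GPOs applied to this location when Group Policy
        # is processed, which includes links inherited from parent containers.
        $effective = $inh.InheritedGpoLinks | Where-Object { $_.GpoId -eq $gpoId }

        [pscustomobject]@{
            OU                 = $_.DistinguishedName
            DirectlyLinked     = [bool]$direct
            DirectLinkEnabled  = [bool]($direct | Where-Object { $_.Enabled })
            InEffectiveList    = [bool]$effective
            InheritanceBlocked = $inh.GpoInheritanceBlocked
        }
    }

# OUs with no direct link (what the loop in the thread reports)
$report | Where-Object { -not $_.DirectlyLinked } | Format-Table -AutoSize

# OUs the GPO does not reach at all, directly or by inheritance:
# these are the real coverage gaps. Security and WMI filtering on the
# GPO are not evaluated here, only the links.
$report | Where-Object { -not $_.InEffectiveList } |
    Export-Csv -Path $OutFile -NoTypeInformation
```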