Find all OUs where a particular Policy is not linked

This topic contains 6 replies, has 3 voices, and was last updated by  Mark 1 year, 12 months ago.

  • #31151

    CEF Account
    Participant

    Hi, I am trying to find a way to create a list of all OUs where a particular policy is not linked. I can use

    Get-GPOReport -name "NAME OF POLICY" -Domain DOMAIN.NAME -Server SERVER NAME -reportType html -path c:\temp\GPOreportWSUS.html

    which gives me all OUs where the policy is linked. How do I get the output of only OUs where this is not linked to a given OU, called, say, "Clients"?

    Any help will be appreciated.

    Thanks

  • #31153

    Cyril Muffat
    Participant

    First step: recover the policy GUID descriptor

    with Get-GPO -Name -Domain and extract the GUID.

    Then you just have to do a loop with a test like this:

    
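    # GUID of the GPO, as a string
    [string]$id = (Get-GPO -Name "software" -Domain stanadm1.intra | Select-Object Id).Id

    $stringtest = ""

    # Walk every OU in the domain and keep those whose direct links do not include the GPO
    Get-ADOrganizationalUnit -SearchBase "dc=stanadm1,dc=intra" -Filter * | ForEach-Object {
        # LinkedGroupPolicyObjects holds the DNs of directly linked GPOs; each DN contains the GPO GUID
        [string]$stringtest = ($_.LinkedGroupPolicyObjects)

        if ($stringtest -notlike "*$id*") {
            Add-Content -Path $env:USERPROFILE\desktop\notlinked.txt -Value $_.DistinguishedName
        }
    }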
    
  • #31156

    Mark
    Participant

    Are you looking for OUs where the GPO is not directly linked or OUs where the GPO is not applied?

    Keep in mind that GPOs can be indirectly applied to OUs through inheritance from parent OUs.

    Such inheritance will NOT show up in the LinkedGroupPolicyUnits attribute of the OU.

  • #31161

    CEF Account
    Participant

    If we have the following hierarchy:
    DOMAIN
      REGION1
        COUNTRY1
          SERVERS
          CLIENTS
      REGION2
        COUNTRY2
          SERVERS
          CLIENTS
        COUNTRY3
          SERVERS
          CLIENTS

    I am trying to find a way to see if a particular policy is not linked to "CLIENTS" OU under each "COUNTRY"

    Get-GPOReport -name "NAME OF POLICY" -Domain DOMAIN.NAME -Server SERVER NAME -reportType html -path c:\temp\GPOreport.html

    gives me a list in the form:

    Location  Enforced  Link Status  Path
    CLIENTS   No        Enabled      DOMAIN/REGION1/COUNTRY1/CLIENTS
    CLIENTS   No        Enabled      DOMAIN/REGION1/COUNTRY2/CLIENTS
    CLIENTS   No        Enabled      DOMAIN/REGION1/COUNTRY3/CLIENTS
    .
    .

    I want to create a list of locations where it is not linked (or applied)

  • #31166

    CEF Account
    Participant

    OUs where GPO is not directly linked (or applied if that )

  • #31169

    CEF Account
    Participant

    Cyril, thanks, it provides what is required, but it lists all OUs where it is not applied. Could this be modified somehow to include only a named OU, for example, for every OU called "Clients", list the ones where it is not applied?

  • #31170

    Mark
    Participant

    Just change the Get-ADOrganizationalUnit command

    Get-ADOrganizationalUnit -SearchBase "dc=stanadm1,dc=intra" -Filter {name -eq "Clients"}
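
Added example, not part of the original thread or written by any of its participants: it combines the name filter above with the inheritance point raised earlier, reporting for each OU called "Clients" whether the GPO is linked directly, reaches the OU only through a parent, or has no link at all. The function name Get-GpoCoverage is hypothetical, the GPO name and domain are the sample values used in the thread, and the RSAT ActiveDirectory and GroupPolicy modules are assumed to be installed.

```powershell
# Added example (not from the thread). Get-GpoCoverage is a hypothetical helper name.
# Reports link state only; security filtering and WMI filters are not evaluated.
Import-Module ActiveDirectory, GroupPolicy

function Get-GpoCoverage {
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        [Parameter(Mandatory)] [string] $Domain,      # DNS name, e.g. stanadm1.intra
        [Parameter(Mandatory)] [string] $SearchBase,  # e.g. dc=stanadm1,dc=intra
        [string] $OuName = 'Clients'
    )

    $gpoId = (Get-GPO -Name $GpoName -Domain $Domain).Id   # [guid]

    Get-ADOrganizationalUnit -Server $Domain -SearchBase $SearchBase -Filter "Name -eq '$OuName'" |
        ForEach-Object {
            $inh = Get-GPInheritance -Target $_.DistinguishedName -Domain $Domain

            # GpoLinks          = links set on this OU itself (enabled or disabled)
            # InheritedGpoLinks = links in effect for this OU, including those from parents
            $direct    = $inh.GpoLinks          | Where-Object { $_.GpoId -eq $gpoId }
            $effective = $inh.InheritedGpoLinks | Where-Object { $_.GpoId -eq $gpoId -and $_.Enabled }

            $state = if ($direct -and $direct.Enabled) { 'Direct' }
                     elseif ($effective)               { 'Inherited' }
                     elseif ($direct)                  { 'DirectLinkDisabled' }
                     else                              { 'NoLink' }

            [pscustomobject]@{
                OU                 = $_.DistinguishedName
                State              = $state
                LinkedAt           = ($effective | Select-Object -First 1).Target
                Enforced           = [bool]($effective | Select-Object -First 1).Enforced
                InheritanceBlocked = $inh.GpoInheritanceBlocked
            }
        }
}

# OUs named "Clients" that the GPO does not reach at all, directly or through a parent
Get-GpoCoverage -GpoName 'software' -Domain 'stanadm1.intra' -SearchBase 'dc=stanadm1,dc=intra' |
    Where-Object { $_.State -in 'NoLink', 'DirectLinkDisabled' } |
    Format-Table -AutoSize
```

An OU with InheritanceBlocked set to True and State NoLink is the case a check of direct links alone cannot explain: the GPO may be linked on a parent and still not reach that OU.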
