Have you ever wanted to identify all of the Group Policy Objects (GPOs) in your domain that are not currently linked to any Organizational Units (OUs)? This was the task I was given today by my project manager. He wanted me to identify any of our GPOs that were unlinked. We follow a certain naming scheme, so that is how we identify ours. Well, PowerShell made it so easy that I obtained ALL of the GPOs in the domain that were unlinked, so I sent the list to our Active Directory (AD) team lead. PowerShell rocks!
I knew there was a GPO module in Windows, so I started my search there. After looking at the module, I focused on the Get-GPO cmdlet for my start. Using Get-Help I was able to obtain all of the GPOs. Unfortunately, the cmdlet didn’t help me find out whether it was linked. So, I focused on Get-GPOReport, which did actually report on the details of the GPO. I ran it on a couple of GPOs, one linked and one unlinked, to get a better idea of what I was looking for in the report. What I noticed was that there was a ‘LinksTo’ node in the XML that indicates where the GPO is linked. For the one where it wasn’t linked, that node was not present. Sure, I could have done XML mojo, but sometimes the simplest way is the best way. In my case I just decided to test to determine where that string was not present in the report.
[codesyntax lang=”powershell” lines=”normal”]
Import-Module GroupPolicy

# Print the name of every GPO whose XML report contains no <LinksTo> node
Get-GPO -All | ForEach-Object {
    If ( $_ | Get-GPOReport -ReportType XML | Select-String -NotMatch "<LinksTo>" ) {
        Write-Host $_.DisplayName
    }
}
[/codesyntax]
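The "XML mojo" alternative mentioned above, as an added example that is not the author's code: it parses the report instead of string-matching, and also shows GPOs whose only links are disabled, which the string test counts as linked. The helper name `Get-GpoLinkSummary` and the sample reports are constructed here; `SOMPath` and `Enabled` are the child elements of `LinksTo` in a GPO XML report.

```powershell
# Added example: read the <LinksTo> nodes of a GPO XML report as XML.
# Get-GpoLinkSummary is a hypothetical helper name, not a GroupPolicy cmdlet.
function Get-GpoLinkSummary {
    param([Parameter(Mandatory)][string]$ReportXml)

    $gpo = ([xml]$ReportXml).GPO
    # No <LinksTo> node gives $null here; the filter turns that into an empty array.
    $links   = @($gpo.LinksTo | Where-Object { $_ })
    $enabled = @($links | Where-Object { $_.Enabled -eq 'true' })

    [pscustomobject]@{
        DisplayName  = $gpo.Name
        LinkCount    = $links.Count
        EnabledLinks = $enabled.Count
        LinkedTo     = ($links | ForEach-Object { $_.SOMPath }) -join '; '
        Unlinked     = ($links.Count -eq 0)
    }
}

# Constructed sample reports, trimmed to the nodes used above, so this runs without a domain.
$samples = @(
@'
<GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings">
  <Name>Sample-Linked</Name>
  <LinksTo><SOMName>Workstations</SOMName><SOMPath>example.test/Workstations</SOMPath><Enabled>true</Enabled></LinksTo>
  <LinksTo><SOMName>Servers</SOMName><SOMPath>example.test/Servers</SOMPath><Enabled>false</Enabled></LinksTo>
</GPO>
'@,
@'
<GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings">
  <Name>Sample-DisabledLinkOnly</Name>
  <LinksTo><SOMName>Lab</SOMName><SOMPath>example.test/Lab</SOMPath><Enabled>false</Enabled></LinksTo>
</GPO>
'@,
@'
<GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings">
  <Name>Sample-Unlinked</Name>
</GPO>
'@
)

$samples | ForEach-Object { Get-GpoLinkSummary -ReportXml $_ } | Format-Table -AutoSize

# Against a live domain (requires the GroupPolicy module):
# Get-GPO -All | ForEach-Object { Get-GpoLinkSummary (Get-GPOReport -Guid $_.Id -ReportType Xml) } |
#     Where-Object { $_.Unlinked -or $_.EnabledLinks -eq 0 }
```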