Locating All of the Unlinked GPOs in Your Domain

Have you ever wanted to identify all of the Group Policy Objects (GPOs) in your domain that are not currently linked to any Organizational Units (OU)? This was the task I was given today by my project manager. He wanted me to identify any of our GPOs that were unlinked. We follow a certain naming scheme so that is how we identify ours. Well PowerShell made it so easy that I obtained ALL of the GPOs in the domain that were unlinked so I sent the list to our Active Directory (AD) team lead. PowerShell rocks!

I knew there was a GPO module in Windows so I started my search there. After looking at the module I focused on the Get-GPO cmdlet for my start. Using Get-Help I was able to obtain all of the GPOs. Unfortunately, the cmdlet didn’t help me find out whether it was linked . So, I focused on Get-GPOReport which did actually report on the details of the GPO. I ran it on a couple of GPOs, one linked and one unlinked, to get a better idea of what I was looking for in the report. What I noticed was that there was a ‘LinksTo’ node in the XML that indicates where the GPO is linked. For the one where it wasn’t linked that node was not present. Sure, I could have done XML ┬ámojo but sometimes the simplest way is the best way. In my case I just decided to test ┬áto determine where that string was not present in the report.

[codesyntax lang=”powershell” lines=”normal”]

Import-Module GroupPolicy
Get-GPO -All | 
    %{ 
       If ( $_ | Get-GPOReport -ReportType XML | Select-String -NotMatch "<LinksTo>" )
        {
        Write-Host $_.DisplayName
        }
    }

[/codesyntax]