Auditing GPO Link Enabled and Enforced with PowerShell

In my last post, I discussed auditing for Group Policy inheritance blocking. Today, we will take a look at auditing to see which GPO links have the link disabled and which are enforced. As with the previous post, this script requires Windows 7 or Server 2008 R2 for the Group Policy cmdlets. I will also once again be using the Quest AD cmdlets, making them a requirement as well. They are available as part of the Quest ActiveRoles Management Shell for Active Directory at

Before beginning, make sure the Quest tools are loaded and that you’ve imported the Group Policy cmdlets.

Add-PSSnapin Quest.ActiveRoles.ADManagement
Import-Module Grouppolicy

GPOs are linked to OUs. Each GPO link can be disabled. In the Group Policy Management Console, you can do this by right clicking the linked GPO and un-checking Link Enabled. Similarly, you can enforce a GPO link by right clicking and checking enforced. Any given OU can have multiple GPOs linked to it and any given GPO can be linked to multiple OUs. I decided to approach this starting with looking at all the OUs. So, first let’s get every OU in the domain.

Get-QADObject type organizationalunit sizelimit 0DontUseDefaultIncludedProperties

Get-QADObject, as the name implies, returns Active Directory objects. by specifying a type, we limit the returned objects to just OUs. Setting a size limit of 0 will cause all matching objects to be returned, not just the first 1000. The –Don’tUseDefaultIncludedProperties speeds the search up since we are not interested in most of the default properties of the OU.

We then want to pipe the OUs to Get-GPInheritance. Why? Because Get-GPInheritance returns an object with a property listing all GPOs linked to that OU. A look at Get-Help Get-GPInheritance shows us this:

Detailed Description

The Get-GPInheritance cmdlet returns information about Group Policy inheritance for a specified domain or OU.

This information includes the following:
— A list of GPOs that are linked directly to the location (the GpoLinks property).

So, essentially, we find every OU in the domain and for each OU find all the linked GPOs:

%{ (Get-GPInheritance Target $_).GPOLinks }

If you are unfamiliar with %{} and $_, this is a simplified way of constructing a foreach loop in the pipeline. Technically, % is an alias for ForEach-Object. So,  %{} means take each object passed on the pipeline and execute the code between the {}’s. The $_ represents the item inside the foreach loop. In this example, $_ will be each OU passed through the pipeline as it is run through the loop. The .GPOLinks returns just the GPOLinks property.

Next, we need to determine what information we want from each GPO contained in the various GPOLinks properties. Personally, I found DisplayName, Enabled, Enforced and Target to be the most useful.

select DisplayName,Enabled,Enforced,Target

Finally, let’s take all of this information and put it in a CSV file.

 Export-csv “GPOLinkInfo.csv” NoTypeInformation

And, to put it all together on one line:

Get-QADObject type organizationalunit sizelimit 0 DontUseDefaultIncludedProperties | %{ (Get-GPInheritance Target $_).GPOLinks } | select DisplayName,Enabled,Enforced,Target | Export-csv “GPOLinkInfo".csv” NoTypeInformation

Note that this line does not check GPOs linked to the root of the domain. To audit the root of the domain, try this:

(get-gpinheritance Target "dc=contoso,dc=com").GPOLinks | select DisplayName,Enabled,Enforced,Target

As always, questions, suggestions and feedback is welcome.




One thought on “Auditing GPO Link Enabled and Enforced with PowerShell

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s