Research Triangle PowerShell User Group

Guest Post - Evaluating GPO Links

Author: Jeremy Brown

Intro

This past week I needed to find duplicate links across nested OUs within my org. The suspicion was there were a lot of GPOs linked repeatedly that could have been linked once at a higher level. I thought I might make a quick post to talk about how I got the information. Along the way, we can learn a little about Active Directory and GPOs.

What is a GPO

GPOs, otherwise known as Group Policy Objects, apply desired state to domain-joined devices and users. Each Group Policy consists of a Group Policy Object and a Group Policy Template. Every Group Policy you make can apply to a user, a computer, or both. When you make a GPO, the template contains a ‘.POL’ file that imposes the desired state. The .POL file is deployed from SYSVOL. To go along with the template, there is an object that exists within the Active Directory database. The object keeps the policy consistent everywhere an admin links it. That means if I have one Group Policy linked to 3 different OUs in the domain, I have one template and three references to that Group Policy Object.

PowerShell and Group Policy

If you have the ActiveDirectory RSAT installed, you will have a few PowerShell modules installed on that device. Not only do you get the ActiveDirectory module, you also get a GroupPolicy module. We can look at what commands are available in the GroupPolicy module with:

Get-Command -Module GroupPolicy

Here we can see a lot of opportunity to interact with Group Policy; however, most of the options work on the template. What we’re interested in is the object. These cmdlets can create a new GPLink, which would affect a Group Policy object in AD. But how can we count everywhere a single GPO is linked in the domain?

The Script

Here is the script. In this script we’ll take in a DistinguishedName of an Organizational Unit and look for all GPOs linked from that location and further down the tree. We’ll start by getting a list of OUs to search across by issuing:

$OuTree = Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBaseDn -SearchScope Subtree

Next, we need to resolve the Group Policy GUID stored in AD to a friendly name. To do this, we need to get all the GPOs in the domain. We’ll grab those with this command:

$AllGPOs = Get-GPO -All

If we look at a single OU, we can see there is a LinkedGroupPolicyObjects attribute. This is what we’re after. This property will hold a list of all the GPO GUIDs linked at that OU. Once we have those GUIDs, we can do a lookup against our list of all the GPOs and return a friendly name. To accomplish this, I created a couple of private functions to help with the work. The first private function looks like this:

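function GetGpoGuids {
    param (
        $LinkedGpos
    )

    # Matches the GUID portion of a link DN such as cn={GUID},cn=policies,...
    $RegexPattern = '[A-Z0-9]{8}-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{12}'

    # Each item is one GPO link DN; emit only the GUID found in it
    foreach ($link in $LinkedGpos) {
        ($link | Select-String $RegexPattern).Matches.Value
    }
}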

In this function, we take the list of Group Policy links and retrieve just the GUID for each GPO. The LinkedGroupPolicyObjects attribute contains a list of items that look something like this:

cn={316E23FF-9546-46BB-AB06-729FF2058E36},cn=policies,cn=system,DC=your,DC=domain,DC=com

This code will use the regex to strip away everything but the GUID inside the curly braces and return only that as a value.

316E23FF-9546-46BB-AB06-729FF2058E36 

Furthermore, since an OU may have more than one Group Policy linked to it, the attribute may reference more than one Group Policy link. We can just pass all the values in the list, whether that’s 0 or 100, through a foreach loop and output all the GUIDs.

The next private function looks like this:

function GetGpoFromGuid {
    param (
        $GpoGuid,
        $GpoSearchBank
    )
    $GpoSearchBank.Where({$_.Id -eq $GpoGuid})
}

This function will take care of the lookup. Here we will take in two parameters. The first is the GUID of a single GPO link on an OU. The second is the list of Group Policy objects we retrieved earlier. From there, we can take the comprehensive list of all the GPOs and filter it down to a single GPO by looking for a matching GUID. We’ll use that output, the entire GPO, in the main script.
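When a linked GUID has no match in the GPO list, GetGpoFromGuid returns nothing and the link silently drops out of the report. The following added example (not the author's code) does the same parse and lookup but also reports unresolved links; `Resolve-GpoLink`, the second GUID and the GPO name are constructed for illustration.

```powershell
# Constructed sample data; in the real script these come from
# $ou.LinkedGroupPolicyObjects and Get-GPO -All.
$LinkedGpos = @(
    'cn={316E23FF-9546-46BB-AB06-729FF2058E36},cn=policies,cn=system,DC=your,DC=domain,DC=com'
    'cn={0A1B2C3D-1111-2222-3333-444455556666},cn=policies,cn=system,DC=your,DC=domain,DC=com'
)
$AllGPOs = @(
    [PSCustomObject]@{ Id = [guid]'316E23FF-9546-46BB-AB06-729FF2058E36'; DisplayName = 'Workstation Baseline' }
)

function Resolve-GpoLink {   # hypothetical helper name
    param (
        [string[]] $LinkedGpos,
        [object[]] $GpoSearchBank
    )

    # Index the GPO list once by GUID string instead of filtering it per link
    $byId = @{}
    foreach ($gpo in $GpoSearchBank) { $byId[$gpo.Id.ToString()] = $gpo }

    # Only accept a GUID wrapped in the curly braces of the link DN
    $pattern = '\{(?<guid>[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12})\}'

    foreach ($link in $LinkedGpos) {
        if ($link -notmatch $pattern) { continue }   # not a GPO link DN
        $guid = [guid]$Matches['guid']
        $gpo  = $byId[$guid.ToString()]

        [PSCustomObject]@{
            GpoGuid  = $guid
            GpoName  = if ($gpo) { $gpo.DisplayName } else { $null }
            Resolved = [bool]$gpo   # $false: link points at a GPO not in the list
        }
    }
}

Resolve-GpoLink -LinkedGpos $LinkedGpos -GpoSearchBank $AllGPOs
```

Rows with Resolved set to false are worth a look: the link refers to a GPO that the lookup list does not contain.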

Now that we have looked at the private functions, let’s look at the main script.

foreach ($ou in $OuTree) {
    $LinkedGpos = $ou.LinkedGroupPolicyObjects
    $GpoGuids = GetGpoGuids -LinkedGpos $LinkedGpos
    $Gpos = $GpoGuids | ForEach-Object {GetGpoFromGuid -GpoGuid $_ -GpoSearchBank $AllGPOs}

    foreach ($gpo in $Gpos) {
        $Result = [PSCustomObject]@{
            OuName = $ou.Name
            OuDN = $ou.DistinguishedName
            GpoName = $gpo.DisplayName
        }
        $Result
    }
}

The working code is quite short. We’ll take each OU, evaluate it to retrieve the list of GUIDs for all linked GPOs, and return a custom object. The custom object will contain the DN of the OU, the friendly name of the OU, and the friendly name of the GPO. From here, we can store this in a variable and work on exploring afterward. Once I completed the script, I quickly executed the following code from my terminal:

$GpoInfo = .\Get-GpoByOu.ps1 -SearchBaseDn 'OU=foo,DC=domain,DC=com'
$GpoInfo | Export-CSV -Path 'GpoByOu.csv'

Following that, I could start counting duplication by using Group-Object:

$GpoInfo | Group-Object GpoName | Sort-Object Count -Descending

This gives us a count of how many links each GPO has across the OUs in the tree.
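The count alone does not say which links are nested under one another. As an added example (not part of the author's script), the function below takes objects shaped like the script's output and flags links where the same GPO is also linked at an ancestor OU, the case described in the intro. `Find-NestedGpoLink` and the sample rows are constructed for illustration, and the suffix test assumes OU names without escaped commas.

```powershell
# Constructed rows with the same properties the main loop emits
$GpoInfo = @(
    [PSCustomObject]@{ OuName = 'foo';      OuDN = 'OU=foo,DC=domain,DC=com';                   GpoName = 'Baseline' }
    [PSCustomObject]@{ OuName = 'Servers';  OuDN = 'OU=Servers,OU=foo,DC=domain,DC=com';        GpoName = 'Baseline' }
    [PSCustomObject]@{ OuName = 'Web';      OuDN = 'OU=Web,OU=Servers,OU=foo,DC=domain,DC=com'; GpoName = 'Baseline' }
    [PSCustomObject]@{ OuName = 'Servers';  OuDN = 'OU=Servers,OU=foo,DC=domain,DC=com';        GpoName = 'Server Hardening' }
    [PSCustomObject]@{ OuName = 'Desktops'; OuDN = 'OU=Desktops,OU=foo,DC=domain,DC=com';       GpoName = 'Server Hardening' }
)

function Find-NestedGpoLink {   # hypothetical helper name
    param (
        [Parameter(Mandatory)]
        [object[]] $GpoInfo
    )

    foreach ($group in ($GpoInfo | Group-Object GpoName)) {
        # Every OU DN where this GPO is linked
        $linkDns = @($group.Group.OuDN)

        foreach ($row in $group.Group) {
            # An ancestor OU's DN is a proper suffix of this OU's DN, preceded by a comma
            $ancestors = @($linkDns | Where-Object {
                $_ -ne $row.OuDN -and
                $row.OuDN.EndsWith(",$_", [System.StringComparison]::OrdinalIgnoreCase)
            })

            if ($ancestors.Count -gt 0) {
                # The shortest ancestor DN is the highest link in the tree
                $top = $ancestors | Sort-Object Length | Select-Object -First 1
                [PSCustomObject]@{
                    GpoName      = $group.Name
                    LinkedAtOu   = $row.OuDN
                    AlsoLinkedAt = $top
                }
            }
        }
    }
}

Find-NestedGpoLink -GpoInfo $GpoInfo | Format-Table -AutoSize
```

A flagged link is a candidate for review, not proof of redundancy: LinkedGroupPolicyObjects carries no link state, so check whether the link is disabled or enforced and whether inheritance is blocked between the two OUs (Get-GPInheritance reports both) before removing it.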
