
List all GPOs attached to parent OU and sub OUs

Question

Friday, February 14, 2014 8:56 PM

I am trying to find a way to use PowerShell to output a listing of all the GPOs attached to a specific OU and its child OUs.

I am able to find the parent OU and child OUs using the following code (from this forum):

$searcher = [adsisearcher]"(&(objectClass=organizationalunit))"
# uncomment if you want to start the search from another root, the default search starts on the root domain
$searcher.SearchRoot = [adsi]"LDAP://ou=parent1, dc=test,dc=domain,dc=com"

$searcher.findall()

The output of the above code is:

Path                                                               Properties                                                 
                                                                                                   
LDAP://OU=parent1,DC=test,DC=domain,DC=com        {usnchanged, objectclass, instancetype, objectcategory...} 
LDAP://OU=child1,OU=parent1,DC=test,DC=domain,DC=com  {usnchanged, usncreated, instancetype, objectcategory...}

My thought process is to feed this information into a command that will list all GPOs for each OU. I've looked through the Get-GPO command and do not see where I can enter an OU. I used to use WinBatch to do everything, so coding is not foreign to me, just the commands that I can use with PowerShell. Any help is greatly appreciated.

All replies (3)

Friday, February 14, 2014 9:01 PM ✅Answered

Hi,

There isn't a parameter on Get-GPO to specify OUs, but this script in the repository looks promising:

http://gallery.technet.microsoft.com/scriptcenter/Determine-What-Active-3a37b0c5

Don't retire TechNet! - (Don't give up yet - 12,575+ strong and growing)


Monday, February 17, 2014 9:45 AM ✅Answered

Hi gjulian12,

The script below may also be helpful to get the GPOs from an OU; it filters the OUs named test and gets the linked GPOs:

# List OUs whose name contains "test" and add a column with the display names of their linked GPOs
Get-ADOrganizationalUnit -Filter {name -like "*test*"} -Properties name,distinguishedName,gpLink,gPOptions |
    Select-Object -Property *,@{
        label = 'FriendlyGPODisplayName'
        expression = { $_.LinkedGroupPolicyObjects | ForEach-Object { ([adsi]"LDAP://$_").displayName -join '' } }
    }

I hope this helps.


Friday, January 11, 2019 2:22 PM

You can't specify an OU on a Get-GPO because GPOs are not stored that way.

A GPO is stored as an object within the domain, and then is linked to one (or more) specific OUs where it is applied (and/or inherited). As a result, what you need to do is look at the OU in question, and read the links. Then, follow the links back to the policy store to see what the actual policies in each case really are.

That said, I would post an example of how, but the search for that is what brought me to this page today.
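
The approach described in the replies above (read each OU's links, then follow them back to the GPO objects), as an added example that is not part of the original thread. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed and reuses the question's sample OU path; the function names `ConvertFrom-GpLink` and `Get-OuGpoLink` are hypothetical.

```powershell
# Added example: requires the RSAT ActiveDirectory and GroupPolicy modules.
Import-Module ActiveDirectory, GroupPolicy

function ConvertFrom-GpLink {
    # Parse a raw gPLink value, e.g.
    # "[LDAP://cn={GUID},cn=policies,cn=system,DC=test,DC=domain,DC=com;0]",
    # into one object per link. Option flags: bit 0 = link disabled, bit 1 = enforced.
    param([string]$GpLink)
    $pattern = '\[LDAP://cn=\{(?<guid>[0-9a-f-]{36})\}[^;\]]*;(?<opt>\d+)\]'
    foreach ($m in [regex]::Matches($GpLink, $pattern, 'IgnoreCase')) {
        $opt = [int]$m.Groups['opt'].Value
        [pscustomobject]@{
            Guid     = [guid]$m.Groups['guid'].Value
            Enabled  = -not ($opt -band 1)
            Enforced = [bool]($opt -band 2)
        }
    }
}

function Get-OuGpoLink {
    # Walk the OU and every child OU, emitting one row per GPO link.
    param([Parameter(Mandatory)][string]$SearchBase)
    Get-ADOrganizationalUnit -SearchBase $SearchBase -SearchScope Subtree -Filter * `
            -Properties gPLink, gPOptions |
        ForEach-Object {
            $ou = $_
            foreach ($link in (ConvertFrom-GpLink -GpLink $ou.gPLink)) {
                # A link can outlive its GPO or point to another domain,
                # so a failed lookup is reported in the output rather than fatal.
                $gpo = Get-GPO -Guid $link.Guid -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    OU               = $ou.DistinguishedName
                    BlockInheritance = [bool]($ou.gPOptions -band 1)
                    GpoName          = if ($gpo) { $gpo.DisplayName } else { '<not found in current domain>' }
                    GpoGuid          = $link.Guid
                    LinkEnabled      = $link.Enabled
                    Enforced         = $link.Enforced
                    GpoStatus        = if ($gpo) { $gpo.GpoStatus } else { $null }
                }
            }
        }
}

# Sample OU path taken from the question; replace with your own.
Get-OuGpoLink -SearchBase 'OU=parent1,DC=test,DC=domain,DC=com' | Format-Table -AutoSize
```

Rows marked `<not found in current domain>` are worth reviewing as stale or cross-domain links. `Get-GPInheritance -Target <OU DN>` additionally reports links inherited from above the OU, which this listing does not include.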