Get-GpLink function and GpLink backup
Hi all,
Who hasn't been dreaming of a get-gplink cmdlet? Wouldn't it be simple to run one command and get the list of GPO links for a site, OU or domain DN?
We could be doing so much with a simple "get-gplink".
I was recently at a client where I was performing remediation following a Group Policy Health I did a year ago, and where the client had not had time to do it himself.
When I left, 12 months ago, I gave him a list of the GPOs that were linked to his domain and the state of the links. But I wasn't able to do it now, as it was done using the Group Policy Health Check tool.
So I took it upon myself to create the missing "get-gplink" and I am now happy to share it with you.
I have built it so that it produces objects that can be used by the existing cmdlets related to gplink:
- new-gplink
- set-gplink
- remove-gplink
In order to use it, you first have to register it in your environment. You can do this by simply executing the script with no parameters: .\get-gplink.ps1
Run the command dir function:\ and verify that get-gplink is registered.
Listing linked GPOs on an object:
Running the command get-help get-gplink -detailed will give you details on how to use the command.
Here is what an output looks like:
The same one returned in a table format:
Path: returns the DN of the object you run the command against
GPOGUID: returns the GUID of the GPO linked
GPOName: returns the friendly name of the GPO
Enforced: returns whether the GPO link is enforced or not
Enabled: returns whether the GPO link is enabled or not
Order: returns the link order
If the GPOGUID cannot be found in the domain, the GPO name is replaced by "Orphaned GPLink or External GPO". This version of get-gplink does not verify the GUID in other domains of the forest. This will be for a future version. So an unknown GUID can be either an "External GPO" or an "Orphaned GPLINK".
An Orphaned GPLINK is a gplink that is pointing to a missing GPC (group policy container).
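To make the fields above concrete, here is an added example (not the author's script, which is not shown on this page) that parses a raw gPLink attribute value into objects with the same six properties, including the orphaned/external fallback. The function name ConvertFrom-GpLinkAttribute, the $KnownGpo lookup table and the sample values are hypothetical; the table stands in for the GPO lookup in the current domain.

```powershell
# Added example: parse a raw gPLink value into Get-GpLink-style objects.
# ConvertFrom-GpLinkAttribute and $KnownGpo are hypothetical names.
function ConvertFrom-GpLinkAttribute {
    param(
        [Parameter(Mandatory)] [string] $Path,    # DN of the OU/domain carrying gPLink
        [Parameter(Mandatory)] [string] $GpLink,  # raw gPLink attribute value
        [hashtable] $KnownGpo = @{}               # GPO GUID -> friendly name (this domain)
    )
    # Each link is stored as [LDAP://cn={GUID},cn=policies,...;<options>]
    $pattern = '\[LDAP://cn=\{(?<guid>[0-9a-f-]{36})\}[^;\]]*;(?<opt>\d+)\]'
    $links   = [regex]::Matches($GpLink, $pattern, 'IgnoreCase')
    $total   = $links.Count
    for ($i = 0; $i -lt $total; $i++) {
        $guid = $links[$i].Groups['guid'].Value.ToLower()
        $opt  = [int]$links[$i].Groups['opt'].Value
        # A GUID with no matching GPO in this domain is orphaned or external
        $name = 'Orphaned GPLink or External GPO'
        if ($KnownGpo.ContainsKey($guid)) { $name = $KnownGpo[$guid] }
        [pscustomobject]@{
            Path     = $Path
            GPOGUID  = $guid
            GPOName  = $name
            Enforced = [bool]($opt -band 2)        # option bit 2: link enforced
            Enabled  = -not [bool]($opt -band 1)   # option bit 1: link disabled
            Order    = $total - $i                 # last entry in gPLink is link order 1
        }
    }
}

# Constructed sample data (not from a real domain)
$known = @{ '11111111-1111-1111-1111-111111111111' = 'Workstation Baseline' }
$raw   = '[LDAP://cn={22222222-2222-2222-2222-222222222222},cn=policies,cn=system,DC=example,DC=test;0]' +
         '[LDAP://cn={11111111-1111-1111-1111-111111111111},cn=policies,cn=system,DC=example,DC=test;2]'

ConvertFrom-GpLinkAttribute -Path 'OU=Workstations,DC=example,DC=test' -GpLink $raw -KnownGpo $known |
    Sort-Object Order | Format-Table -AutoSize
```

Links that come back with the fallback name are worth reviewing by hand, since a link to a GUID nobody in the domain recognises is either stale or points at a GPO managed elsewhere.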
This is what an orphaned GPLINK looks like in GPMC:
Exporting to CSV:
Now the nice part about it is that you can simply export the results to a CSV file:
What could you then do with that CSV file…
How about restoring deleted gplinks?
Restoring deleted links and link order:
This is what I have exported in my csv:
I now delete my links:
Since I exported the links in the csv file, I can simply run the following command to restore them:
My links have been restored in the proper order and with the proper options:
And now the "plat de résistance"…
Group Policy Disaster Recovery:
You got it, this export is actually also a backup of sorts.
So with a little PS scripting, here is how, on top of doing a backup of all your domain GPOs, you can do the same with your GPO links.
I won't explain how to use backup-gpo and restore-gpo to back up and restore GPOs in your domain. I will simply give you the command that you can now add to be able to restore those links:
Get-adobject -filter {(objectclass -eq "domaindns") -or (objectclass -eq "organizationalunit")} | foreach {get-gplink -path $_} | export-csv "gplink.all"
You now have a "backup" of all your domain gplinks.
Limitations:
This is just the first version of get-gplink. I plan on adding other functions such as reporting external linked GPOs and running the command against Sites as well. Stay tuned for the updates.
You can find the script here