Get-GpLink function and GpLink backup

  • Article

Hi all,

Who hasn't been dreaming of a get-gplink cmdlet? How would it be so simple to run a command and get the list of GPOs links to a site, OU or domain DN?

We could be doing so much with a simple "get-gplink".

I recently was at a client where I was performing remediation following a Group Policy Health I did a year ago and where the client had not time to do it himself.
When I left, 12 month ago, I gave him a list of the GPOs that were linked to its domain and the state of the links. But I wasn't able to do it now, as it was done using the Group Policy Health Check tool.

So I took upon myself to create the missing "get-glink" and I am now happy to share it with you.

I have built it so that it produces objects that can be used by the existing cmdlets related to gplink:

  • new-gplink
  • set-gplink
  • remove-gplink

In order to use it, you first have to register it to your environment. You can do this by simply executing the script with no parameter .\get-gplink.ps1

Run the command dir function:\ and verify that get-gplink is registed

 

Listing link GPO on an object:

Running the command get-help get-gplink –detailed will give you details on how to use the command.

Here is what an output looks like:

The same one returned in a table format:

 

Path: returns the DN of the object you run the command against
GPOGUID: returns the GUID of the GPO linked
GPOName: returns the friendly name of the GPO
Enforced: Returns whether the GPO link is enforce or not
Enabled: returns whether the GPO link is enabled or not
Order: return the link order

If the GPOGUID cannot be found in the domain, the GPO name is replaced by "Orphaned GPLink or External GPO". This version of get-gplink does not verify the GUID in other domains of the forest. This will be for a future version. So a unknow GUID can be either an "External GPO" or an "Orphaned GPLINK"

An Orphaned GPLINK is a gplink that is pointing to a missing GPC (group policy container).

This is how it looks like in GPMC:

Exporting to CSV:

Now the nice part about it is that you can simply export the results to a CSV file:

What could you then do with that CSV file…

How about restoring deleted gplinks?

 

Restoring deleted links and link order:

This is what I have exported in my csv:

I now delete my links:

Since I exported the links in the csv file, I can simply run the following command to restore them:

My links have been restored in the proper order and with the proper options:

 

And now the "plat de résistance"…

Group Policy Disaster Recovery:

You got it, this export is actually also a backup of sort.

So with some little PS scripting here is how on top of doing a backup of all you domain gpo, you can do the same with your GPO links.

I won't explain how to use backup-gpo and restore-gpo to backup and restored GPOs in your domain. But simply give you the command that you can add now to be able to simply restore those links:

Get-adobject –filter {(objectclass –eq "domaindns") –or (objectclass –eq "organizationalunit")} | foreach {get-gplink –path $_} | export-csv "gplink.all"

You now have a "backup" of all your domain gplinks.

Limitations:

This is just the first version of get-gplink. I plan you adding other functions such as reporting external linked GPOs and running the command against Sites as well. Stay tune for the updates.

You can find the script here