Question : How do I enumerate GPOs linked to an OU in Active Directory?

How would I find a computer object in AD, determine the computer object's OU, and enumerate the GPOs that are specifically linked to that OU?

I received an audit script request from Management that I've been able to translate into the following request.
"Write a script that can do the following:
1.  Search AD for a computer object
2.  Identify the OU of the computer object
3.  Enumerate the GPOs linked to the identified OU
4.  Determine the Global Group(s) designated in the security filter of the GPO
5.  Verify that the members of the Administrator group belong to one of the identified Global Groups"

This was a fairly liberal translation and is significantly less ambiguous than the original request.  Steps 1 and 2 are fairly simplistic by my standards, as well as step 5.  It is those pesky steps 3 and 4 that have me browsing the web, watching webcasts, and finally pandering to those who have more scripting mojo than myself.

Simply put, how do I use a computer object's ADsPath to query AD to find GPOs linked to the computer object's OU?  I'm only interested in the GPOs linked directly to the OU and none of the GPOs linked higher up in AD.  Thanks!

Answer : How do I enumerate GPOs linked to an OU in Active Directory?

Not pretty or robust but gets the job done.  Give the VBScript the DN of the OU you need to check.  Enclose it in quotes if it has spaces.  Outputs a comma-delimited list of the GPO name, the GUID, and shows whether the link is active.  
strOU = WScript.Arguments(0)	' DN of the OU enclosed in quotes

' Configure ADODB ADsDSO connection
'
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Open "Provider=ADsDSOObject;"
Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection
objCommand.Properties("Page Size") = 3000

' Find the OU (base-scope search rooted at the DN given on the command line;
' the ADO LDAP dialect is <base>;filter;attributes;scope)
'
objCommand.CommandText = _
    "<LDAP://" & strOU & ">;(objectClass=organizationalUnit)" & _
        ";gpLink,distinguishedName;base"
Set objRecordSet = objCommand.Execute

strGpLinks = objRecordSet.Fields("gpLink").Value
' gpLink is Null (or a single space) when no GPO is linked to the OU
If IsNull(strGpLinks) Then strGpLinks = ""
strGpLinks = Trim(strGpLinks)
intCnt = 0

' Parse the gpLink: [LDAP://cn={GUID},cn=policies,...;options][...]
'
Do Until strGpLinks = ""
	i = InStr(strGpLinks, "]")
	strGpoDn = Mid(strGpLinks, 2, i - 2) 'DN for LDAP query
	strGpLinks = Mid(strGpLinks, i + 1) 'strip it off the gpLink string

	' Use the DN to find the GPO object
	'
	objCommand.CommandText = "<" & Mid(strGpoDn, 1, Len(strGpoDn) - 2) & ">;" & _
		"(objectClass=groupPolicyContainer);displayName;base"
	Set objRecordSet = objCommand.Execute
	strGPOName = objRecordSet.Fields("displayName").Value
	strGPOGuid = Mid(strGpoDn, 11, 38)
	' Link options are flags: bit 0 set = link disabled, bit 1 set = enforced,
	' so 0 and 2 are both active links
	If (CInt(Right(strGpoDn, 1)) And 1) = 0 Then
		strGpoLinked = "*Linked*"
	Else
		strGpoLinked = "unlinked"
	End If

	WScript.Echo Chr(34) & strGPOName & Chr(34) & "," & strGpoLinked & "," & strGPOGuid
	intCnt = intCnt + 1
Loop
WScript.Echo intCnt
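
The gpLink parsing that the answer's script performs, as an added PowerShell example that is not part of the original answer: it derives the parent OU from a computer DN (steps 1 and 2 of the question) and decodes each link's options value as flags, so an enforced link is not reported as disabled in an audit. The function names Get-ParentDn and ConvertFrom-GpLink, and the sample DNs and GUIDs, are constructed for illustration.

```powershell
# Added example; the function names and sample data are hypothetical.
function Get-ParentDn {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Drop the first RDN; a comma escaped as "\," belongs to the object name.
    $DistinguishedName -replace '^(?:\\.|[^,\\])+,', ''
}

function ConvertFrom-GpLink {
    param([AllowNull()][AllowEmptyString()][string]$GpLink)

    # An OU with no linked GPOs has no gpLink value, or a single space.
    if ([string]::IsNullOrWhiteSpace($GpLink)) { return }

    # Each entry looks like [LDAP://cn={GUID},cn=policies,cn=system,DC=...;options]
    $pattern = '\[LDAP://(?<dn>cn=(?<guid>\{[0-9A-Fa-f-]{36}\}),[^;\]]+);(?<opt>\d+)\]'
    foreach ($m in [regex]::Matches($GpLink, $pattern, 'IgnoreCase')) {
        $opt = [int]$m.Groups['opt'].Value
        [pscustomobject]@{
            Guid     = $m.Groups['guid'].Value
            GpoDn    = $m.Groups['dn'].Value
            Options  = $opt
            Enabled  = -not ($opt -band 1)    # bit 0 set = link disabled
            Enforced = [bool]($opt -band 2)   # bit 1 set = link enforced
        }
    }
}

# Constructed sample values (not from a real directory).
$computerDn = 'CN=WKS\, 01,OU=Workstations,OU=Sites,DC=example,DC=com'
$policies   = 'cn=policies,cn=system,DC=example,DC=com'
$gpLink     = "[LDAP://cn={11111111-1111-1111-1111-111111111111},$policies;0]" +
              "[LDAP://cn={22222222-2222-2222-2222-222222222222},$policies;2]" +
              "[LDAP://cn={33333333-3333-3333-3333-333333333333},$policies;1]"

# Against a live domain with the ActiveDirectory module, the value would come from:
#   (Get-ADOrganizationalUnit -Identity $ouDn -Properties gPLink).gPLink
$ouDn = Get-ParentDn $computerDn
"Computer OU: $ouDn"
ConvertFrom-GpLink $gpLink | Format-Table Guid, Options, Enabled, Enforced
```

With the sample value, the link with options 2 is listed as enabled and enforced, and only the link with options 1 is listed as disabled.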