{"id":54423,"date":"2009-02-10T21:08:00","date_gmt":"2009-02-10T21:08:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2009\/02\/10\/hey-scripting-guy-how-can-get-a-list-of-all-my-orphaned-group-policy-objects\/"},"modified":"2009-02-10T21:08:00","modified_gmt":"2009-02-10T21:08:00","slug":"hey-scripting-guy-how-can-get-a-list-of-all-my-orphaned-group-policy-objects","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/hey-scripting-guy-how-can-get-a-list-of-all-my-orphaned-group-policy-objects\/","title":{"rendered":"Hey, Scripting Guy! How Can Get a List of All My Orphaned Group Policy Objects?"},"content":{"rendered":"

\"Hey,<\/h2>\n

Hey, Scripting Guy! I have a problem. I have been elected, given the honor, granted the opportunity to excel (whatever management euphemism you wish to use to describe giving me more work) to clean up our Group Policy strategy. The problem is that the previous Group Policy administrator had no strategy. As a result there are dozens of Group Policy objects (GPOs) that go nowhere. I mean it is like a visit to the Winchester Mystery House<\/a> in San Jose, California. You know, that ghost house that has all the hallways that dead end into walls and stuff? As a result, the prospect of a cleanup operation scares me. My manager is not lying; it is an opportunity to excel, but at the same it is a bigger opportunity to fail. What I need to start off with is a list of all orphaned GPOs. Can you hook me up with a script?<\/p>\n

– JP<\/p>\n

\"Spacer\"\"Hey,<\/p>\n

Hi JP,<\/p>\n

You know Plato’s theory of forms comes to mind here. Perhaps the GPO you see is but the shadow of a real GPO. The real GPOs are the ones that are linked to objects in Active Directory and that have security filters applied to them. If this is true, all we need to do, according to Plato, is write a script that finds GPOs that are not linked anywhere.<\/p>\n\n<\/thead>\n\n\n
\n

This week is Group Policy week. We will spend the week looking at some of the things you can do using Windows PowerShell when you have access to the COM object that ships with the Group Policy Management Console. There are some good VBScripts that illustrate working with Group Policy in the Script Center Script Repository<\/a>, and in the Community-Submitted Scripts Center<\/a>. You can also download a collection of sample Group Policy management scripts<\/a>.<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

<\/div>\n

As it turns out, we already have a script that does that very thing. I originally wrote it for the Windows Server 2008 Resource Kit<\/a>, but I think it will serve your purposes perfectly. It is a little long (ok, it is very long), but we will focus our time on the more salient portions of this fine script. To see how to use the script, open Windows PowerShell and type the following command.<\/p>\n

FindUnlinkedGPOs.ps1 -help<\/pre>\n
The FindUnlinkedGPOs.ps1<\/b> script is seen here.<\/p>\n
FindUnlinkedGPOs.ps1<\/b><\/p>\n
param(
      $domain = $env:userDNSdomain,
      [switch]$query,
      [switch]$help,
      [switch]$examples,
      [switch]$min,
      [switch]$full
      ) #end param<\/p>\n
# Begin Functions<\/p>\n
function Get-HelpTopic()
{
$descriptionText= `
@”
NAME: FindUnlinkedGPOs.ps1
DESCRIPTION: Finds GPOs that are not linked 
anywhere in the domain. The domain can be 
specified, or by default it runs against the
current domain. <\/p>\n
PARAMETERS: 
-domain Domain to query for unlinked GPOs
-query Executes the query
-help prints help description and parameters file
-examples prints only help examples of syntax
-full prints complete help information
-min prints minimal help. Modifies -help<\/p>\n
“@ #end descriptionText<\/p>\n
$examplesText= `
@”<\/p>\n
SYNTAX:
FindUnlinkedGPOs.ps1 <\/p>\n
Displays missing query and calls help<\/p>\n
FindUnlinkedGPOs.ps1 -query<\/p>\n
Displays unlinked GPOs from the current domain<\/p>\n
FindUnlinkedGPOs.ps1  -domain “nwtraders.com”<\/p>\n
Displays unlinked GPOs from the nwtraders.com domain <\/p>\n
FindUnlinkedGPOs.ps1 -help<\/p>\n
Prints the help topic for the script<\/p>\n
FindUnlinkedGPOs.ps1 -help -full<\/p>\n
Prints full help topic for the script<\/p>\n
FindUnlinkedGPOs.ps1 -help -examples<\/p>\n
Prints only the examples for the script<\/p>\n
FindUnlinkedGPOs.ps1 -examples<\/p>\n
Prints only the examples for the script
“@ #end examplesText<\/p>\n
$remarks = `

REMARKS
     For more information, type: $($MyInvocation.ScriptName) -help -full
” #end remarks<\/p>\n
  if($examples) { $examplesText ; $remarks ; exit }
  if($full)     { $descriptionText; $examplesText ; exit } 
  if($min)      { $descriptionText ; exit }
  $descriptionText; $remarks 
  exit
} #end Get-HelpTopic function<\/p>\n
function New-Line (
                  $strIN,
                  $char = “=”,
                  $sColor = “Yellow”,
                  $uColor = “darkYellow”,
                  [switch]$help
                 )
{
if($help)
  {
    $local:helpText = `
@”
     New-Line accepts inputs: -strIN for input string and -char for seperator
     -sColor for the string color, and -uColor for the underline color. Only 
     the -strIn is required. The others have the following default values:
     -char: =, -sColor: Yellow, -uColor: darkYellow
     Example:
     New-Line -strIN “Hello world”
     New-Line -strIn “Morgen welt” -char “-” -sColor “blue” -uColor “yellow”
     New-Line -help
“@
   $local:helpText
   break
  } #end New-Line help
  
$strLine= $char * $strIn.length
Write-Host -ForegroundColor $sColor $strIN 
Write-Host -ForegroundColor $uColor $strLine
} #end New-Line function<\/p>\n
Function Get-UnlinkedGPO()
{
$gpm=New-Object -ComObject gpmgmt.gpm
$constants = $gpm.GetConstants()
$gpmDomain = $gpm.GetDomain($domain,$null,$constants.useanydc)
$gpmSearchCriteria = $gpm.CreateSearchCriteria()
$gpoList= $gpmDomain.SearchGPOs($gpmSearchCriteria)<\/p>\n
New-Line(“GPO’s that are not linked anywhere in $domain”)
$unlinkedGPO = 0
foreach($objGPO in $gpoList)
{
  $gpmSearchCriteria = $gpm.CreateSearchCriteria()
  $gpmSearchCriteria.add($constants.SearchPropertySomLinks, $constants.SearchOpContains, $objGPO)
  $somList = $gpmDomain.SearchSoms($gpmSearchCriteria)
   if($somList.count -eq 0)
     { 
      “$($objGPO.id) `t $($objGPO.displayname)” 
      $unlinkedGPO +=1
     }
}
if($unlinkedGPO -eq 0) 
  { 
   New-Line -strin “There are no unlinked GPOs in $domain” -scolor green
  }
exit
} #end Get-UnlinkedGPO<\/p>\n
# Entry Point<\/p>\n
if($help)      { Get-HelpTopic }
if($examples)  { Get-HelpTopic }
if($full)      { Get-HelpTopic }
if($query)     { Get-UnlinkedGPO }
if(!$query)    { “Missing query.” ; Get-HelpTopic }
 <\/p>\n
The FindUnlinkedGPOs.ps1<\/b> script begins with the parameters. To create parameters, we use the Param<\/b> statement. To obtain a default value for the domain, we use the environmental variable userDNSdomain<\/b>. We obtain this value from the environmental drive created by the Windows PowerShell environmental provider. Because this is a Windows PowerShell drive, we can actually use the dir<\/b> command, as seen here:<\/p>\n
Dir env:<\/pre>\n
We are using a shortcut to obtain the name of the users domain, and we assign it to the $domain<\/b> variable. The param<\/b> statement is seen here:<\/p>\n
param(\n      $domain = $env:userDNSdomain,\n      [switch]$query,\n      [switch]$help,\n      [switch]$examples,\n      [switch]$min,\n      [switch]$full\n      ) #end param\n<\/pre>\n
The next two functions are Get-HelpTopic<\/b> and New-Line<\/b>. For a good discussion of those two functions refer to yesterday’s “Hey, Scripting Guy!” article<\/a>.<\/p>\n
We now come to the meat of the script, the Get-UnlinkedGPO<\/b> function. The first thing we need to do is to create an instance of the gpmgmt.gpm<\/b> COM object. We use the New-Object<\/b> cmdlet to create the object, and we store it in the $gpm<\/b> variable as seen here:<\/p>\n
$gpm=New-Object -ComObject gpmgmt.gpm<\/pre>\n
Next we need to create the constants. To create the Group Policy constants, we use the GetConstants<\/b> method from the gpmgmt.gpm<\/b> COM object. We store the constants in the $constants<\/b> variable:<\/p>\n
$constants = $gpm.GetConstants()<\/pre>\n
We connect to the domain by using the GetDomain<\/b> method. When we connect to the domain, we need to tell it which domain to connect to, and we also need to tell it how to make the connection. In our example, we give it the domain that is contained in the $domain<\/b> variable, and we use the useanydc<\/b> constant to tell it to connect to any domain controller it can find within our specified domain. We store the domain in the $gpmDomain<\/b> variable:<\/p>\n
$gpmDomain = $gpm.GetDomain($domain,$null,$constants.useanydc)<\/pre>\n
Now we create the search criteria. To do this, we use the CreateSearchCriteria<\/b> method, and we store the returned search criteria object in the $gpmSearchCriteria<\/b> variable. We then call the SearchGPOs<\/b> method and pass it the search criteria. This is seen here:<\/p>\n
$gpmSearchCriteria = $gpm.CreateSearchCriteria()\n $gpoList= $gpmDomain.SearchGPOs($gpmSearchCriteria)\n<\/pre>\n
Now we need to create a new search criteria so that we can look for GPOs that are not linked. In the previous command we used a default search criteria. Now we need to use the Group Policy constants to tell the search criteria exactly what we are looking for. We tell it we are looking for SomLinks<\/b>. We then use the new search criteria and call the SearchSoms<\/b> method. The resultant SolList<\/b> is stored in the $somList<\/b> variable. This is seen here:<\/p>\n
$gpmSearchCriteria = $gpm.CreateSearchCriteria()\n$gpmSearchCriteria.add($constants.SearchPropertySomLinks, $constants.SearchOpContains, $objGPO)\n$somList = $gpmDomain.SearchSoms($gpmSearchCriteria)\n<\/pre>\n
If the $SomList<\/b> variable has a count of 0, it means there were no links found for the GPO. We print out the GPO display name and increment the $unlinkedGPO<\/b> counter variable:<\/p>\n
if($somList.count -eq 0)\n     {\n      \"$($objGPO.id) `t $($objGPO.displayname)\"\n      $unlinkedGPO +=1\n     }\n<\/pre>\n
When we are done, if there are no unlinked GPOs, we display a message in green:<\/p>\n
if($unlinkedGPO -eq 0)\n  {\n   New-Line -strin \"There are no unlinked GPOs in $domain\" -scolor green\n  }\n Exit\n<\/pre>\n
The entry point to the script is used to parse the command-line arguments and to call the appropriate functions:<\/p>\n
if($help)      { Get-HelpTopic }\nif($examples)  { Get-HelpTopic }\nif($full)      { Get-HelpTopic }\nif($query)     { Get-UnlinkedGPO }\nif(!$query)    { \"Missing query.\" ; Get-HelpTopic }\n<\/pre>\n
When the script is run and an unlinked GPO is found, the output is similar to what is shown here:<\/p>\n
\"Image<\/p>\n
 <\/p>\n
Well, JP, I hope I have shown you that you have nothing to be scared of in tackling a Group Policy cleanup project. Using the object model available to us from the Group Policy Management Console, it is rather easy to find orphaned GPOs. Join us tomorrow as Group Policy Week continues.<\/p>\n
 <\/p>\n
Ed Wilson and Craig Liebendorfer, Scripting Guys<\/b><\/p>\n","protected":false},"excerpt":{"rendered":"
Hey, Scripting Guy! I have a problem. I have been elected, given the honor, granted the opportunity to excel (whatever management euphemism you wish to use to describe giving me more work) to clean up our Group Policy strategy. The problem is that the previous Group Policy administrator had no strategy. As a result there […]<\/p>\n","protected":false},"author":595,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[152,3,45],"class_list":["post-54423","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-group-policy","tag-scripting-guy","tag-windows-powershell"],"acf":[],"blog_post_summary":"
Hey, Scripting Guy! I have a problem. I have been elected, given the honor, granted the opportunity to excel (whatever management euphemism you wish to use to describe giving me more work) to clean up our Group Policy strategy. The problem is that the previous Group Policy administrator had no strategy. As a result there […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/54423","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/595"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=54423"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/54423\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=54423"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=54423"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=54423"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}