{"id":54433,"date":"2009-02-09T21:05:00","date_gmt":"2009-02-09T21:05:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2009\/02\/09\/hey-scripting-guy-how-can-i-list-all-group-policy-objects-in-a-domain\/"},"modified":"2009-02-09T21:05:00","modified_gmt":"2009-02-09T21:05:00","slug":"hey-scripting-guy-how-can-i-list-all-group-policy-objects-in-a-domain","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/hey-scripting-guy-how-can-i-list-all-group-policy-objects-in-a-domain\/","title":{"rendered":"Hey, Scripting Guy! How Can I List All Group Policy Objects in a Domain?"},"content":{"rendered":"

\"Hey, <\/h2>\n

Hey, Scripting Guy! Do you ever wonder how some people ever get their jobs? We had a guy who was hired to organize our Group Policy implementation. The person was a loser. I mean, I do not think he could even spell Group Policy. Needless to say, the whole thing has morphed into some kind of Salvador Dali Space Elephant<\/a> that bears little resemblance to the original plan. I know you wrote a book on Active Directory design a few years ago, and I would love to hire you to come straighten this mess out, but I guess that is out of the question. Can I at least get you to write me a script that will tell me what Group Policy objects we have?<\/p>\n

– LW<\/p>\n

\"Spacer\"\"Hey,<\/p>\n

Hi LW,<\/p>\n

So you are the one that bought a copy of that book. Thanks. I wrote a series of Windows PowerShell scripts for the Windows Server 2008 Resource Kit<\/a>; 10 of the scripts were for Group Policy. In Windows Server 2008 R2, there is a series of Group Policy cmdlets that provide for native Windows PowerShell support. We can also use the COM object that ships with the Group Policy Management Console. The cool thing about this is that the Group Policy Management Console is included in the Microsoft Remote Server Administration Tools (RSAT Tools) for Windows Vista<\/a>. You can also download it for other versions of the Windows operating system<\/a>. On Windows Server 2008, you gain access to the Group Policy Management Console when you install the Group Policy Management feature from within Server Manager. <\/p>\n\n<\/thead>\n\n\n
\n

This week is Group Policy week. We will spend the week looking at some of the things you can do using Windows PowerShell when you have access to the COM object that ships with the Group Policy Management Console. There are some good VBScripts that illustrate working with Group Policy in the Script Center Script Repository<\/a>, and in theCommunity-Submitted Scripts Center<\/a>. You can also download a collection of sample Group Policy management scripts<\/a>.<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

<\/div>\n

The ListAllGPOs.ps1<\/b> script will list all Group Policy Objects (GPOs) in your current domain. You can query for a list of all GPOs in your current domain by running the script with the -q<\/b> switch. If you use -q<\/b> and -v<\/b>, you will get a GPO verbose listing, which includes detailed information about the Group Policy objects. Help with the syntax can be obtained by using -h<\/b>, -e<\/b>, and -f<\/b>. You can type the full switch names if you wish, but there is no real reason to do so unless you just feel the need to practice your typing skills. Here are a few examples of the syntax for launching thescript: <\/p>\n

ListAllGPOs.ps1 -q\nListAllGPOs.ps1 -q -v\nListAllGPOs.ps1 -h\nListAllGPOs.ps1 -e\nListAllGPOs.ps1 -f\n<\/pre>\n
The complete ListALlGPOs.ps1<\/b> script is seen here:<\/p>\n
ListAllGPOs.ps1<\/b><\/p>\n
param(\n      $domain = $env:userDNSdomain,\n      [switch]$query,\n      [switch]$verbose,\n      [switch]$help,\n      [switch]$examples,\n      [switch]$min,\n      [switch]$full\n      ) #end param\n# Begin Functions\nfunction Get-HelpTopic()\n{\n $descriptionText= `\n@\"\n NAME: ListAllGPOs.ps1\n DESCRIPTION:\n Returns detailed information about all GPOs in\n the selected domain\n PARAMETERS:\n -domain domain to return GPO information\n -query perform the query. By default returns name\n  and guid of GPO\n -verbose returns extended GPO information\n -help prints help description and parameters file\n -examples prints only help examples of syntax\n -full prints complete help information\n -min prints minimal help. Modifies -help\n\"@ #end descriptionText\n$examplesText= `\n@\"\n SYNTAX:\n ListAllGPOs.ps1\n Displays an error missing query, and calls help\n ListAllGPOs.ps1  -query\n Lists name and guid of the GPOs in current domain\n ListAllGPOs.ps1 -query -domain \"nwtraders.com\" -verbose\n Lists detailed GPO information about the GPOs in\n nwtraders.com domain\n ListAllGPOs.ps1 -help\n Prints the help topic for the script\n ListAllGPOs.ps1 -help -full\n Prints full help topic for the script\n ListAllGPOs.ps1 -help -examples\n Prints only the examples for the script\n ListAllGPOs.ps1 -examples\n Prints only the examples for the script\n\"@ #end examplesText\n$remarks = `\n\"\nREMARKS\n     For more information, type: $($MyInvocation.ScriptName) -help -full\n\" #end remarks\n  if($examples) { $examplesText ; $remarks ; exit }\n  if($full)     { $descriptionText; $examplesText ; exit }\n  if($min)      { $descriptionText ; exit }\n  $descriptionText; $remarks\n  exit\n} #end Get-HelpTopic function\nfunction New-Line (\n                  $strIN,\n                  $char = \"=\",\n                  $sColor = \"Yellow\",\n                  $uColor = \"darkYellow\",\n                  [switch]$help\n                 )\n{\n if($help)\n  {\n    $local:helpText = `\n@\"\n     New-Line accepts inputs: -strIN for input string and -char for seperator\n     -sColor for the string color, and -uColor for the underline color. Only\n     the -strIn is required. The others have the following default values:\n     -char: =, -sColor: Yellow, -uColor: darkYellow\n     Example:\n     New-Line -strIN \"Hello world\"\n     New-Line -strIn \"Morgen welt\" -char \"-\" -sColor \"blue\" -uColor \"yellow\"\n     New-Line -help\n\"@\n   $local:helpText\n   break\n  } #end New-Line help\n $strLine= $char * $strIn.length\n Write-Host -ForegroundColor $sColor $strIN\n Write-Host -ForegroundColor $uColor $strLine\n} #end New-Line function\nFunction Get-GPO()\n{\n New-Line(\"Listing GPOs from $domain\")\n $gpm=New-Object -ComObject gpmgmt.gpm\n $constants = $gpm.GetConstants()\n $gpmDomain = $gpm.GetDomain($domain,$null,$constants.useanydc)\n $gpmSearchCriteria = $gpm.CreateSearchCriteria()\n $gpo=$gpmdomain.SearchGPOs($gpmSearchCriteria)\n if($verbose)\n  {\n   $gpo\n  }\n ELSE\n  {\n   foreach($ogpo in $gpo)\n    {\n     $hash += @{ $ogpo.ID = $ogpo.DisplayName }\n    }\n     format-table -inputobject $hash -autosize\n  } #end else\n exit\n} #end Get-GPO\n# Entry Point\nif($help)      { Get-HelpTopic }\nif($examples)  { Get-HelpTopic }\nif($full)      { Get-HelpTopic }\nif($query)     { Get-GPO }\nif(!$query)    { \"Missing query\" ; Get-HelpTopic }\n<\/pre>\n
The first thing we do in the ListAllGPOs.ps1<\/b> script is define some command-line parameters. The command-line parameters are used to control the way the script behaves at run time. They are very similar to the VBScript command-line arguments<\/a>. If you want to supply a default value for a command-line parameter, you make a value assignment when you specify the variable that will be used to hold the parameter. If you want to make a switched parameter, you use the [switch]<\/b> type alias to convert the parameter from a normal parameter to a switched parameter. A switched parameter is one that is a Boolean value (yes\/no, true\/false), and it only does something when it is present. If the switched parameter is not present on the command line, it is ignored. You do not supply a value when you use a switched parameter, because its very presence changes the behavior of the script: <\/p>\n
param(\n      $domain = $env:userDNSdomain,\n      [switch]$query,\n      [switch]$verbose,\n      [switch]$help,\n      [switch]$examples,\n      [switch]$min,\n      [switch]$full\n      ) #end param\n<\/pre>\n
The first function we come to in the script is the Get-HelpTopic<\/b> function. The Get-HelpTopic<\/b> function consumes most of the lines in the script. It is made up of a series of Here-Strings<\/b>. Here-Strings<\/a> allow you to type information without worrying about things such as escaping special characters. It is a what-you-see-is-what-you-get (WYSIWYG<\/a>) sort of thing that makes it perfect for developing command-line Help for your script. The Get-HelpTopic<\/b> function is essentially three large Here-Strings<\/b>, each of which is assigned to a separate variable. The contents of a particular variable are displayed based upon which switched parameter is supplied from the command line. For more information about this technique, you can refer to the Microsoft Press book, Windows PowerShell Scripting Guide<\/a>. The Get-HelpTopic<\/b> function is seen here, with most of the Here-Strings<\/b> edited out (this will allow you to study the way the function works, without the distraction of dozens of lines of text; the complete function is, of course, shown in the program listing at the beginning of this article):<\/p>\n
function Get-HelpTopic()\n{\n $descriptionText= `\n@\"\n NAME: ListAllGPOs.ps1\n DESCRIPTION:\n\"@\n$examplesText= `\n@\"\n SYNTAX:\n ListAllGPOs.ps1\n\"@\n$remarks = `\n\"\nREMARKS\n\"@\nif($examples) { $examplesText ; $remarks ; exit }\n  if($full)     { $descriptionText; $examplesText ; exit }\n  if($min)      { $descriptionText ; exit }\n  $descriptionText; $remarks\n  exit\n} #end Get-HelpTopic function\n<\/pre>\n
The New-Line<\/b> function is based upon a function I wrote years ago in VBScript. I have since modified it nearly a dozen times, but the essential capabilities remain the same. It takes the length of a line of text, and creates a line of text that is exactly the same length as the data that is being highlighted via the underline. It is a wonderful function (if I do say so myself), and I used it so much, it is included in my Windows PowerShell profile. The working code for the function (without the associated Help text) is seen here: <\/p>\n
$strLine= $char * $strIn.length\n Write-Host -ForegroundColor $sColor $strIN\n Write-Host -ForegroundColor $uColor $strLine\n<\/pre>\n
The essential functionality of the script is contained in the Get-GPO<\/b> function. To work with Group Policy, we need to create an instance of the gpmgmt.gpm<\/b> COM object. To do this, we use the New-Object<\/b> cmdlet with the -ComObject<\/b> parameter as seen here: <\/p>\n
$gpm=New-Object -ComObject gpmgmt.gpm<\/pre>\n
Next we need to retrieve the constants we will use when we connect to the domain. To obtain the constants, all we need to do is use the GetConstants<\/b> method as seen here:<\/p>\n
$constants = $gpm.GetConstants()<\/pre>\n
Now we need to connect to the domain. To do this, we use the GetDomain<\/b> method and pass it the domain name, which we have stored in the $domain<\/b> variable, and we use the constant, which allows us to connect to any domain controller:<\/p>\n
$gpmDomain = $gpm.GetDomain($domain,$null,$constants.useanydc)<\/pre>\n
Now we need to create the search criteria. To do this, we use the CreateSearchCriteria<\/b> method. The returned SearchCriteria<\/b> object is stored in the $gpmSearchCriteria<\/b> variable and passed to the SearchGPO<\/b> method as seen here:<\/p>\n
$gpmSearchCriteria = $gpm.CreateSearchCriteria()\n$gpo=$gpmdomain.SearchGPOs($gpmSearchCriteria)\n<\/pre>\n
When we have the collection of Group Policy objects, we now look to see if the script was run with the -verbose<\/b> parameter. If it was, we display all the information about the Group Policy object. If the script was not run with the -verbose<\/b> parameter, we display only the name of the GPO. The code that makes this determination is seen here:<\/p>\n
if($verbose)\n  {\n   $gpo\n  }\n ELSE\n  {\n   foreach($ogpo in $gpo)\n    {\n     $hash += @{ $ogpo.ID = $ogpo.DisplayName }\n    }\n     format-table -inputobject $hash -autosize\n  } #end else\n<\/pre>\n
The complete Get-GPO<\/b> function is seen here:<\/p>\n
Function Get-GPO()\n{\n New-Line(\"Listing GPOs from $domain\")\n $gpm=New-Object -ComObject gpmgmt.gpm\n $constants = $gpm.GetConstants()\n $gpmDomain = $gpm.GetDomain($domain,$null,$constants.useanydc)\n $gpmSearchCriteria = $gpm.CreateSearchCriteria()\n $gpo=$gpmdomain.SearchGPOs($gpmSearchCriteria)\n if($verbose)\n  {\n   $gpo\n  }\n ELSE\n  {\n   foreach($ogpo in $gpo)\n    {\n     $hash += @{ $ogpo.ID = $ogpo.DisplayName }\n    }\n     format-table -inputobject $hash -autosize\n  } #end else\n exit\n} #end Get-GPO\n<\/pre>\n
When the script is run, it produces an output similar to what you see here: <\/p>\n
\"Image<\/p>\n
 <\/p>\n
Well, LW, that is it for gathering a listing of all the GPOs that are defined in the domain. Join us tomorrow as Group Policy Week continues, when we will look at finding unlinked GPOs. Until then, peace. <\/p>\n
 <\/p>\n
Ed Wilson and Craig Liebendorfer, Scripting Guys<\/b><\/p>\n","protected":false},"excerpt":{"rendered":"
Hey, Scripting Guy! Do you ever wonder how some people ever get their jobs? We had a guy who was hired to organize our Group Policy implementation. The person was a loser. I mean, I do not think he could even spell Group Policy. Needless to say, the whole thing has morphed into some kind […]<\/p>\n","protected":false},"author":595,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[152,3,45],"class_list":["post-54433","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-group-policy","tag-scripting-guy","tag-windows-powershell"],"acf":[],"blog_post_summary":"
Hey, Scripting Guy! Do you ever wonder how some people ever get their jobs? We had a guy who was hired to organize our Group Policy implementation. The person was a loser. I mean, I do not think he could even spell Group Policy. Needless to say, the whole thing has morphed into some kind […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/54433","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/595"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=54433"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/54433\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=54433"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=54433"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=54433"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}