Janik von Rotz



Get unlinked GPOs with PowerShell

In terms of IT compliance, having valid GPOs is essential. They must be up to date, and the GPO directory should be free of any unlinked GPOs. Retrieving a list of unlinked GPOs in the management console is impossible. With PowerShell it is quite easy.

Take this function for example:

Get-UnlinkedGPOs.ps1

function Get-UnlinkedGPOs {

    # Cmdlets Get-GPO and Get-GPOReport come from the GroupPolicy module
    Import-Module GroupPolicy

    $Report = @()
    # @() keeps $GPOs an array even when only a single GPO is returned
    $GPOs = @(Get-GPO -All)
    $GPOs | ForEach-Object {

        $GPO = $_

        Write-Progress -Activity "Get GPO settings" -Status "Analyze GPO: $($GPO.DisplayName)" -PercentComplete ([int]([array]::IndexOf($GPOs, $GPO)/$GPOs.Count*100))

        # The XML report holds one <LinksTo> element per link of the GPO
        $GPOReport = ([XML]$($GPO | Get-GPOReport -ReportType Xml)).GPO

        # Unlinked: no <LinksTo> element at all, or no link that is enabled
        If (($null -eq $GPOReport.LinksTo) -or (-not ($GPOReport.LinksTo | Where-Object { $_.Enabled -eq $true }))) {
            $Report += $GPO
        }
    }

    If ($Report.Count -eq 0) {
        Write-Warning "No unlinked GPOs found"
    } else {
        return $Report
    }
}

Make sure the group policy PowerShell module is installed.

Once the function is available in your shell you can do things like:

Get-UnlinkedGPOs | Select DisplayName, GpoStatus | Sort-Object DisplayName | Format-Table
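The function counts a GPO as unlinked both when it has no links and when all of its links are disabled. The following added example (not part of the original post) runs that same check offline against constructed report XML and keeps the two cases apart. The helper name Get-GpoLinkState and the sample GPO names and paths are assumptions.

```powershell
# Constructed sample reports: only the elements the check reads are included.
$SampleReports = @(
    '<GPO><Name>Legacy-Printers</Name></GPO>',
    '<GPO><Name>Old-Proxy</Name><LinksTo><SOMPath>example.test/Staff</SOMPath><Enabled>false</Enabled></LinksTo></GPO>',
    ('<GPO><Name>Workstation-Baseline</Name>' +
     '<LinksTo><SOMPath>example.test/Clients</SOMPath><Enabled>true</Enabled></LinksTo>' +
     '<LinksTo><SOMPath>example.test/Lab</SOMPath><Enabled>false</Enabled></LinksTo></GPO>')
)

# Hypothetical helper: classifies one GPO report by the state of its links.
function Get-GpoLinkState {
    param([Parameter(Mandatory)][xml]$ReportXml)

    $gpo = $ReportXml.GPO
    # @() normalises zero, one or many <LinksTo> elements to an array.
    $links   = @($gpo.LinksTo | Where-Object { $null -ne $_ })
    $enabled = @($links | Where-Object { $_.Enabled -eq 'true' })

    if ($links.Count -eq 0)       { $state = 'NoLinks' }
    elseif ($enabled.Count -eq 0) { $state = 'DisabledLinksOnly' }
    else                          { $state = 'Linked' }

    [pscustomobject]@{
        Name         = $gpo.Name
        Links        = $links.Count
        EnabledLinks = $enabled.Count
        State        = $state
        # Where the disabled links point, so they can be reviewed before cleanup
        DisabledAt   = ($links | Where-Object { $_.Enabled -ne 'true' }).SOMPath -join '; '
    }
}

$SampleReports |
    ForEach-Object { Get-GpoLinkState -ReportXml $_ } |
    Format-Table -AutoSize
```

Get-UnlinkedGPOs would return the GPOs in the NoLinks and DisabledLinksOnly states; a Linked GPO can still carry a disabled link, which the DisabledAt column surfaces.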

Categories: scripting
Tags: compliance , group policy , powershell , reporting