
Thread: How to list OU that a GPO is applied to

  1. #1
    PreviousPoster

    Is there a native command line utility that will spit out all the OUs that a particular GPO is applied to? I know I can view it in GPMC >> Scope, but I want a text output that I can copy and paste.

    Thanks!

  2. #2
    AdamV

    You might be able to pull this stuff out using dsquery and LDAP syntax, but it could get messy.

    Basically, GP links are stored as attributes of the container in question (OU, site or domain). These gPLink attributes can be seen using adsiedit, and you will see they list the GUIDs of all policies linked at that container, so any query you run against an OU may give you multiple answers in return. You would then need to translate the GUIDs back to whatever you have named the policies.

    This is also backwards from the way you phrased the question. As far as I know there is no way for a given GPO to find where it is linked; it is all the other way round because of the one-to-many mapping. This unfortunately means that it is not easy to identify 'orphaned' policies which are no longer linked to any containers.

    You might find some useful information and be able to use the free PowerShell tools from the links in this article by MVP Darren Mar-Elia:
    http://sdmsoftware.com/blog/2007/12/the_clash_of_the_gpo_links.html

  3. #3
    PreviousPoster

    Thanks for the response. Sorry it took so long to get back, but I was in a serious car accident shortly after my original post and I am just getting back to work.

    I am using the ADSI tool, but I am not sure what you mean by using dsquery. The only attributes that are searchable on OUs are Name, Description, and Managed By. None of these attributes that I am aware of contain the GUIDs for GPOs that are applied to them.

    Am I understanding this correctly?



    EDIT: I see what you mean now. In ADSI you can go to advanced and write an LDAP query and I can put in the LDAP GUID of my policy which is gPLink: [LDAP://cn={8B59263E-657D-42D8-AB7D-8B761813B870}

  4. #4
    PreviousPoster

    Still having trouble with this one.

    I can go into ADSI edit and view the attribute of the target OU and see its gPLink of [LDAP://cn={8B59263E-657D-42D8-AB7D-8B761813B870}.

    So I assume I need to somehow perform a search/query against the OUs to extract their attributes, specifically the gPLink attribute, associated with the string [LDAP://cn={8B59263E-657D-42D8-AB7D-8B761813B870} and then all OUs having this attribute will be returned.

    Not sure how to do this, any help would be greatly appreciated.

  5. #5
    PreviousPoster

    Ok, I used the LDP.exe tool gotten from the Server 2003 support tools.
    I also tried out the ADFIND utility gotten from http://www.joeware.net/freetools/tools/adfind/index.htm


    Basically I just typed the following string in the filter section of a LDP search:

    (gPLink=[LDAP://cn={8B59263E-657D-42D8-AB7D-8B761813B870},cn=policies,cn=system,DC=mydomain;0])

    And before searching, if I click on Options and under attributes and type dn, then only the OU names will be returned, which makes it much easier to sort through.

    If using the ADFIND utility the command is adfind -b dc=mydomain attr list dn -f "gPLink=[LDAP://cn={8B59263E-657D-42D8-AB7D-8B761813B870},cn=policies,cn=system,DC=mydomain
    cal;0]

    The output of ADFIND is a bit cleaner and easier to read due to it being based in the command line.


    Thanks for your help in getting pointed in the right direction. I always forget about the power of LDAP searches in LDP.
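
Added example (PowerShell, not part of the original thread): gPLink holds every link on a container in one string, so an exact-match filter only returns containers where the GPO is the sole link with that option value; a substring filter plus per-link parsing also finds it among other links and reports the disabled/enforced flags. The function names `ConvertFrom-GpLink` and `Find-GpoLink` and the `example.test` sample data are constructed for illustration.

```powershell
# Split one gPLink value into its links: [LDAP://<GPO DN>;<options>][LDAP://...;<options>]
function ConvertFrom-GpLink {
    param([string]$GpLink)
    $pattern = '\[LDAP://(?<dn>[^;\]]+);(?<opt>\d+)\]'
    foreach ($m in [regex]::Matches($GpLink, $pattern, 'IgnoreCase')) {
        $opt = [int]$m.Groups['opt'].Value
        [pscustomobject]@{
            GpoGuid  = [regex]::Match($m.Groups['dn'].Value, '[0-9A-Fa-f-]{36}').Value
            Disabled = [bool]($opt -band 1)   # bit 0: link disabled
            Enforced = [bool]($opt -band 2)   # bit 1: link enforced
        }
    }
}

# Return every container (piped in) that links the given GPO, with link state.
function Find-GpoLink {
    param(
        [Parameter(Mandatory)][string]$GpoGuid,
        [Parameter(Mandatory, ValueFromPipeline)]$Container
    )
    process {
        $wanted = $GpoGuid.Trim('{}')
        ConvertFrom-GpLink $Container.gPLink |
            Where-Object { $_.GpoGuid -eq $wanted } |
            ForEach-Object {
                [pscustomobject]@{
                    Container = $Container.DistinguishedName
                    Disabled  = $_.Disabled
                    Enforced  = $_.Enforced
                }
            }
    }
}

# Constructed sample containers; the second links two GPOs, so an exact match would miss it.
$policies = 'cn=policies,cn=system,DC=example,DC=test'
$sample = @(
    [pscustomobject]@{ DistinguishedName = 'OU=Workstations,DC=example,DC=test'
        gPLink = "[LDAP://cn={8B59263E-657D-42D8-AB7D-8B761813B870},$policies;0]" }
    [pscustomobject]@{ DistinguishedName = 'OU=Servers,DC=example,DC=test'
        gPLink = "[LDAP://cn={11111111-2222-3333-4444-555555555555},$policies;0]" +
                 "[LDAP://cn={8B59263E-657D-42D8-AB7D-8B761813B870},$policies;2]" }
)
$sample | Find-GpoLink -GpoGuid '{8B59263E-657D-42D8-AB7D-8B761813B870}'

# Against a live domain (requires the ActiveDirectory module):
# Get-ADObject -LDAPFilter '(gPLink=*8B59263E-657D-42D8-AB7D-8B761813B870*)' -Properties gPLink |
#     Find-GpoLink -GpoGuid '{8B59263E-657D-42D8-AB7D-8B761813B870}'
```

Site-level links live on objects in the configuration partition, so a search rooted at the domain will not return them.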
