I had a question come up today about a use case for our GPMC cmdlets and figured it was worth sharing for other’s benefit. Here’s the scenario. I have a GPO who’s name I know. I want to find all the places that its linked and then I want disable all the links for that GPO. And I want to use PowerShell to do it because, well, I can!

So here we go. The first thing we need to do is search for all the links for a given GPO, using the get-sdmgplink cmdlet like this:

$scopes = get-sdmgplink -Name "My GPO"

In this example, I’m using the ability of this cmdlet to search for links by GPO name (using the -Name parameter). Once I’ve got the list of my scopes, I want to feed that into a set of commands to disable the links, like this:

$scopes = get-sdmgplink -Name "My GPO"
$gpo = get-SDMGPO "My GPO"
foreach ($scope in $scopes)
{
   $links = get-sdmgplink -Scope $scope.Path -native
   foreach ($link in $links)
   {
       if ($link.GPOID -eq $gpo.ID){$link.enabled = $false}
   }
}

So, what I’m doing here is first getting the list of DNs that contain a link to the GPO called "My GPO". Then I call the get-sdmgpo cmdlet to get the GUID of the GPO to use later. Then I foreach through each scope I returned in the first call, and pass that to a call to get-sdmgplink again. Except this time, I am using the -Scope parameter to search by DN (returned as the Path property on the $scope variable). Once I get the list of links on that scope, I next foreach through them to find the one that corresponds to my GPO (by checking the GPO ID of the link compared to that of the GPO I want to search on). Once I find my GPO, I set that link’s enabled property equal to false.

Note that in my 2nd call to get-sdmgplink, I pass in the optional -Native parameter, which lets me get back the actual GPMC object that has the enabled property on it. This is important because if I don’t use this param, the call to .enabled will fail!

Well, hope that helps someone out there!

Tags:

Group Policy, PowerShell, GPMC, SDM Software