In a previous post, I mentioned that the Group Policy Health Cmdlet was now a free download at www.sdmsoftware.com/freeware. The Health Cmdlet is a PowerShell utility for collecting Group Policy processing health against one or more remote systems. The cmdlet returns a "health object" that contains a number of properties related to the target systems’ Group Policy processing, as shown here:
What you notice is that some properties are pretty straightforward, like the domain name, hostname, loopback status, etc. However, some properties are more complicated. For example, the ComputerGPOsProcessed property is actually a collection of objects that define the GPOs processed by the computer. Those GPO objects each have their own set of properties. So, how can you quickly get to one of these property collections if you just want to know that information. Well, PowerShell provides the select-object cmdlet (aka "select") that you can use to select a property and expand it out in one step for example, if I wanted to see a list of GPOs processed by the computer on my target system called sdm2, I can simply type:
Get-SDMGPHealth -ComputerName sdm2 | select -expand ComputerGPOsProcessed |fl
which will just list out the GPOs processed by the computer, like this:
DisplayName : Local Group Policy
GPLink : Local
Version : GPT Version: 0000, GPC Version: 0000
DisplayName : Default Domain Policy
GPLink : DC=cpandl,DC=com
Version : GPT Version: 003A, GPC Version: 003A
DisplayName : Desktop Policy Manager: Marketing User Lockdown – {C0D4FBAE-3952-
4A3E-89BF-90AC4AFC3FFF}
GPLink : DC=cpandl,DC=com
Version : GPT Version: FFFF, GPC Version: 0000
DisplayName : Desktop Policy Manager: Sales Users Lockdown – {C30783C6-A0D9-4B9
C-B2A3-A21FA0BADC5E}
GPLink : DC=cpandl,DC=com
Version : GPT Version: FFFF, GPC Version: 0000
DisplayName : Desktop Policy Manager: Engineering Department Lockdown – {1D9875
10-9ADB-4102-BFAC-B3027518D0F6}
GPLink : DC=cpandl,DC=com
Version : GPT Version: FFFF, GPC Version: 0000
DisplayName : Restricted Groups AD test
GPLink : OU=Domain Controllers,DC=cpandl,DC=com
Version : GPT Version: FFFF, GPC Version: 0005
DisplayName : Default Domain Controllers Policy
GPLink : OU=Domain Controllers,DC=cpandl,DC=com
Version : GPT Version: 004E, GPC Version: 004E
The other main property collections on the Health object are the ComputerCSEsProcessed and UserCSEsProcessed. These objects are a bit more complicated because they actually contain a collection of collections. Namely, these properties list each Client Side Extension that ran for the computer or user, and then within each of those, it lists the GPOs that were called by that CSE. Each of those GPO objects contains properties that include the GPO name, the last time the CSE ran for that GPO and where the GPO was linked.
So, let’s say we want to find out all the GPOs that processed security policy for the computer. That can be done in a single PowerShell command by using the following syntax:
Get-SDMGPHealth -ComputerName sdm2 | select -expand ComputerCSEsProcessed |
where {$_.ExtensionName -contains "Security"} | select -expand GPObyCSE |fl
When I issue this command, I get the following output:
DisplayName : Default Domain Policy
GPLink : LDAP://DC=cpandl,DC=com
LastProcessingTime : 1/9/2009 2:31:00 PM
CseStatus : The operation completed successfully
DisplayName : Default Domain Controllers Policy
GPLink : LDAP://OU=Domain Controllers,DC=cpandl,DC=com
LastProcessingTime : 1/9/2009 2:31:00 PM
CseStatus : The operation completed successfully
Which tells me that the Security CSE ran two GPOs and that they both ran successfully at the times given above. If they had not run successfully, the actual error message returned by the CSE would be shown here.
Hope this helps folks get more value out of the cmdlet (and thanks to PowerShell MVP Brandon Shell for helping me work through the syntax!)
Darren
Tags
PowerShell, Group Policy, Group Policy Health, SDM Software
JAN
About the Author:
Darren Mar-Elia is CTO & Founder of SDM Software, Inc. Darren has over 25 years of IT and Software experience in the Microsoft technology area, including serving as a Director in Infrastructure at Charles Schwab, CTO of Windows Management Solutions at Quest Software, and Sr. Director of Product Engineering at DesktopStandard. He has been a Microsoft MVP in Group Policy technology for the last 6 years and has written and spoken on Active Directory, Group Policy and PowerShell topics frequently over the years. He maintains the popular Group Policy resource web site at www.gpoguy.com and has been a contributing editor for Windows IT Pro Magazine since 1997. He has written and contributed to twelve books on Windows. Darren also speaks frequently at conferences on Windows infrastructure topics.