Use PowerShell to Get GPO Status Flag

Here's an interesting little exercise in using Get-ADObject to see which parts of a Group Policy are enabled or disabled. By parts, I mean the User or Computer settings.

Over to Get-ADObject...

New-Variable -Name UE_CE -Value 0 -Option Constant #User Enabled / Computer Enabled
New-Variable -Name UD_CE -Value 1 -Option Constant #User Disabled / Computer Enabled
New-Variable -Name UE_CD -Value 2 -Option Constant #User Enabled / Computer Disabled
New-Variable -Name UD_CD -Value 3 -Option Constant #User Disabled / Computer Disabled
#Get systems container
$SysCont = (Get-ADDomain).SystemsContainer
#Find GPOs whose computer settings are disabled (User Enabled / Computer Disabled, flags = 2)
Get-ADObject -SearchBase "CN=Policies,$SysCont" -Filter {(ObjectClass -eq "GroupPolicyContainer") -and (flags -eq $UE_CD)} -Properties DisplayName | Select-Object DisplayName


The constants translate to the numeric values found in the flags attribute on each Group Policy Container (GPC). The GPCs live in the Policies container, under the System container of the domain partition, e.g. "CN=Policies,CN=System,DC=halo,DC=net" (the DN that Get-ADDomain exposes as SystemsContainer).

The Get-ADObject cmdlet uses this container as its search base and filters on objects of the GroupPolicyContainer class whose flags attribute equals 2, i.e. 'User Enabled / Computer Disabled' ($UE_CD).

Obviously, you can change the flag constant to pull back different configurations, e.g. 'User Disabled / Computer Enabled', ergo $UD_CE.
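The post queries one flag value at a time. For an audit it is more useful to decode the flags attribute of every GPC into its two halves, because a GPO whose computer or user side has been disabled silently stops applying whatever that half configured (a hardening baseline, audit policy, etc.). The following is an added example, not the original author's code: it treats flags as a two-bit mask (1 = user settings disabled, 2 = computer settings disabled, which matches the four constants above), wraps the decoding in a function so it can be exercised on constructed values without a domain, and reuses the post's SystemsContainer-based search base for the live query. Function and variable names are my own.

```powershell
# Added example (not from the original post): decode the GPC 'flags' attribute
# for every GPO in the domain and report which halves are disabled.
# Live query requires the ActiveDirectory module (RSAT) and read access to CN=Policies.

# Bit semantics of the gPC 'flags' attribute:
#   value 1 = user settings disabled, value 2 = computer settings disabled,
#   0 = both enabled, 3 = both disabled (same values as the post's constants).
$UserDisabledBit     = 1
$ComputerDisabledBit = 2

function ConvertFrom-GpoFlags {
    # Decode a raw flags integer into a readable status object.
    param([Parameter(Mandatory)][int]$Flags)

    $userDisabled     = ($Flags -band $UserDisabledBit) -ne 0
    $computerDisabled = ($Flags -band $ComputerDisabledBit) -ne 0

    [pscustomobject]@{
        Flags            = $Flags
        UserSettings     = if ($userDisabled)     { 'Disabled' } else { 'Enabled' }
        ComputerSettings = if ($computerDisabled) { 'Disabled' } else { 'Enabled' }
        AllDisabled      = $userDisabled -and $computerDisabled
    }
}

function Get-GpoStatusReport {
    # Query every GroupPolicyContainer under CN=Policies and decode its flags.
    # The search base is built from the domain's SystemsContainer, as in the post.
    $sysCont = (Get-ADDomain).SystemsContainer
    Get-ADObject -SearchBase "CN=Policies,$sysCont" `
                 -Filter { ObjectClass -eq 'GroupPolicyContainer' } `
                 -Properties DisplayName, flags, whenChanged |
    ForEach-Object {
        $status = ConvertFrom-GpoFlags -Flags ([int]$_.flags)
        [pscustomobject]@{
            DisplayName      = $_.DisplayName
            PolicyGuid       = $_.Name            # a GPC's CN is the policy GUID
            UserSettings     = $status.UserSettings
            ComputerSettings = $status.ComputerSettings
            AllDisabled      = $status.AllDisabled
            WhenChanged      = $_.whenChanged     # helps triage recent status changes
        }
    }
}

# Constructed sample input: decode all four possible flag values offline.
$sample = 0..3 | ForEach-Object { ConvertFrom-GpoFlags -Flags $_ }
$sample | Format-Table -AutoSize

# Against a live domain: GPOs with any half disabled, most recently changed first.
# Get-GpoStatusReport |
#     Where-Object { $_.UserSettings -eq 'Disabled' -or $_.ComputerSettings -eq 'Disabled' } |
#     Sort-Object WhenChanged -Descending | Format-Table -AutoSize
```

Running the sample section prints the four flag values with their decoded halves (0 = both enabled, 1 = user disabled, 2 = computer disabled, 3 = both disabled). The commented-out pipeline at the end is the audit query; sorting on whenChanged puts the most recently modified GPOs first, which is where an unexpected "disabled" status is most worth a second look. If the GroupPolicy module is available, Get-GPO's GpoStatus property reports the same state and can be used to cross-check the raw flags.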