Use PowerShell to Get GPO Status Flag

Here's an interesting little exercise in using Get-ADObject to see which parts of a Group Policy are enabled or disabled. By parts, I mean the User or Computer settings.

 


Over to Get-ADObject...

  
#Constants
New-Variable -Name UE_CE -Value 0 -Option Constant #User Enabled / Computer Enabled
New-Variable -Name UD_CE -Value 1 -Option Constant #User Disabled / Computer Enabled
New-Variable -Name UE_CD -Value 2 -Option Constant #User Enabled / Computer Disabled
New-Variable -Name UD_CD -Value 3 -Option Constant #User Disabled / Computer Disabled
 
 
#Get systems container
$SysCont = (Get-ADDomain).SystemsContainer
 
#Find GPOs with User Enabled / Computer Disabled
Get-ADObject -SearchBase "CN=Policies,$SysCont" -Filter {(ObjectClass -eq "GroupPolicyContainer") -and (flags -eq $UE_CD)} -Properties DisplayName | Select-Object DisplayName

 

The constants translate to the numeric values found in the flags attribute on each Group Policy Container (GPC). The GPCs can be found in the Policies container, in the Systems Container within the domain partition, e.g. "CN=Policies,CN=System,DC=halo,DC=net".

The Get-ADObject cmdlet uses this container as a search base and filters on objects that are of the GroupPolicyContainer type and have a specific flag - 'User Enabled / Computer Disabled'.

 


Obviously, you can change the flag type to pull back different configurations, e.g. 'User Disabled / Computer Enabled', ergo $UD_CE.
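As an added example (not part of the original post), the same query can be widened to report the status of every GPO at once by decoding the flags value as two bits, which matches the four constants above: 1 means user settings disabled, 2 means computer settings disabled. The function names ConvertTo-GpoStatus and Get-GpoFlagStatus are hypothetical, and the script assumes the ActiveDirectory module and read access to the Policies container.

```powershell
#Requires -Modules ActiveDirectory

# Hypothetical helper: decode the GPC flags value as two bits.
# Bit 0 (value 1) = user settings disabled, bit 1 (value 2) = computer settings disabled.
function ConvertTo-GpoStatus {
    param([int]$Flags)
    $user     = if ($Flags -band 1) { 'User Disabled' }     else { 'User Enabled' }
    $computer = if ($Flags -band 2) { 'Computer Disabled' } else { 'Computer Enabled' }
    "$user / $computer"
}

# Hypothetical function: report the status of every GPO in the current domain.
function Get-GpoFlagStatus {
    $SysCont = (Get-ADDomain).SystemsContainer
    Get-ADObject -SearchBase "CN=Policies,$SysCont" `
                 -Filter 'ObjectClass -eq "groupPolicyContainer"' `
                 -Properties DisplayName, flags, whenChanged |
        ForEach-Object {
            $value = [int]$_.flags    # an unset attribute casts to 0 (everything enabled)
            [pscustomobject]@{
                DisplayName = $_.DisplayName
                Guid        = $_.Name  # the GPC's CN is the GPO GUID in braces
                Flags       = $value
                Status      = ConvertTo-GpoStatus -Flags $value
                WhenChanged = $_.whenChanged
            }
        }
}

# Offline check of the decoder against the four values used in the post
0..3 | ForEach-Object { '{0} = {1}' -f $_, (ConvertTo-GpoStatus -Flags $_) }

# Against a domain: list GPOs that have any part disabled, most recently changed first
Get-GpoFlagStatus |
    Where-Object Flags -ne 0 |
    Sort-Object WhenChanged -Descending |
    Format-Table DisplayName, Status, WhenChanged -AutoSize
```

Sorting by WhenChanged makes it easier to spot a baseline GPO whose user or computer half was recently switched off.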