Select Page

In a previous post, I mentioned that the Group Policy Health Cmdlet was now a free download at www.sdmsoftware.com/freeware. The Health Cmdlet is a PowerShell utility for collecting Group Policy processing health against one or more remote systems. The cmdlet returns a "health object" that contains a number of properties related to the target systems’ Group Policy processing, as shown here:

 

GP Health Cmdlet Output

What you notice is that some properties are pretty straightforward, like the domain name, hostname, loopback status, etc. However, some properties are more complicated. For example, the ComputerGPOsProcessed property is actually a collection of objects that define the GPOs processed by the computer. Those GPO objects each have their own set of properties. So, how can you quickly get to one of these property collections if you just want to know that information. Well, PowerShell provides the select-object cmdlet (aka "select") that you can use to select a property and expand it out in one step for example, if I wanted to see a list of GPOs processed by the computer on my target system called sdm2, I can simply type:

Get-SDMGPHealth -ComputerName sdm2 | select -expand ComputerGPOsProcessed |fl

which will just list out the GPOs processed by the computer, like this:

DisplayName : Local Group Policy
GPLink      : Local
Version     : GPT Version: 0000, GPC Version: 0000

DisplayName : Default Domain Policy
GPLink      : DC=cpandl,DC=com
Version     : GPT Version: 003A, GPC Version: 003A

DisplayName : Desktop Policy Manager: Marketing User Lockdown – {C0D4FBAE-3952-
              4A3E-89BF-90AC4AFC3FFF}
GPLink      : DC=cpandl,DC=com
Version     : GPT Version: FFFF, GPC Version: 0000

DisplayName : Desktop Policy Manager: Sales Users Lockdown – {C30783C6-A0D9-4B9
              C-B2A3-A21FA0BADC5E}
GPLink      : DC=cpandl,DC=com
Version     : GPT Version: FFFF, GPC Version: 0000

DisplayName : Desktop Policy Manager: Engineering Department Lockdown – {1D9875
              10-9ADB-4102-BFAC-B3027518D0F6}
GPLink      : DC=cpandl,DC=com
Version     : GPT Version: FFFF, GPC Version: 0000

DisplayName : Restricted Groups AD test
GPLink      : OU=Domain Controllers,DC=cpandl,DC=com
Version     : GPT Version: FFFF, GPC Version: 0005

DisplayName : Default Domain Controllers Policy
GPLink      : OU=Domain Controllers,DC=cpandl,DC=com
Version     : GPT Version: 004E, GPC Version: 004E

The other main property collections on the Health object are the ComputerCSEsProcessed and UserCSEsProcessed. These objects are a bit more complicated because they actually contain a collection of collections. Namely, these properties list each Client Side Extension that ran for the computer or user, and then within each of those, it lists the GPOs that were called by that CSE. Each of those GPO objects contains properties that include the GPO name, the last time the CSE ran for that GPO and where the GPO was linked.

So, let’s say we want to find out all the GPOs that processed security policy for the computer. That can be done in a single PowerShell command by using the following syntax:

Get-SDMGPHealth -ComputerName sdm2 | select -expand ComputerCSEsProcessed |
where {$_.ExtensionName -contains "Security"} | select -expand GPObyCSE |fl

When I issue this command, I get the following output:

DisplayName        : Default Domain Policy
GPLink             :
LDAP://DC=cpandl,DC=com
LastProcessingTime : 1/9/2009 2:31:00 PM
CseStatus          : The operation completed successfully

DisplayName        : Default Domain Controllers Policy
GPLink             :
LDAP://OU=Domain Controllers,DC=cpandl,DC=com
LastProcessingTime : 1/9/2009 2:31:00 PM
CseStatus          : The operation completed successfully

Which tells me that the Security CSE ran two GPOs and that they both ran successfully at the times given above. If they had not run successfully, the actual error message returned by the CSE would be shown here.

Hope this helps folks get more value out of the cmdlet (and thanks to PowerShell MVP Brandon Shell for helping me work through the syntax!)

Darren

 

Tags
PowerShell, Group Policy, Group Policy Health, SDM Software