One of the many scenarios that organizations contend with is impact analysis. For SDM Software this is about configuration and most importantly security configuration. For example, what happens if you go into Active Directory Users and Computers and move Server1 from its home in OU1 to a new home in OU5? Do you know? Does it matter? It has consistently come up in our discussions. A couple of years ago Darren Mar-Elia posted a great video discussing how to accomplish this task with the GPO Reporting Pak. Check it out, it will be a well used 3 minutes and 35 seconds of your time.
Using GPO Reporting Pak to analyze GPO differences between OUs
I’m revisiting this topic to modernize it a bit, add some deeper analysis of the steps and demonstrate how you can use PowerShell to do this. My end goal is to build out a PowerShell Advanced Function that you can use interactively to tie together all of the steps and automate the process. This will be a multi-part story so stay tuned. The discussion will be broken down like this;
- Part 1 – Find GPOs Linked to an OU (This post)
- Part 2 – Export-SDMGPSettings, saving output, analyzing results for single OU – Saving GPRP Snapshot
- Part 3 – Compare-SDMGPO – compare two GPRP snapshots
- Finalizing the Advanced Function and Creating Automation
Each part of this discussion will have a Video counter part. You can look at the VLOG playlist on our YouTube Channel to find those videos.
Without further ado… let’s get started!
Part 1 – Find GPOs Linked to an OU
The first task is finding the GPOs that link to a specific OU. This includes the directly linked GPOs as well as those inherited from above. There is a great cmdlet provided as a part of the GroupPolicy PowerShell module called Get-GPInheritance. It returns the data we will need to examine with the Export-SDMGPSettings cmdlet. We will get there in Part II. The challenge in Part I is that each cmdlet requires data presented in a specific way or format. Additionally for the ‘tool’ we plan on building, we want to make it as user friendly as possible. Let’s break this down.
- Get-GPInheritance has a parameter called ‘Target’. This parameter requires a Distinguished Name (i.e. “OU=blah,OU=DeBlah,DC=Baddidty,DC=Blah”). That is a lot to ask of the end user if they are using the tool interactively. We just want the data requested to be as simple as possible. Now for those of you who have been down this path there are some inherent issues here such as 2 OUs with the same name… we are going to punt on such things here and may revisit as an advanced topic later. For our purposes we are going to ask for a ‘FriendlyName’ and go find a ‘DistinguishedName’. (NOTE: ‘FriendlyName’ is not the actual name of a parameter as you will see in the video)
- Get-ADOrganizationalUnit is a cmdlet provided with the ActiveDirectory Module. This cmdlet returns objects that have both a ‘Friendly Name’ and a ‘DistinguishedName’. We can ask Get-ADOrganizationalUnit for a specific OU based on the ‘FriendlyName’ and get the ‘DistinguishedName’ back…
- Now we can use Get-GPInheritance and get the list of GPOs linked to a specific OU… and prepare to send that information to Export-SDMGPSettings in the Part II of this topic.
Check out the video as I walk through this first step in the process.