How to Find (and Remove) Unlinked GPOS in Active Directory

choubertsprojects


The Active Directory (AD) environment and Group Policy (GP) architecture evolve as a company expands. GPOs (Group Policy Objects) may quickly grow out of control, and before you realize it, your environment is cluttered with hundreds of unlinked GPOs. Let's clean that up.

In this article, you’ll learn how to use the Group Policy Management Console (GPMC) and PowerShell to find all of those unlinked GPOs.

Let’s get this party started!

Prerequisites

This post will be a step-by-step guide with examples. If you want to follow along, make sure you have the following items:

Where do unlinked GPOs come from?

When you create a GPO and configure all of the settings you want to apply to client machines, that GPO by itself does nothing. The GPO must be linked to an AD organizational unit (OU) before it affects any client machine.


As more administrators create GPOs, forget to connect them, unlink GPOs from OUs, and mean to delete them but never do, the number of GPOs hanging about doing nothing grows. If not properly managed, unlinked GPOs may quickly grow into the hundreds, especially in big enterprises.

Locating unlinked GPOs in the GPMC

Unlinked GPOs may be found in one of two ways: using the GPMC or through PowerShell. If you just have a few unlinked GPOs, it can be more convenient to utilize the GPMC instead of writing a PowerShell script.

To find unlinked GPOs using the GPMC:

1. Go to your start menu and type “group policy management” to launch the GPMC. Open the GPMC software when it appears.

2. In the GPMC, go to Forest: <your forest name> > Domains > <your domain name>, right-click on the domain name and click Search. This action will bring up the Search for Group Policy Objects dialog box.

In the GPMC console, there is a search feature.

3. Select GPO-links from the Search Item dropdown. This search item looks for GPOs linked to an OU. Set the condition dropdown to Exist In and the value dropdown to your domain.

The combination of these settings in the screenshot below will find all GPOs linked to at least one OU in the homelab.local domain.

When you’re finished, click Add to add the criterion to the list. It will appear in the section under “All search criteria.”

Adding a search item in the "Search for Group Policy Objects" window

4. Now, click the Search button to locate all GPOs that fit the search parameters.

Using the search option in the "Search for Group Policy Objects" window

5. Only linked GPOs are shown in the search results, as illustrated in the picture below.

Results of a search for linked GPOs

6. Now, manually compare the full list of GPOs with the linked GPOs to locate the unlinked ones, as shown below. Only three GPOs are linked in the screenshot below. Two of the GPOs listed under the Group Policy Objects node (UnlinkedGPO1 and UnlinkedGPO2) are missing from the search results. In other words, they are unlinked.

This job will take some time, which is why you’ll learn how to do it using PowerShell in the following section.

Comparing the search results against all Group Policy Objects

When GPOs are linked to an AD container such as an OU, they show a link, as seen below. If you only have a few GPOs, you can simply check which ones have a link and which ones don't. Unlinked GPOs are the GPOs without any link.

Linked GPOs are shown.

Using PowerShell to locate unlinked GPOs

Browsing through GPOs in the GPMC works for a handful of GPOs, but if you have hundreds or thousands of GPOs managing thousands of endpoints it becomes impractical. Then it's time to automate the process and build a useful PowerShell utility.

Assuming you’re using RSAT on your local domain-joined Windows PC:

1. Open a PowerShell terminal on Windows.

2. Import the GroupPolicy module. RSAT includes the GroupPolicy module, so it should already be installed on your system. This module provides all of the PowerShell cmdlets required to work with GPOs.

Import-Module GroupPolicy

3. Run the Get-GPO cmdlet with the All parameter (Get-GPO -All). This cmdlet searches AD for GPOs and returns all of them.

The result of the Get-GPO cmdlet

4. Now that you have all of the domain's GPOs, you must determine which ones are unlinked. Run the Get-GPOReport cmdlet to do this. You give this cmdlet the GPO name and the type of report to return.

Get-GPOReport -Name SomeGPO -ReportType XML

Run this command after copying and pasting one of the GPO names from the previous step. You'll see that the cmdlet returns an XML report with all of the GPO's settings. Take note of the section titled LinksTo, shown below. The SOMPath XML element in this section holds the path of the OU to which the GPO is linked.

LinksTo section from a sample output

The Get-GPOReport cmdlet can only return a report for a single GPO at a time. The report covers only links within the domain, not links to AD sites.

5. Now that you know how to use Get-GPO to list all GPOs and Get-GPOReport to find out what they're linked to, combine the two by copying and pasting the PowerShell command below into your console.

The command below queries all GPOs in the domain (Get-GPO) and then generates an XML report for each of them (Get-GPOReport), only allowing the ones that don’t have a <LinksTo> string in the report (Select-String) to be returned.

Get-GPO -All | Where-Object { $_ | Get-GPOReport -ReportType XML | Select-String -NotMatch "<LinksTo>" }

UnlinkedGPO1 and UnlinkedGPO2 are not linked to any OU in the tutorial’s environment, as seen in the example below.

Creating a list of unlinked domain GPOs
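The one-liner above decides "unlinked" by string-matching "<LinksTo>" in the XML text, and, as noted, the report does not cover links to AD sites. The following added example (not code from the original article) parses the XML report instead, returns the actual SOMPath of every link, and optionally checks each site object's gPLink attribute for the GPO's GUID so a site-only GPO is not mistaken for an unlinked one. It assumes the RSAT GroupPolicy module; the site check additionally assumes the ActiveDirectory module (Get-ADReplicationSite) on a domain-joined machine. The function names Get-GpoLinkPath and Get-UnlinkedGpo are my own.

```powershell
# Added example, not from the original article. Assumes RSAT GroupPolicy; the
# -IncludeSiteLinks switch also assumes the ActiveDirectory module.
Import-Module GroupPolicy

function Get-GpoLinkPath {
    # Returns the SOMPath of every domain/OU the GPO is linked to (nothing if unlinked).
    param([Parameter(Mandatory, ValueFromPipeline)][Microsoft.GroupPolicy.Gpo]$Gpo)
    process {
        [xml]$report = Get-GPOReport -Guid $Gpo.Id -ReportType Xml
        # The LinksTo element is absent entirely when the GPO is not linked anywhere,
        # so wrap in @() and skip the $null that an empty result produces.
        foreach ($link in @($report.GPO.LinksTo)) {
            if ($link) { $link.SOMPath }
        }
    }
}

function Get-UnlinkedGpo {
    [CmdletBinding()]
    param([switch]$IncludeSiteLinks)

    # A site's gPLink attribute holds entries such as
    # "[LDAP://cn={GUID},cn=policies,cn=system,DC=...;0]", so the GPO's GUID
    # appearing in any site's gPLink means the GPO is linked to that site.
    $siteLinkText = ''
    if ($IncludeSiteLinks) {
        Import-Module ActiveDirectory
        $siteLinkText = (Get-ADReplicationSite -Filter * -Properties gPLink).gPLink -join ' '
    }

    Get-GPO -All | Where-Object {
        $gpo = $_
        $ouLinks = @($gpo | Get-GpoLinkPath)
        # -match is case-insensitive, so the lowercase Guid string matches the braces form in gPLink
        $siteLinked = $IncludeSiteLinks -and ($siteLinkText -match [regex]::Escape("{$($gpo.Id)}"))
        ($ouLinks.Count -eq 0) -and (-not $siteLinked)
    }
}

# Usage:
# Get-UnlinkedGpo -IncludeSiteLinks | Select-Object DisplayName, Id, ModificationTime
# Get-GPO -Name 'SomeGPO' | Get-GpoLinkPath     # shows where a single GPO is linked
```

Parsing the XML rather than grepping it also means the function cannot be fooled by the string "<LinksTo>" appearing inside a setting's value, and the returned SOMPath values give you an audit trail of where each linked GPO actually applies.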

Now it’s time to put what you’ve learned together and create a PowerShell script that you can use in real life.

1. Open your preferred code editor, paste the PowerShell script below into it, and save it as Remove-UnlinkedGPO.ps1. This script:

  • Creates a folder for unlinked GPO reports with the current date.
  • Finds all unlinked GPOs in Active Directory.
  • For each unlinked GPO, it generates an HTML report and stores it to disk.
  • A list of all unlinked GPOs is created and appended to a text file.
  • Using the Remove-GPO cmdlet, removes each unlinked GPO with a confirmation step.

The Remove-UnlinkedGPO.ps1 script is also available on GitHub.

Import-Module GroupPolicy

$Date = Get-Date -Format dd_MM_yyyy
$BackupDir = "C:\GPOBackup\$Date"

## Creates a directory to store the GPO reports
if (-Not (Test-Path -Path $BackupDir)) {
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
}

# Get all GPOs, generate an XML report for each one, and keep only the GPOs
# whose report has no <LinksTo> section, i.e. the unlinked ones.
Get-GPO -All | Where-Object { $_ | Get-GPOReport -ReportType XML | Select-String -NotMatch "<LinksTo>" } | ForEach-Object {
    # Backing up the GPO, the HTML report and the text listing are optional safety nets.
    Backup-GPO -Name $_.DisplayName -Path $BackupDir

    # Run the report and save it as an HTML file on disk
    Get-GPOReport -Name $_.DisplayName -ReportType Html -Path "$BackupDir\$($_.DisplayName).html"

    # Create and append to a text file called UnlinkedGPOs.txt in the backup folder
    # a record of each GPO object that Get-GPO returned
    $_ | Select-Object * | Out-File "$BackupDir\UnlinkedGPOs.txt" -Append

    # Remove the GPO, but prompt before removing
    Remove-GPO -Name $_.DisplayName -Confirm
}
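The script above deletes as soon as you answer Yes, whether or not Backup-GPO actually succeeded, and it treats a GPO created yesterday the same as one abandoned years ago. The following added example (my code, not the article's script) wraps the removal step in a function that supports -WhatIf, skips GPOs modified within the last $MinAgeDays days (an unlinked GPO may simply be new and still being built), only removes a GPO after Backup-GPO returned a backup object with an Id you could feed to Restore-GPO, and emits a record of how to restore it. It assumes the RSAT GroupPolicy module; the function name Remove-UnlinkedGpoSafely and the default $BackupRoot and $MinAgeDays values are my own choices.

```powershell
# Added example, not from the original article. Assumes the RSAT GroupPolicy module.
Import-Module GroupPolicy

function Remove-UnlinkedGpoSafely {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][Microsoft.GroupPolicy.Gpo]$Gpo,
        [string]$BackupRoot = "C:\GPOBackup\$(Get-Date -Format yyyy-MM-dd)",   # example default
        [int]$MinAgeDays = 30                                                  # example default
    )
    begin {
        if (-not (Test-Path -Path $BackupRoot)) {
            New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null
        }
    }
    process {
        # Guard 1: leave recently modified GPOs alone and say why.
        if ($Gpo.ModificationTime -gt (Get-Date).AddDays(-$MinAgeDays)) {
            Write-Warning "Skipping '$($Gpo.DisplayName)': modified $($Gpo.ModificationTime), newer than $MinAgeDays days"
            return
        }
        # -WhatIf prints the action and stops here; otherwise the operator is prompted (ConfirmImpact High).
        if (-not $PSCmdlet.ShouldProcess($Gpo.DisplayName, 'Back up and remove unlinked GPO')) {
            return
        }
        # Guard 2: delete only when a backup object with a BackupId actually came back.
        $backup = Backup-GPO -Guid $Gpo.Id -Path $BackupRoot -Comment 'Unlinked GPO cleanup'
        if (-not $backup -or -not $backup.Id) {
            Write-Error "No backup produced for '$($Gpo.DisplayName)'; not removing it"
            return
        }
        # Name the HTML report by GUID so display names with illegal path characters cannot break it.
        Get-GPOReport -Guid $Gpo.Id -ReportType Html -Path (Join-Path $BackupRoot "$($Gpo.Id).html")
        # The function already confirmed above, so suppress Remove-GPO's own prompt.
        Remove-GPO -Guid $Gpo.Id -Confirm:$false
        [pscustomobject]@{
            DisplayName = $Gpo.DisplayName
            GpoId       = $Gpo.Id
            BackupId    = $backup.Id
            RestoreWith = "Restore-GPO -BackupId $($backup.Id) -Path '$BackupRoot'"
        }
    }
}

# Dry run first, then the real thing (drop -WhatIf; each GPO prompts individually):
# Get-GPO -All | Where-Object { $_ | Get-GPOReport -ReportType XML | Select-String -NotMatch "<LinksTo>" } |
#     Remove-UnlinkedGpoSafely -WhatIf
```

Because the function uses ShouldProcess, the usual -Confirm:$false and -WhatIf switches behave as an administrator expects, and the emitted objects can be piped to Export-Csv to keep a record of what was removed and how to bring it back.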

2. Run Remove-UnlinkedGPO.ps1 to remove the unlinked GPO.


3. If the script discovers an unlinked GPO, it will prompt you to confirm its deletion. The Remove-GPO cmdlet with the Confirm switch generates this prompt. Choose Yes to confirm the removal of that particular GPO, or click Yes to All to delete all unlinked GPOs without any further confirmation.

Confirmation prompt for GPO removal

After the script completes, if it found at least one unlinked GPO you should see in the C:\GPOBackup\<date> folder the GPO backup contents as a GUID-named folder along with the HTML reports and the UnlinkedGPOs.txt file.

The backup folder

4. Using a web browser, open one of the HTML reports. As you can see in the screenshot below, the report includes all of the settings configured in that GPO. The UnlinkedGPO1 GPO in the example below configures the PowerShell execution policy.

HTML report from the GPO

5. Finally, double-click the UnlinkedGPOs.txt file to open it. You’ll see that the result is identical to what you got using the Get-GPO cmdlet.

GPO listing in UnlinkedGPOs.txt

Conclusion

You should now be able to use the GPMC and PowerShell to locate all of the unlinked GPOs in your AD environment.

Which approach do you favor? Can you think of a way to make the PowerShell script we’ve looked at better?
