How to retrieve currently applied GPOs on your local machine using WMI via Windows Scripting Host ( WSH )
WMI provides two very useful Resultant Set of Policy (RSOP) classes that can be used together to determine the current set of GPOs that are applied to the local machine.
The RSOP_GPO class provides information about GPOs that could be applied to your machine. Instances of this class are divided into three categories:
- Instances that represent applied GPOs
- Instances that represent GPOs that have read-access but not applyGroupPolicy access
- Instances that represent disabled GPOs.
The following MSDN link provides more information about the RSOP_GPO class:
msdn.microsoft.com/en-us/library/aa374918(VS.85).aspx.
The RSOP_GPLink WMI class represents the links from a site, domain, organizational unit, or local scope, to one or more GPOs. All the links from the current scope of management (SOM), including those that have been disabled. The RSOP_GPLINK class is documented at the following MSDN link:
msdn.microsoft.com/en-us/library/aa374916(VS.85).aspx
Notice the “appliedOrder” property. This property will contain either and integer value that represents the order in which the GPO was applied or the value of 0 which indicates that the GPO was either not linked or not applied.
Using these two classes together, one can determine the actual list of GPOs that are applied to the local machine. The process is very straight forward:
- Perform a WMI query on the RSOP namespace to return only those RSOP_GPLINK objects that have an “appliedOrder” value that is non 0.
- Build a dictionary from the results of the query, building the key name for the GPO.
- Walk the dictionary, querying the namespace for the matching RSOP_GPO class objects.
The following Visual Basic Script (VBS) illustrates how to implement the 3 steps listed above:
strComputer = "."
' Step1: Execute the WMI query to retrieve the matching RSOP_GPLink objects:
' and create the dictionary.
'
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\rsop\computer")
Set colItems = objWMIService.ExecQuery("Select GPO From RSOP_GPLink Where AppliedOrder <> 0")
Set dict = CreateObject("Scripting.Dictionary")
'
' Step 2: Load the dictionary with the query results.
'
For Each objItem in colItems
dict.Add Replace(objItem.GPO, "RSOP_GPO.", ""), Replace(objItem.GPO, "RSOP_GPO.", "")
Next
'
' Step 3: Walk the dictionary, and query the repository for the RSOP_GPO objects that have been
'applied to the local machine and display its properties.
'
For Each vItem In dict.Items
Set colItems = objWMIService.ExecQuery("Select * from RSOP_GPO where " & vItem)
For Each objItem in colItems
Wscript.Echo "Name: " & objItem.Name
Wscript.Echo "GUID Name: " & objItem.GUIDName
Wscript.Echo "ID: " & objItem.ID
Wscript.Echo "Access Denied: " & objItem.AccessDenied
Wscript.Echo "Enabled: " & objItem.Enabled
Wscript.Echo "File System path: " & objItem.FileSystemPath
Wscript.Echo "Filter Allowed: " & objItem.FilterAllowed
Wscript.Echo "Filter ID: " & objItem.FilterId
Wscript.Echo "Version: " & objItem.Version
Wscript.Echo ""
Wscript.Echo "====="
Next
Next
Comments
Anonymous
July 30, 2014
so.. you may want to read what you post. your script is cutoff and you cannot scroll sideways.Anonymous
February 22, 2016CAVEAT: Get-WmiObject is PS3
[System.Array]$RSOP_GPLinks = Get-WmiObject -ComputerName $envComputerName -Class RSOP_GPLink -Namespace rootrsopcomputer -Filter "AppliedOrder <> 0" #Doing this instead of dictionary or Hash table $RSOP_GPLinks = $RSOP_GPLinks | Sort-Object -Property appliedOrder | Select-Object -Property GPO,appliedOrder,linkOrder ForEach ($RSOP_GPLink in $RSOP_GPLinks) { [String]$WMIPath = $($RSOP_GPLink.GPO).replace("RSOP_GPO.", "") [System.Array]$RSOP_GPOItems = Get-WmiObject -ComputerName $envComputerName -Class RSOP_GPO -Namespace rootrsopcomputer -Filter $WMIPath Write-host "Name: $($RSOP_GPOItems.Name)" Write-host "GUID Name: $($RSOP_GPOItems.GUIDName)" Write-host "ID: $($RSOP_GPOItems.ID)" Write-host "appliedOrder: $($RSOP_GPLink.appliedOrder)" #taken from RSOP_GPLink Class Write-host "Access Denied: $($RSOP_GPOItems.AccessDenied)" Write-host "Enabled: $($RSOP_GPOItems.Enabled)" Write-host "File System path: $($RSOP_GPOItems.FileSystemPath)" Write-host "Filter Allowed: $($RSOP_GPOItems.FilterAllowed)" Write-host "Filter ID: $($RSOP_GPOItems.FilterId)" Write-host "Version: $($RSOP_GPOItems.Version)" Write-host "" Write-host "=====" }