How to retrieve currently applied GPOs on your local machine using WMI via Windows Scripting Host (WSH)

 

WMI provides two very useful Resultant Set of Policy (RSOP) classes that can be used together to determine the current set of GPOs that are applied to the local machine.

 

The RSOP_GPO class provides information about the GPOs that could be applied to your machine. Instances of this class fall into three categories:

  1. Instances that represent applied GPOs.
  2. Instances that represent GPOs for which the machine has read access but not applyGroupPolicy access.
  3. Instances that represent disabled GPOs.

 

The following MSDN link provides more information about the RSOP_GPO class:

 

msdn.microsoft.com/en-us/library/aa374918(VS.85).aspx.

 

The RSOP_GPLink WMI class represents the links from a site, domain, organizational unit, or local scope to one or more GPOs. An instance exists for every link from the current scope of management (SOM), including links that have been disabled. The RSOP_GPLink class is documented at the following MSDN link:

 

msdn.microsoft.com/en-us/library/aa374916(VS.85).aspx

 

Notice the “appliedOrder” property. It contains either an integer value that represents the order in which the GPO was applied, or the value 0, which indicates that the GPO was either not linked or not applied.

 

Using these two classes together, one can determine the actual list of GPOs that are applied to the local machine. The process is very straightforward:

 

  1. Perform a WMI query on the RSOP namespace to return only those RSOP_GPLink objects whose “appliedOrder” value is non-zero.
  2. Build a dictionary from the results of the query, using the GPO reference of each link as the key.
  3. Walk the dictionary, querying the namespace for the matching RSOP_GPO object of each key.

 

The following Visual Basic Script (VBScript) illustrates how to implement the three steps listed above:

    strComputer = "."

    '
    ' Step 1: Connect to the computer RSoP namespace, execute the WMI query that
    ' returns only the RSOP_GPLink objects whose AppliedOrder is non-zero, and
    ' create the dictionary.
    '
    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\rsop\computer")
    Set colItems = objWMIService.ExecQuery("Select GPO From RSOP_GPLink Where AppliedOrder <> 0")
    Set dict = CreateObject("Scripting.Dictionary")

    '
    ' Step 2: Load the dictionary with the query results. The GPO property is an
    ' object path of the form RSOP_GPO.id="..."; stripping the class prefix leaves
    ' the WHERE clause used in step 3. A GPO linked at more than one SOM returns
    ' one RSOP_GPLink per link, so skip keys that are already present
    ' (Dictionary.Add raises an error on a duplicate key).
    '
    For Each objItem In colItems
        strKey = Replace(objItem.GPO, "RSOP_GPO.", "")
        If Not dict.Exists(strKey) Then dict.Add strKey, strKey
    Next

    '
    ' Step 3: Walk the dictionary, query the repository for each RSOP_GPO object
    ' that has been applied to the local machine, and display its properties.
    '
    For Each vItem In dict.Items
        Set colItems = objWMIService.ExecQuery("Select * From RSOP_GPO Where " & vItem)
        For Each objItem In colItems
            Wscript.Echo "Name: " & objItem.Name
            Wscript.Echo "GUID Name: " & objItem.GUIDName
            Wscript.Echo "ID: " & objItem.ID
            Wscript.Echo "Access Denied: " & objItem.AccessDenied
            Wscript.Echo "Enabled: " & objItem.Enabled
            Wscript.Echo "File System path: " & objItem.FileSystemPath
            Wscript.Echo "Filter Allowed: " & objItem.FilterAllowed
            Wscript.Echo "Filter ID: " & objItem.FilterId
            Wscript.Echo "Version: " & objItem.Version
            Wscript.Echo ""
            Wscript.Echo "====="
        Next
    Next
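The same three steps in PowerShell, as an added example that is not part of the original post or its comments. It uses the CIM cmdlets instead of WSH, works for either RSoP namespace, orders the result by appliedOrder, and goes one step beyond the post: with a switch it also lists GPOs that were linked but not applied, together with the RSOP_GPO flag (AccessDenied, Enabled, FilterAllowed) or link state that explains why. The function name Get-RsopGpo and the -IncludeNotApplied switch are this example's own. It assumes RSoP logging data exists on the machine (gpupdate populates it), local administrator rights for root\rsop\computer, and that the RSOP_GPLink.GPO reference arrives either as a CimInstance keyed on id (CIM cmdlets) or as the RSOP_GPO.id="..." string the VBScript above strips (WMI cmdlets).

```powershell
# Added example, not code from the original post or its comments.
# Assumptions: Windows host with RSoP logging data present; administrator rights
# for root\rsop\computer; RSOP_GPLink.GPO is a CimInstance keyed on "id" or the
# RSOP_GPO.id="..." string form shown in the post.

function Get-RsopGpo {
    [CmdletBinding()]
    param(
        [ValidateSet('Computer', 'User')]
        [string]$Scope = 'Computer',
        [switch]$IncludeNotApplied        # also report linked-but-skipped GPOs
    )

    $namespace = 'root\rsop\' + $Scope.ToLower()

    # Step 1: query the links. Without -IncludeNotApplied this is exactly the
    # post's query: only links whose AppliedOrder is non-zero.
    $linkQuery = @{ Namespace = $namespace; ClassName = 'RSOP_GPLink' }
    if (-not $IncludeNotApplied) { $linkQuery['Filter'] = 'AppliedOrder <> 0' }
    # Applied links first, in application order; unapplied links (0) last.
    $links = Get-CimInstance @linkQuery |
        Sort-Object @{ Expression = { $_.AppliedOrder -eq 0 } }, AppliedOrder

    # Step 2: build a hashtable keyed on the RSOP_GPO id. A GPO linked at several
    # SOMs yields one RSOP_GPLink per link, so the first (best ordered) entry wins.
    $byId = @{}
    foreach ($link in $links) {
        $ref = $link.GPO
        $id = if ($ref -is [string]) { [regex]::Match($ref, 'id="([^"]+)"').Groups[1].Value }
              else { $ref.id }
        if ($id -and -not $byId.ContainsKey($id)) {
            $byId[$id] = @{ Order = $link.AppliedOrder; LinkEnabled = $link.enabled }
        }
    }

    # Step 3: resolve each id to its RSOP_GPO instance and emit objects rather
    # than text, so the result can be filtered, exported or diffed against a baseline.
    foreach ($id in $byId.Keys) {
        $entry = $byId[$id]
        # Returns nothing (so $gpo is $null and its properties read as $null) when
        # the instance cannot be read in this namespace.
        $gpo = Get-CimInstance -Namespace $namespace -ClassName RSOP_GPO -Filter ("id='{0}'" -f $id)

        $reason = if ($entry.Order -ne 0)          { 'applied' }
                  elseif (-not $gpo)               { 'no readable RSOP_GPO instance' }
                  elseif ($gpo.AccessDenied)       { 'access denied (GPO could not be read)' }
                  elseif (-not $gpo.Enabled)       { 'GPO disabled' }
                  elseif (-not $gpo.FilterAllowed) { 'excluded by security or WMI filtering' }
                  elseif (-not $entry.LinkEnabled) { 'link disabled' }
                  else                             { 'not applied (blocked inheritance or other)' }

        [pscustomobject]@{
            Scope          = $Scope
            AppliedOrder   = $entry.Order
            Name           = $gpo.Name
            Id             = $id
            Reason         = $reason
            FileSystemPath = $gpo.FileSystemPath
            Version        = $gpo.Version
        }
    }
}

# Usage: applied GPOs in application order, then everything that was linked but skipped.
Get-RsopGpo -Scope Computer -IncludeNotApplied |
    Sort-Object @{ Expression = { $_.AppliedOrder -eq 0 } }, AppliedOrder |
    Format-Table -AutoSize
```

From a defender's point of view the second half of that output is the useful part: a hardening GPO that is linked to the machine's OU but reported as access denied or filtered out is applied nowhere, and that silently missing policy is invisible to the applied-only query the post runs.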

Comments

  • Anonymous
    July 30, 2014
    So... you may want to read what you post. Your script is cut off and you cannot scroll sideways.

  • Anonymous
    February 22, 2016

    CAVEAT: Get-WmiObject is PS3

        [System.Array]$RSOP_GPLinks = Get-WmiObject -ComputerName $env:ComputerName -Class RSOP_GPLink -Namespace root\rsop\computer -Filter "AppliedOrder <> 0" # Doing this instead of dictionary or Hash table
        $RSOP_GPLinks = $RSOP_GPLinks | Sort-Object -Property appliedOrder | Select-Object -Property GPO,appliedOrder,linkOrder

        ForEach ($RSOP_GPLink in $RSOP_GPLinks) {
            [String]$WMIPath = $($RSOP_GPLink.GPO).replace("RSOP_GPO.", "")
            [System.Array]$RSOP_GPOItems = Get-WmiObject -ComputerName $env:ComputerName -Class RSOP_GPO -Namespace root\rsop\computer -Filter $WMIPath

            Write-Host "Name: $($RSOP_GPOItems.Name)"
            Write-Host "GUID Name: $($RSOP_GPOItems.GUIDName)"
            Write-Host "ID: $($RSOP_GPOItems.ID)"
            Write-Host "appliedOrder: $($RSOP_GPLink.appliedOrder)" # taken from RSOP_GPLink class
            Write-Host "Access Denied: $($RSOP_GPOItems.AccessDenied)"
            Write-Host "Enabled: $($RSOP_GPOItems.Enabled)"
            Write-Host "File System path: $($RSOP_GPOItems.FileSystemPath)"
            Write-Host "Filter Allowed: $($RSOP_GPOItems.FilterAllowed)"
            Write-Host "Filter ID: $($RSOP_GPOItems.FilterId)"
            Write-Host "Version: $($RSOP_GPOItems.Version)"
            Write-Host ""
            Write-Host "====="
        }