Script needed to disable GPO Link with Powershell

Martin Kühn
I need a solution to disable GPO links with PowerShell (not remove). It is easily done with the new module grouppolicy on 2008R2 or Windows 7, but I need it done on 2003 or 2008 DCs.
Adam Brown, Senior Systems Admin
Top Expert 2010

Commented:
You'll need to download Powershell 2 on your 2003 and 2008 DCs to get access to that module. The download is here: http://support.microsoft.com/kb/968929 Scroll down about halfway and the download links are there.
Martin Kühn, System Administrator

Author

Commented:
No, I have PowerShell 2 on my servers. The modules are not in place. You only have access to them if you have a Windows 7 or 2008R2 machine in your domain.
e.g. -module activedirectory (which is more complicated to use)
-module grouppolicy
I am looking for something to work without these modules. I am able to get a listing of all my GPOs (by declaring a COM object) but I was not able until now to disable the GPO link.
Chris Dent, PowerShell Developer
Top Expert 2010

Commented:
You might give the GPMC CmdLets from here a go:

http://www.sdmsoftware.com/freeware.php

HTH

Chris

Martin Kühn, System Administrator

Author

Commented:
I have tried these today. I could not find something like set-. You can Add or Delete or Get, but you cannot change settings. (unfortunately).
What I like to do is disable existing links, rename the GPOs and put in a new set. (which is no problem).
Chris Dent, PowerShell Developer
Top Expert 2010

Commented:

Perhaps run a Get CmdLet and pipe it into Get-Member? It may have a method on the object returned that will let you change things?

As far as I know it wraps around the COMObject interface. Unfortunately I can't use it, for the opposite reason from you, I only have Windows 7 / Server 2008 R2 to play with.

Chris
Martin Kühn, System Administrator

Author

Commented:
I tried this already today with no answer. If you are running 2008R2 and Windows 7 it is easy.
Just import-module activedirectory and grouppolicy and you have everything you ever wanted. With 2 lines I was able to deactivate all the old links and rename the old GPOs.
I know the GPMC interface, should be http://msdn.microsoft.com/en-us/library/aa814204(v=VS.85).aspx
but I cannot figure out a way to address it.
Is changing the security on powershell out of the question? You could use CACLS to add local admins and remove everyone else but system.
Martin Kühn, System Administrator

Author

Commented:
No it is not a question of security. What I am trying to do is the following:
Sometimes we give updates for our software to customers. This software depends a lot on Group Policy. So we have to update the GPOs as well. But sometimes there are installations where we changed our standards to the customer's needs. When we do an update, we want to disable the old policies, but leave them in place with filtering and everything and rename them. Afterwards we put in the new ones and if anything is wrong, we can easily change back to the old ones.
As I said, with 2008R2 or Windows 7 (RSAT tools) I can do this with 2 lines of code, but I cannot rely on everybody having these in their domain.
System Administrator
Commented:
OK, we found the answer ourselves. I asked one of our programmers who knows a little bit about COM objects and we found the correct syntax.
Thanks for your efforts!
I found a script on a blog site to list all OUs with their link state. This one is not ready yet, but I tried to take this as a starter:


$domain = $env:USERDNSDOMAIN
$gpm = New-Object -ComObject GPMgmt.GPM
$constants = $gpm.GetConstants()
$gpmDomain = $gpm.GetDomain($domain, $null, $constants.UseAnyDC)
$gpmSearchCriteria = $gpm.CreateSearchCriteria()
$gpoList = $gpmDomain.SearchGPOs($gpmSearchCriteria)

$unlinkedGPO = 0

foreach ($objGPO in $gpoList)
{
    # Find every SOM (scope of management) that links this GPO
    $gpmSearchCriteria = $gpm.CreateSearchCriteria()
    $gpmSearchCriteria.Add($constants.SearchPropertySomLinks, $constants.SearchOpContains, $objGPO)
    $somList = $gpmDomain.SearchSoms($gpmSearchCriteria)
    "$($objGPO.ID) `t $($objGPO.DisplayName)"

    if ($somList.Count -ne 0)
    {
        foreach ($som in $somList)
        {
            $links = $som.GetGPOLinks()

            foreach ($link in $links)
            {
                # A SOM can carry links to several GPOs; act only on the current one
                if ($link.GPOID -eq $objGPO.ID)
                {
                    if ($link.Enabled)
                    {
                        $link.Enabled = $false   # this is the trick
                        Write-Host "Linked and Enabled to:", $som.Name
                    }
                    else
                    {
                        Write-Host "Linked but Not Enabled to:", $som.Name
                    }
                }
            }
        }
    }
    else
    {
        Write-Host "Not Linked"
    }
}
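
Added example, not part of the original thread or the poster's code: a variant of the script above that targets one GPO by display name, writes nothing unless `-Apply` is given, and returns the previous state of each link so the change can be reviewed and reversed. The function name `Set-GpoLinkState`, its parameters and the GPO name in the usage comment are hypothetical; the COM members are those of the same `GPMgmt.GPM` interface.

```powershell
# Added example: Set-GpoLinkState and its parameters are hypothetical names.
function Set-GpoLinkState {
    param(
        [Parameter(Mandatory = $true)][string]$GpoName,
        [bool]$Enabled = $false,                 # target link state
        [string]$Domain = $env:USERDNSDOMAIN,
        [switch]$Apply                           # without -Apply this is a dry run
    )

    $gpm       = New-Object -ComObject GPMgmt.GPM
    $constants = $gpm.GetConstants()
    $gpmDomain = $gpm.GetDomain($Domain, $null, $constants.UseAnyDC)

    # Resolve the GPO by exact display name and refuse to guess on 0 or >1 hits
    $criteria = $gpm.CreateSearchCriteria()
    $criteria.Add($constants.SearchPropertyGPODisplayName, $constants.SearchOpEquals, $GpoName)
    $hits = @()
    foreach ($g in $gpmDomain.SearchGPOs($criteria)) { $hits += $g }
    if ($hits.Count -ne 1) {
        throw "Expected exactly one GPO named '$GpoName', found $($hits.Count)."
    }
    $gpo = $hits[0]

    # Domain and OU SOMs that link this GPO (site links are not returned by this search)
    $criteria = $gpm.CreateSearchCriteria()
    $criteria.Add($constants.SearchPropertySomLinks, $constants.SearchOpContains, $gpo)
    foreach ($som in $gpmDomain.SearchSoms($criteria)) {
        foreach ($link in $som.GetGPOLinks()) {
            if ($link.GPOID -ne $gpo.ID) { continue }   # other GPOs linked to the same SOM
            $before = $link.Enabled
            if ($Apply -and ($before -ne $Enabled)) { $link.Enabled = $Enabled }
            # One record per link: enough to audit the change and to restore it
            New-Object PSObject -Property @{
                Gpo        = $gpo.DisplayName
                GpoId      = $gpo.ID
                Som        = $som.Path
                WasEnabled = $before
                NowEnabled = $link.Enabled
                Applied    = [bool]$Apply
            }
        }
    }
}

# Usage (the GPO name is a placeholder): review first, then apply and keep the report.
# Set-GpoLinkState -GpoName 'Example Old Policy' | Format-Table -AutoSize
# Set-GpoLinkState -GpoName 'Example Old Policy' -Apply |
#     Export-Csv .\gpo-link-state-before.csv -NoTypeInformation
```

The `WasEnabled` column in the saved report shows which links to re-enable with `-Enabled $true -Apply` if the new policy set has to be backed out.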
