In GPO terms, domains, OUs, and sites are called Scopes of Management (SOMs).
SOM container object, such as OU has an attribute called gPLink that lists all of the GPOs applied to the object.
This attribute contains a list of GPO distinguished names and a Boolean to indicate whether the GPO DN is enforced. It looks like this :
[<GPO DN_1>;<GPLinkOptions_1>][<GPO DN_2>;<GPLinkOptions_2>]... [<GPODN_n>;<GPLinkOptions_n>]
Ex:
[LDAP://cn={8BE35F55-E3DF-4D1C-8C3A-39F81F451D86},cn=policies,cn=system,DC=ad,DC=foo,DC=local;2]
[LDAP://cn={946584E4-F1CD-458E-8366-8A549FF2E4B2},cn=policies,cn=system,DC=ad,DC=foo,DC=local;0]
[LDAP://cn={92845926-AE1B-49C4-A33A-92441D29DDB7},cn=policies,cn=system,DC=ad,DC=foo,DC=local;1]
GPLinkOptions meaning:
0: The GPO Link is not ignored and is not an enforced GPO. This is the default value
1: The GPO Link MUST be ignored.
2: The GPO Link is an enforced GPO.
The order in which GPO paths appear in this attribute specifies the link order for the associated GPOs. In the GPMC console, you will see :
GPO DN_n
..
GPO DN_2
GPO DN_1
The “GPO DN_n” will have precedence over “GPO DN_n-1” .. “GPO DN_2”, “GPO DN_1”
GetGPO("LDAP://OU=sales,OU=people,DC=ad,DC=foo,DC=local")
Function GetGPO (objldap)
Set objContainer = GetObject (objldap)
strGpLink = objContainer.Get("gPLink")
If Len(strGpLink) > 0 Then
arrGpLinkItems = Split(strGpLink,"]")
For each el in arrGpLinkItems
WScript.Echo Mid(el,2, Len(el)-3)
Set objgpo = GetObject (Mid(el,2, Len(el)-3))
WScript.Echo objgpo.DisplayName
Next
End If
End Function
Speak Your Mind