Windows Performance Analyzer (WPA) has opened my eyes to a lot of things in the past week! For one, 30 seconds of our 40 second login was being eaten by GPClient. I noticed that we had a lot of GPOs linked to high level OUs even though only a few machines actually needed the policy.
The picture above shows an example. So how can I automatically find out what computers need which policy and then relink the GPO closer? Let’s script it!
Fire up PowerShell ISE and paste this script:
# Load the cmdlets the script depends on: the Quest AD snapin and the GPMC GroupPolicy module
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction Stop
Import-Module GroupPolicy -ErrorAction Stop

$Group = Read-Host "What is the group name?"
$GPO   = Read-Host "What is the GPO name?"
$Scope = Read-Host "Computer or User policy?"

# All members of the group, including nested ones, filtered to the requested object type
$GroupMembers = Get-QADGroupMember "$Group" -Indirect -SizeLimit 0 | Where-Object { $_.Type -eq $Scope }

# Collect the parent OU of each member
$OUs = foreach ($GroupMember in $GroupMembers) {
    if ($Scope -eq "Computer") { (Get-QADComputer $GroupMember).ParentContainerDN }
    if ($Scope -eq "User")     { (Get-QADUser $GroupMember).ParentContainerDN }
}

# Link the GPO once per unique OU (linking the same GPO twice to one OU errors out)
foreach ($OU in ($OUs | Select-Object -Unique)) {
    New-GPLink -Name "$GPO" -Target $OU -LinkEnabled Yes
}
A few things about this script. First, it isn’t very pretty! If you improve on it, let me know and I will update this page (and give you credit)! Second, this script looks at the OU membership of each computer specified in the $Group variable. It will then link the GPO (specified at $GPO) to each unique OU found. It is assumed that the security group you input is specified in the security scope of the GPO. Finally, this script will not unlink any existing links that you have.
As with most cases, GPClient really wasn’t at fault. Over time, we became lazy and linked GPOs at a higher level than what was needed.
Getting the same error as above: “The term ‘Get-QADGroupMember’ is not recognized as the name of a cmdlet,”
Is this due to it not being an active directory powershell box? And how does one install such?
PS C:\Users\support> $psversiontable
Name Value
—- —–
PSVersion 5.1.17763.1007
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
BuildVersion 10.0.17763.1007
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
How should this script be rewritten to NOT use Quest AD cmdlets?? What are the equivalent MS PowerShell commands??
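The same workflow written against Microsoft's own RSAT modules (ActiveDirectory and GroupPolicy) instead of the Quest QAD cmdlets, added here as an editor's example: it is not the post author's script and not code from any commenter. It covers both the original post's approach (find each member's OU, link the GPO there) and the question above. The prompts are assumed to be answered exactly as in the original ("Computer" or "User"), and Get-ParentContainerDN is a helper written for this example, not an AD cmdlet.

```powershell
# Added example: link a GPO to the OU of every computer/user in a group,
# using the RSAT ActiveDirectory and GroupPolicy modules (no Quest snapin).
Import-Module ActiveDirectory -ErrorAction Stop
Import-Module GroupPolicy     -ErrorAction Stop

$Group = Read-Host "What is the group name?"
$GPO   = Read-Host "What is the GPO name?"
$Scope = Read-Host "Computer or User policy?"   # "Computer" or "User"

# Helper (assumed, not an AD cmdlet): strip the leading RDN from a distinguished
# name to get its parent container. The regex tolerates escaped commas in the
# CN (e.g. "CN=Doe\, Jane,OU=Staff,DC=corp,DC=example").
function Get-ParentContainerDN {
    param([string]$DistinguishedName)
    return ($DistinguishedName -replace '^CN=(?:[^,\\]|\\.)+,', '')
}

# -Recursive expands nested groups, like Get-QADGroupMember -Indirect.
# objectClass ("computer"/"user") replaces the Quest 'Type' filter; -eq is case-insensitive.
$Members = Get-ADGroupMember -Identity $Group -Recursive |
    Where-Object { $_.objectClass -eq $Scope }

# Resolve each member to the container that holds it, then deduplicate
$OUs = foreach ($Member in $Members) {
    Get-ParentContainerDN -DistinguishedName $Member.DistinguishedName
}
$OUs = $OUs | Sort-Object -Unique

# Link the GPO once per OU; skip OUs where that GPO is already linked so a
# re-run of the script is harmless. Nothing is ever unlinked, as in the original.
foreach ($OU in $OUs) {
    $already = (Get-GPInheritance -Target $OU).GpoLinks |
        Where-Object { $_.DisplayName -eq $GPO }
    if ($already) {
        Write-Host "Already linked: $GPO -> $OU"
        continue
    }
    # Add -WhatIf on a first pass to review the proposed links before changing anything
    New-GPLink -Name $GPO -Target $OU -LinkEnabled Yes
    Write-Host "Linked: $GPO -> $OU"
}
```

Two things to check before running it for real: Get-ADGroupMember -Recursive stops at the server-side result limit on very large groups, and New-GPLink can only target OUs, domains and sites, so any member sitting in a plain container such as the default CN=Computers will produce an error for that entry rather than a link.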
If you can’t run the commands, you didn’t load the appropriate module for powershell.
You should execute this from the active directory powershell box and not just a powershell box.
You could also do a get-module and import-module to import the appropriate modules which contain the commandlets.
Furthermore, the script looks great, no comments on it.
I believe in simplicity and your script does the job.
Thank you andre!
I’m having the same problem as Anne above. My version of PowerShell ISE is 4.0
Any ideas? Thanks,
Teresa
First, do you have the quest cmdlets installed on your machine? Can you type get-qaduser in PowerShell and receive a prompt for a user?
Do you have the GPMC installed on your machine?
Getting errors as well:
The term ‘Get-QADGroupMember’ is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:5 char:35
+ $GroupMembers = Get-QADGroupMember <<<< "$Group" -Indirect -SizeLimit 0 | where type -eq $Scope
+ CategoryInfo : ObjectNotFound: (Get-QADGroupMember:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
The term 'Get-QADComputer' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:9 char:22
+ $OU = Get-QADComputer <<<< $GroupMember
+ CategoryInfo : ObjectNotFound: (Get-QADComputer:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
The term 'New-GPLink' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:10 char:11
+ New-GPLink <<<< -Name "$GPO" -Target $OU.ParentContainerDN -link Yes
+ CategoryInfo : ObjectNotFound: (New-GPLink:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
What version of powershell are you using? You can run $psversiontable to see the version.
Get nothing but errors running this script. What did I miss???
At line:8 char:25
+ 8.foreach ($GroupMember in $GroupMembers) {
+ ~~
Unexpected token ‘in’ in expression or statement.
At line:8 char:24
+ 8.foreach ($GroupMember in $GroupMembers) {
+ ~
Missing closing ‘)’ in expression.
At line:7 char:30
+ 7.if ($scope -eq “Computer”) {
+ ~
Missing closing ‘}’ in statement block.
At line:8 char:41
+ 8.foreach ($GroupMember in $GroupMembers) {
+ ~
Unexpected token ‘)’ in expression or statement.
At line:13 char:4
+ 13.}
+ ~
Unexpected token ‘}’ in expression or statement.
At line:16 char:26
+ 16.foreach ($GroupMember in $GroupMembers) {
+ ~~
Unexpected token ‘in’ in expression or statement.
At line:16 char:25
+ 16.foreach ($GroupMember in $GroupMembers) {
+ ~
Missing closing ‘)’ in expression.
At line:15 char:27
+ 15.if ($scope -eq “User”) {
+ ~
Missing closing ‘}’ in statement block.
At line:16 char:42
+ 16.foreach ($GroupMember in $GroupMembers) {
+ ~
Unexpected token ‘)’ in expression or statement.
At line:21 char:4
+ 21.}
+ ~
Unexpected token ‘}’ in expression or statement.
+ CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : UnexpectedToken
What version of powershell are you running?