Group Policy

Generate a CSV from your GPO’s per OU


If you come into an environment like I have, you’ll find that some companies prefer to break out their AD structure by location and then generate an OU structure that matches it. Physically, this is understandable, and you can see what’s where. Logically, this causes issues because AD utilizes an inheritance model, and this gets complicated and very messy very quickly if you do not follow a strict model. This model falls on its face when you have a centralized IT force. As an example, the company I worked for acquired numerous other companies, and each company/location had its own IT workforce. Eventually, the company consolidated all of these external IT departments into one. The IT staff then standardized each site’s GPOs, which made having each one redundant.

This is a mockup of the OU structure:

And the GPO’s applied:

If you look closely, you can see that some sites are missing some GPOs, some have an extra GPO, and some have the same. The goal I was given is to consolidate the OUs with the same GPOs applied, and then I can examine the disparate ones individually. In order to make a nice spreadsheet to do this, I created this script (run on Windows; I added awk, sed, and grep to the windows\system32 folder and installed Group Policy Management).

Since the structure has a nice, predictable “end” OU (e.g., Laptops, Desktops, Users), I could script for that keyword:

This generates the following file:

Which looks like this when you put it in Excel:

Nice and pretty, and if you add conditional formatting on “x” you can easily identify which OUs are the same and can be consolidated, or just have a nice report on which GPOs are affecting which OUs.
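
The consolidation check described above, as an added example (not the author's script, which is not reproduced on this page): it builds the same kind of OU-by-GPO “x” matrix and lists OUs whose directly linked GPO sets are identical. The OU and GPO names are constructed sample data, and only direct links are compared; inheritance, link order and enforcement are not modelled.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data: (OU distinguished name, linked GPO display name).
# These names are invented for illustration; real pairs would come from
# whatever export of GPO links you already have.
LINKS = [
    ("OU=Laptops,OU=Boston,DC=lab,DC=com", "Baseline Workstation"),
    ("OU=Laptops,OU=Boston,DC=lab,DC=com", "BitLocker"),
    ("OU=Laptops,OU=Denver,DC=lab,DC=com", "BitLocker"),
    ("OU=Laptops,OU=Denver,DC=lab,DC=com", "Baseline Workstation"),
    ("OU=Laptops,OU=Austin,DC=lab,DC=com", "Baseline Workstation"),
    ("OU=Desktops,OU=Boston,DC=lab,DC=com", "Baseline Workstation"),
    ("OU=Desktops,OU=Boston,DC=lab,DC=com", "Legacy Proxy"),
]

def gpos_by_ou(links):
    """Map each OU to the set of GPOs linked directly to it."""
    table = defaultdict(set)
    for ou, gpo in links:
        table[ou].add(gpo)
    return dict(table)

def matrix_csv(links):
    """Return CSV text: one row per OU, one column per GPO, 'x' where linked."""
    table = gpos_by_ou(links)
    gpos = sorted({g for linked in table.values() for g in linked})
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["OU"] + gpos)
    for ou in sorted(table):
        writer.writerow([ou] + ["x" if g in table[ou] else "" for g in gpos])
    return out.getvalue()

def consolidation_candidates(links):
    """Group OUs whose linked GPO sets are identical (groups of two or more)."""
    groups = defaultdict(list)
    for ou, gpos in gpos_by_ou(links).items():
        groups[frozenset(gpos)].append(ou)
    return sorted(sorted(ous) for ous in groups.values() if len(ous) > 1)

if __name__ == "__main__":
    print(matrix_csv(LINKS))
    for ous in consolidation_candidates(LINKS):
        print("same GPO set:", "; ".join(ous))
```

OUs that appear in no group are the disparate ones to examine individually.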


Find all OU’s and what GPO’s are linked to them


I made a script using sed and AdFind to find all OUs and what GPOs were linked to them:

Love it 🙂

To expand on the above, here is a batch file that will find all empty OUs and what GPOs are linked to them:



AD Script to Link GPO’s via the command line


I’ve modified a script I found online to allow standard batch file passthrough for linking a GPO to an OU.

Usage: cscript.exe linkGPO.vbs "Test GPO" "" "OU=AD Project,DC=lab,DC=com"



Configure Local Group Policy via the command line


Apply a security policy using an .inf file

[Profile Description]
Description=profile description
[System Access]
MinimumPasswordAge = 10
MaximumPasswordAge = 30
MinimumPasswordLength = 6
RequireLogonToChangePassword = 0
NewAdministratorName = "NewAdminAccountName"
NewGuestName = "NewGuestAccountName"

Simple to apply from a cmd line

