PowerShell: Mapping GPOs to their Linked Organizational Units

As an Active Directory environment grows, keeping track of where specific Group Policy Objects (GPOs) are linked becomes a significant challenge. The “Group Policy Management Console” (GPMC) is great for looking at one GPO at a time, but if you need a bird’s-eye view of your entire inheritance structure, you need automation.

This PowerShell script sweeps through all Organizational Units (OUs), identifies the unique GUIDs of linked policies, resolves those GUIDs into human-readable GPO names, and exports the mapping to a CSV file.


The PowerShell Script

Before running, create a folder at C:\temp\GroupPolicyandLinkedOU\. This script requires the Active Directory and Group Policy modules (included with RSAT).

PowerShell

    # Requires the ActiveDirectory and GroupPolicy modules (RSAT)
    Import-Module ActiveDirectory
    Import-Module GroupPolicy

    # Initialize the output file with headers
    $Header = "GPO_Name;OU_Name;OU_DistinguishedName"
    $Folder = "C:\temp\GroupPolicyandLinkedOU\"
    $Path   = Join-Path $Folder "out.csv"
    if (!(Test-Path $Folder)) { New-Item -ItemType Directory -Path $Folder | Out-Null }
    $Header | Out-File $Path

    # Get all OUs with their linked GPO attributes
    $policies = Get-ADOrganizationalUnit -Filter * -Properties LinkedGroupPolicyObjects
    $policies | ForEach-Object {
        $OUName     = $_.Name
        $OUDN       = $_.DistinguishedName
        $LinkedGPOs = $_.LinkedGroupPolicyObjects

        foreach ($LinkedGPO in $LinkedGPOs) {
            # Extract the GUID from the DistinguishedName string
            # String format is usually: cn={GUID},cn=policies,cn=system,DC=domain...
            $GUID = $LinkedGPO.Split(",")[0].Replace("cn={","").Replace("}","").Replace("CN={","")
            try {
                # Resolve the GUID to a friendly Display Name
                # -ErrorAction Stop makes a missing GPO a terminating error so the catch block runs
                $GPO = Get-GPO -Guid $GUID -ErrorAction Stop
                $msg = "$($GPO.DisplayName);$OUName;$OUDN"

                # Output to console and file
                Write-Host "Mapped: $($GPO.DisplayName) -> $OUName" -ForegroundColor Cyan
                $msg | Out-File $Path -Append
            }
            catch {
                # A GUID that no longer resolves is a "ghost" link: the GPO was deleted but the link remains
                Write-Warning "Could not resolve GPO GUID: $GUID linked at $OUName"
            }
        }
    }

How it Works

  • LinkedGroupPolicyObjects Property: The script looks at the raw attribute on the OU object. In Active Directory, links aren’t stored as names; they are stored as the DistinguishedName of the GPO container, which includes the GUID.
  • String Manipulation: The script uses .Split and .Replace to strip away the LDAP syntax, leaving only the raw GUID string.
  • Get-GPO -Guid: This cmdlet takes that raw ID and queries the domain for the actual GPO metadata, allowing us to retrieve the DisplayName.
  • Semicolon Delimited: The output uses ; as a delimiter. When opening the file in Excel, you can easily use “Text to Columns” to separate the data into clean fields.

Why Use This Script?

  1. Inheritance Audits: Quickly see if a legacy GPO is linked to an OU it shouldn’t be.
  2. Troubleshooting: If a user is getting a strange setting, you can search the CSV for their OU and see every policy applied.
  3. Clean-up: Identify “ghost” links—SIDs/GUIDs that remain linked to an OU even though the GPO itself has been deleted.
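The following script is an added example and not part of the original post. It covers the same ground as the "How it Works" section and the "ghost link" clean-up case above, but reads the raw gPLink attribute instead of LinkedGroupPolicyObjects, so it also captures each link's Enforced and Link Disabled flags and includes GPOs linked at the domain root. GUID lookups are cached so each GPO is resolved once, and a GUID that no longer resolves is reported as a ghost link instead of silently dropped. The output path, the function names and the regular expression are this example's own choices; it assumes the ActiveDirectory and GroupPolicy modules (RSAT) are installed.

```powershell
# Added example (not from the original post): map GPO links from gPLink, with link flags and ghost detection.
# Requires the ActiveDirectory and GroupPolicy modules (RSAT). Site-level links are not covered.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function ConvertFrom-GPLink {
    param([Parameter(Mandatory)][string]$GPLink)
    # gPLink format: [LDAP://cn={GUID},cn=policies,cn=system,DC=...;<options>][...]
    # options bit 0 (value 1) = link disabled, bit 1 (value 2) = enforced
    $pattern = '\[LDAP://cn=\{(?<guid>[0-9a-fA-F-]{36})\},[^;]*;(?<opt>\d+)\]'
    foreach ($m in [regex]::Matches($GPLink, $pattern, 'IgnoreCase')) {
        $opt = [int]$m.Groups['opt'].Value
        [pscustomobject]@{
            Guid     = $m.Groups['guid'].Value
            Disabled = [bool]($opt -band 1)
            Enforced = [bool]($opt -band 2)
        }
    }
}

function Get-GPOLinkReport {
    param([string]$OutputPath = "C:\temp\GroupPolicyandLinkedOU\links.csv")   # example path, adjust as needed
    # The domain root and every OU can carry a gPLink attribute
    $domain = Get-ADDomain
    $scopes = @(Get-ADObject -Identity $domain.DistinguishedName -Properties gPLink) +
              @(Get-ADOrganizationalUnit -Filter * -Properties gPLink)

    $gpoCache = @{}   # GUID -> DisplayName, or $null when the GPO no longer exists
    $report = foreach ($scope in $scopes) {
        if ([string]::IsNullOrWhiteSpace($scope.gPLink)) { continue }
        foreach ($link in ConvertFrom-GPLink -GPLink $scope.gPLink) {
            $key = $link.Guid.ToLowerInvariant()
            if (-not $gpoCache.ContainsKey($key)) {
                try   { $gpoCache[$key] = (Get-GPO -Guid $link.Guid -ErrorAction Stop).DisplayName }
                catch { $gpoCache[$key] = $null }   # deleted GPO, link left behind
            }
            $isGhost = ($null -eq $gpoCache[$key])
            $name    = if ($isGhost) { '<GHOST LINK>' } else { $gpoCache[$key] }
            [pscustomobject]@{
                GPO_Name = $name
                GPO_Guid = $link.Guid
                Enforced = $link.Enforced
                Disabled = $link.Disabled
                Ghost    = $isGhost
                Scope_DN = $scope.DistinguishedName
            }
        }
    }

    $dir = Split-Path -Parent $OutputPath
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    # Export-Csv quotes fields, so a semicolon inside a GPO name cannot break the column layout
    $report | Export-Csv -Path $OutputPath -Delimiter ';' -NoTypeInformation -Encoding UTF8
    $report
}

$links = Get-GPOLinkReport
$links | Where-Object Ghost | Format-Table GPO_Guid, Scope_DN -AutoSize
```

Run it from a workstation with RSAT as a user that can read the domain and GPO containers; the final line lists only the ghost links, which are the candidates for `Remove-GPLink` clean-up after you have confirmed the GUID is not a replication lag artifact.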

#PowerShell #ActiveDirectory #GroupPolicy #SysAdmin #WindowsServer #ITAutomation #LazyAdmin #TechTips #ITPro #Infrastructure

Stop Brute Force Cold: How to Rename the Local Administrator via GPO | Lazy Admin Blog

The “Administrator” account is a universal target. Because every Windows machine has one by default, hackers already have 50% of the login equation—the username. By renaming this built-in account across your entire Active Directory domain, you significantly lower the risk of automated brute-force attacks.

Best of all? You don’t have to touch a single workstation. We can do this globally using Group Policy Preferences (GPP).

Step 1: Create or Edit your GPO

  1. Open the Group Policy Management console (gpmc.msc).
  2. Create a new GPO (e.g., “Security – Rename Local Admin”) or edit an existing one linked to your target Workstations or Servers OU.
  3. Right-click the GPO and select Edit.

Step 2: Configure the Local User Preference

Navigate to the following path within the editor: Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups

  1. Right-click Local Users and Groups and select New > Local User.
  2. Configure the following settings in the dialog box:
    • Action: Select Update.
    • User name: Select Administrator (built-in) from the dropdown. (Using the built-in identifier ensures the rename works even if the account was previously renamed).
    • Rename to: Enter your new, non-obvious username (e.g., SrvManager_Admin).
    • Full name: Enter a descriptive name.
    • Password: You can optionally reset the password here, though using LAPS (Local Administrator Password Solution) is recommended for password management.

Step 3: Deployment & Verification

By default, Group Policy refreshes every 90 minutes. If you want to see the change immediately on a specific client, run the following command in an elevated prompt:

DOS

gpupdate /force

Is it working?

If the name hasn’t changed, use the GPResult tool to see if the policy is being applied to the computer object:

DOS

gpresult /r

Troubleshooting Tips:

  • OU Check: Ensure the Computer object is actually inside the OU where the GPO is linked.
  • Security Filtering: Verify that Authenticated Users or Domain Computers have “Read” and “Apply Group Policy” permissions in the GPO’s Delegation tab.
  • Replication: If some sites see the change and others don’t, check your Domain Controller replication status.
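To verify the rename across the whole OU rather than one machine at a time, the script below is an added example that is not part of the original post. It keys the check on the account's SID rather than its name: the built-in Administrator always keeps relative identifier 500, which is also why the GPP "Administrator (built-in)" selector works regardless of the current name. That same stable RID is the reason the rename should be paired with LAPS and lockout policy rather than relied on alone. The OU distinguished name and the expected account name are placeholders; the script assumes the ActiveDirectory module on the admin workstation, PowerShell 5.1 or later (for Get-LocalUser) and WinRM enabled on the targets.

```powershell
# Added example (not from the original post): confirm the built-in Administrator rename on every computer in an OU.
# Assumes the ActiveDirectory module locally, PowerShell 5.1+ and WinRM on the targets.
Import-Module ActiveDirectory

$ExpectedName = 'SrvManager_Admin'                      # the "Rename to" value from the GPP item (example)
$TargetOU     = 'OU=Workstations,DC=corp,DC=example'    # placeholder: the OU the GPO is linked to

$computers = (Get-ADComputer -Filter * -SearchBase $TargetOU).Name

$results = Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue `
    -ArgumentList $ExpectedName -ScriptBlock {
    param($Expected)
    # RID 500 identifies the built-in Administrator whatever it is currently called
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        CurrentName = $admin.Name
        Enabled     = $admin.Enabled
        Renamed     = ($admin.Name -eq $Expected)
    }
}

# Machines that did not answer over WinRM need a separate look (offline, firewall, or not yet refreshed)
$reached     = @($results.Computer)
$unreachable = $computers | Where-Object { $_ -notin $reached }

$results | Sort-Object Renamed, Computer |
    Format-Table Computer, CurrentName, Enabled, Renamed -AutoSize

$pending = @($results | Where-Object { -not $_.Renamed })
if ($pending)     { Write-Warning "Rename not applied on: $($pending.Computer -join ', ')" }
if ($unreachable) { Write-Warning "Not reachable over WinRM: $($unreachable -join ', ')" }
```

A machine that is reachable but still reports the old name is the one to run `gpresult /r` on; a machine in the unreachable list has not necessarily missed the policy, it simply could not be checked remotely.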

Why this is a “Lazy Admin” Win

Instead of using scripts or manual intervention, GPO Preferences handle the logic for you. If you ever need to change the name again, you update one field in the GPO, and the entire domain follows suit.