How To Find All Objects Impacted By A Group Policy Object (GPO) Using PowerShell

One GPO to rule them, one GPO to find them, One GPO to bring them all and in the darkness bind them… Darkness? Wait a second… Which objects does that apply to? As long as it isn’t mine, we’re good!

GPOs can have a big impact on Active Directory’s users and computers because of they types of policies you can control using Group Policy. Almost anything! So how do you determine which objects will be impacted? Well, you could pull up Group Policy Management, look through the security filtering, and then check all of that GPO’s links for members of those groups. But how do you know which Dave is in Accounting and which one is in HR? You could pull up that user and check their group memberships, but are any of their groups nested? … Well, you get my point.

Dude, chill. PowerShell can do this and you can finish your coffee. In this snip, Anthony will run you through writing a PowerShell function to find all of the objects impacted by a Group Policy Object. We’ll be using a lot of Active Directory cmdlets, but the important ones are: Get-GPO and Get-GPPermission. We’ll also need to enumerate some Active Directory objects using Get-ADOrganizationalUnit, Get-ADDomain, and Get-ADObject. Check out the snip and all will be made clear!

Prerequisites include: Group Policy PowerShell module Active Directory Module

Recommended Snips: