Geeks With Blogs
derekf's blog On C#, repackaging applications, and deploying via group policy...
I was asked earlier today to come up with a list of what GPOs applied to a given box.  Simple enough given the code from one of the previous posts to ask AD what GPOs apply to the machine's OU, but I'm not convinced there's more to it than that.
Senior coder had started going through GetGPOList(), FreeGPOList(), and GetAppliedGPOList() but they didn't really play well in C# from an interop standpoint.  I'll likely give them a try at a later time.
Instead, today I went looking through the registry and came across HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\GPLink-List -- hey look, Windows keeps track of what GPOs apply, and unlike the "Machine OU" option I mentioned above, it also deals with inheritance.
The task seems pretty clear: Go through the subkeys of the GPLink-List key, and translate the DsPath entry from a GUID to a name. 
        // Requires: using System.Collections.Generic; using Microsoft.Win32;
        private List<string> GetListOfGPOs()
        {
            List<string> GPOList = new List<string>();
            string Keyname = @"SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\GPLink-List";
            using (RegistryKey rk = Registry.LocalMachine.OpenSubKey(Keyname))
            {
                if (rk == null) return GPOList; // key not present: nothing to report
                foreach (string GPOKey in rk.GetSubKeyNames())
                {
                    using (RegistryKey theKey = rk.OpenSubKey(GPOKey))
                    {
                        string Value = theKey.GetValue("DSPath", "").ToString();
                        // Special case: "LocalGPO" has no "cn=" path and is skipped
                        if (Value.Contains("cn="))
                            GPOList.Add(Value);
                    }
                }
            }
            return GPOList;
        }


And of course, we need a function to translate the GUID (actually the entire path) to the policy name. You might want additional info as well; all we were looking for was the name. Adjust the Properties you're looking for to suit:

        // Requires: using System; using System.DirectoryServices;
        private string TranslateFromGUIDToName(string path)
        {
            using (DirectoryEntry entry = new DirectoryEntry("LDAP://" + path, null, null, AuthenticationTypes.Secure))
            using (DirectorySearcher mySearcher = new DirectorySearcher(entry))
            {
                mySearcher.ClientTimeout = new TimeSpan(0, 0, 10);
                mySearcher.SearchScope = SearchScope.Subtree;
                try
                {
                    SearchResult result = mySearcher.FindOne();
                    // The property collection is empty when displayName is not set
                    if (result != null && result.Properties["displayName"].Count > 0)
                        return result.Properties["displayName"][0].ToString();
                }
                catch (Exception ex)
                {
                    return ex.Message;
                }
            }
            return "Not found.";
        }
So there you have it.  Not all that useful -- just giving the names of the policies that applied, but it's a start.
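One way to put the list to use, as an added example that is not part of the original post: compare the DSPath values returned by GetListOfGPOs() against a baseline of GPO GUIDs the machine is expected to receive, so a missing or unexpected policy stands out. The class and method names, the sample paths and the GUIDs are constructed for illustration, and the DSPath layout (cn={GUID},cn=policies,...) is an assumption.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;

static class GpoBaselineCheck   // hypothetical helper, not from the post
{
    // GPO container component of a DSPath: cn={GUID},cn=policies,... (assumed layout)
    static readonly Regex GuidRx = new Regex(
        @"cn=(\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\})", RegexOptions.IgnoreCase);

    // Returns the GPO GUID in upper case, or null for entries without one ("LocalGPO").
    public static string ExtractGuid(string dsPath)
    {
        Match m = GuidRx.Match(dsPath ?? "");
        return m.Success ? m.Groups[1].Value.ToUpperInvariant() : null;
    }

    // Baseline GUIDs that were not applied to this machine.
    public static List<string> Missing(IEnumerable<string> dsPaths, IEnumerable<string> baseline)
    {
        var applied = new HashSet<string>(dsPaths.Select(p => ExtractGuid(p)).Where(g => g != null));
        return baseline.Select(g => g.ToUpperInvariant()).Where(g => !applied.Contains(g)).ToList();
    }

    // Applied GUIDs that the baseline does not list.
    public static List<string> Unexpected(IEnumerable<string> dsPaths, IEnumerable<string> baseline)
    {
        var known = new HashSet<string>(baseline.Select(g => g.ToUpperInvariant()));
        return dsPaths.Select(p => ExtractGuid(p))
                      .Where(g => g != null && !known.Contains(g)).Distinct().ToList();
    }

    static void Main()
    {
        // Constructed sample values standing in for the output of GetListOfGPOs()
        string[] dsPaths = {
            "cn={11111111-2222-3333-4444-555555555555},cn=policies,cn=system,DC=example,DC=com",
            "cn={AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE},cn=policies,cn=system,DC=example,DC=com",
        };
        // Constructed baseline: GPO GUIDs this machine is expected to receive
        string[] baseline = {
            "{11111111-2222-3333-4444-555555555555}",
            "{99999999-8888-7777-6666-555555555555}",
        };
        Console.WriteLine("Missing:    " + string.Join(", ", Missing(dsPaths, baseline)));
        Console.WriteLine("Unexpected: " + string.Join(", ", Unexpected(dsPaths, baseline)));
    }
}
```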
Posted on Friday, January 4, 2008 8:33 AM
