如何解决循环错误以从OU获取GPO

Question

I created a PS script to find GPOs linked in an OU and subOUs, what am I doing wrong? I get this error and am confused about the message:

Get-ADOrganizationalUnit : Cannot bind parameter 'Identity'. Cannot convert the "@{DistinguishedName=OU=Windows 7,DC=domain,DC=com}" value of type "Selected.Microsoft.ActiveDirectory.Management.ADOrganizationalUnit" to type "Microsoft.ActiveDirectory.Management.ADOrganization alUnit". At F:\\Untitled4.ps1:11 char:39 + $LinkedGPOs = Get-ADOrganizationalUnit <<<< $OU | select-object -ExpandProperty LinkedGroupPolicyObjects + CategoryInfo : InvalidArgument: (:) [Get-ADOrganizationalUnit], ParameterBindingException + FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Microsoft.ActiveDirectory.Management.Commands.GetADOrganizationalUnit

get-module activedirectory,grouppolicy

$exportFilePath = "c:\temp\AllGPOsWin7-report date $(get-date -f dd-MM-yyyy).csv"
$OU = "ou=Windows 7,dc=domain,dc=com"

$AllSubOU = Get-ADOrganizationalUnit -SearchBase $OU -SearchScope Subtree -Filter * | 
     Select-Object DistinguishedName

foreach ($OU in $AllSubOU){
$OU
$LinkedGPOs = Get-ADOrganizationalUnit $OU | select-object -ExpandProperty LinkedGroupPolicyObjects

$LinkedGPOGUID = $LinkedGPOs | foreach-object{$_.substring(4,36)}

$GPOName = $LinkedGPOGUID | foreach-object{get-gpo -guid $_ | select-object displayname}

$OU,$ListGPO -join "," | Out-File -FilePath $exportFilePath -Append -Width 200

Answer 1

The issue is with your

$AllSubOU = Get-ADOrganizationalUnit -SearchBase $OU -SearchScope Subtree -Filter * | 
 Select-Object DistinguishedName

command, this should be change to

$AllSubOU = Get-ADOrganizationalUnit -SearchBase $OU -SearchScope Subtree -Filter * | 
 Select-Object -ExpandProperty DistinguishedName

Since you didn't specify the expand part, PowerShell was returning it inside a container. Hence the OU being in curly brackets {} in the error code

UPDATE - Following from the comments on this answer, please see below:

#create a new hashtable
$hashTable = [hashtable]::new{}

#define the root OU
$rootOU = "OU=computers,DC=domain,DC=local"

#get all the sub OU in the root OU
$allSubOU = Get-ADOrganizationalUnit -SearchBase $rootOU -SearchScope Subtree -Filter * | Select-Object -ExpandProperty DistinguishedName

#loop through the sub OUs
foreach ($subOU in $allSubOU){

    #get the linked GPO objects on the OU
    $linkedGPO = Get-ADOrganizationalUnit $subOU | Select-Object -ExpandProperty LinkedGroupPolicyObjects

    #if the OU has a GPO then run through them
    if ($linkedGPO){

        #adding name to hashtable for current OU
        $hashTable.Add($subOU, @())

        #running through each GPO in sub OU
        foreach($GPO in $linkedGPO){

            #getting GUID from GPO
            $GPOGuid = $GPO.SubString(4,36)

            #using GUID to get displayname of GPO
            $GPOName = Get-GPO -Guid $GPOGuid | Select-Object -ExpandProperty DisplayName

            #add the GPO to the hashttable for the current OU
            $hashTable.$subOU += $GPOName
        }
    }else{
        #ou has no GPOs
        $hashTable.Add($subOU, "No GPO")
    }
}

#enumerate through the hashtable
$hashTable.GetEnumerator() | 
    #add OU to OU column in csv
    Select-Object -Property @{N='OU';E={$_.Name}},
    #add GPO to GPO(s) column in CSV
    @{N='GPO(s)';E={$_.Value}   } | 
    #export to CSV
    Export-Csv -NoTypeInformation -Path PATH

Answer 2

Note that $ListGPO does not exist, and you have to expand the GPOs in case more than one is linked. Moreover, Get-ADOrganizationalUnit has to extract the property LinkedGroupPolicyObjects to use it (use -Properties LinkedGroupPolicyObjects ) I changed separator in -join from "," to "|" because Distinguishednames have commas inside. Also, -width 200 would cut off GPO when that limit is reached. Would be better to build a custom object and use Export-Csv probably.

Find below a tentative script .

get-module activedirectory,grouppolicy
$exportFilePath = "c:\temp\AllGPOsWin7-report date $(get-date -f dd-MM-yyyy).csv"
$myOU = "ou=Windows 7,dc=domain,dc=com"

$AllSubOU = (Get-ADOrganizationalUnit -SearchBase $OU -SearchScope Subtree -Filter *).DistinguishedName

foreach ($myOU in $AllSubOU){
    $myOU
    $LinkedGPOs = ( Get-ADOrganizationalUnit $myOU -properties LinkedGroupPolicyObjects).LinkedGroupPolicyObjects
    $LinkedGPOGUID = $LinkedGPOs | foreach-object{$_.substring(4,36)}
    $GPOName = ( $LinkedGPOGUID | foreach-object { (get-gpo -guid $_) | select-object -expandproperty displayname}) -join "|"
    $out = if ( $GPOname ) { $myOU,$GPOName -join "|"} else { $myOU } 
    $out | Out-File -FilePath $exportFilePath -Append -Width 200
}