Microsoft KB Archive/248392

From BetaArchive Wiki

Article ID: 248392

Article Last Modified on 2/28/2007


  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server

This article was previously published under Q248392


Administrators may need a way of automating the modification of the Group Policy objects (GPOs) that apply to a given site, domain, or organizational unit. This article contains a sample Visual Basic script that, when run on a computer that is a member of a domain, displays the list of available GPOs and allows the user to manually add a GPO link. You should consider the sample script in this article only a guide as to what can be accomplished. You should modify it to meet your specific needs.

Portions of this script rely on IADsTools, a Component Object Model (COM) object that can be used for many functions, including the one described in this article to enumerate GPOs. IADsTools is included with the Windows 2000 Support tools, which are located in the Support\Tools folder on the Microsoft Windows 2000 Professional or Server CD-ROMs. Detailed information about the function parameters for IADsTools is located in the Windows 2000 Support Tools documentation.


Warning A malformed Group Policy Link (GPLink) attribute can cause problems. For additional information about a related issue, click the following article number to view the article in the Microsoft Knowledge Base:

870997 Windows XP and Windows 2000 clients that share a single organizational unit stop responding or spontaneously restart

To use this script, follow these steps.

  1. Copy the text listed later in this article and paste it into Notepad.
  2. Replace "ServerName" with the name of the computer holding the primary domain controller (PDC) Flexible Single Master Operations (FSMO) role for the domain. Replace "DC=MyDomain,DC=Com" with the distinguished name (DN) of your domain in the "SET SDOU=GetObject("LDAP://ServerName/DC=MyDomain,DC=Com")" line.
  3. Replace "" and "ServerName" with the fully qualified domain name (FQDN) of the domain and the name of the server in the "Result=DLL.GetGPOs("","ServerName")" line.
  4. Search for the "DLL.GetDefaultNamingContext("ServerName")" string and replace "ServerName" with the name of the server used in the previous two steps.
  5. Save the file as Gpollink.vbs.
  6. At a command prompt, type cscript gpollink.vbs.

The script first enumerates the GPOs in the domain and displays those as output in the command prompt window. It then displays the site, domain, or organizational unit that is the target of the operation (that is, which Active Directory container will be modified to contain a new Group Policy link). The information in this sample script is static. A dialog box then prompts the user for the friendly name of the GPO to add a link for. If it is successful, the following message is displayed in the command prompt window:

Successfully added a link to this SDOU for the GPO (Policy Name)


  • This script always adds the new GPO to the top of the priority list.
  • If the same friendly name is repeated across multiple GPOs, only the first in the list of enumerated GPOs is used.

Sample Script

'Purpose:  adds a Group Policy link to an existing Site, Domain, or OU 
'Syntax:  (from a command prompt) CSCRIPT GPOLLINK.VBS

'NOTE:  if you modify this script and pass variables to the IADSTOOLS functions, these variables
'must be typed when you pass them in.  Please see "Programs -> Windows 2000 Support Tools -> Tools Help"
'for more information

'in case the gpLink attribute isn't populated, continue anyway
On Error Resume Next

'the IADSTOOLS com object that ships with the Support Tools has many
'functions that make it easier to retrieve data stored in the DS

'instance the object
Set DLL=CreateObject("iadstools.dcfunctions")

'bind to the Site, Domain, or OU (SDOU) that you want to manage the links on
'specify the PDC name when doing this
Set SDOU=GetObject("LDAP://ServerName/dc=MyDomain,dc=com")

'call the IADSTOOLS function to enumerate the Group Policy Objects (GPOs)

'if a positive number of GPOs is returned, then list them
if result > 0 then
    'we found gpos in the list
    for i=1 to result
        'print them out to the display
        wscript.echo DLL.gponame(i)
        wscript.echo "     " & dll.gpoguid(i)
    'we didn't find any - none to display
    wscript.echo "No GPOs were found."
end if

'again, if a positive number of GPOs is returned, than we can
'offer the user the option of linking a GPO to the selected SDOU
if Result > 0 then
    'display the SDOU we will be modifying just in case it is incorrect before they
    'make any modification
    wscript.echo ""
    wscript.echo "The SDOU you will be modifying is:"
    wscript.echo "     " & SDOU.adspath

    'ask the user for the textual name of the existing GPO to add
    askGUID=inputbox("Enter the name of the GPO to add (case is not important):")

    'if they hit cancel or entered nothing, exit
    if askGUID="" then
        'do nothing
        'cycle through the GPOs we got back from IADSTOOLS and find the GPO the user
        for i=1 to result
            'we drop both items being compared to lower case to rule out case
            if lcase(DLL.gponame(i))=lcase(askGUID) then
                'we found a match.  Determine the links that already exist, if any

                'construct a new link to add to the existing links
                currentGPLIST=currentGPLIST & "[LDAP://CN=" & DLL.gpoguid(i) & ",CN=Policies,CN=System," & DLL.getdefaultnamingcontext("ServerName") & ";0]"

                'write the new list back to the gpLink attribute on the SDOU
                SDOU.put "gpLink",currentGPLIST

                'commit the change

                'tell the user we completed successfully
                wscript.echo ""
                wscript.echo "Successfully added a link to this SDOU for the GPO (" & DLL.gponame(i) & ")"

                'only process the first one we come to that has the correct name
                Exit For
            end if
    end if
end if


For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

870997 Windows XP and Windows 2000 clients that share a single organizational unit stop responding or spontaneously restart

Keywords: kbenv kbinfo KB248392