Group Policy Information Using PowerShell

It’s time to clean up our Group Policies a bit. Let’s make several reports that will help us:

First we need to load the GroupPolicy module:

Import-Module GroupPolicy

Export all GPOs to one HTML report:

Get-GPOReport -All -ReportType html -Path C:\GPOReports\GposReport.html

Export each GPO to its own HTML report:

Get-GPO -All | %{
    Get-GPOReport -name $_.displayname -ReportType html -path ("c:\GPOReports\"+$_.displayname+".html")
}

Let’s find GPOs with all settings disabled:

$reportFile = "c:\GPOReports\AllSettingsDisabledGpos.csv"
Set-Content -Path $reportFile -Value ("GPO Name,Settings")
Get-GPO -All | where{ $_.GpoStatus -eq "AllSettingsDisabled" } | % {
    add-Content -Path $reportFile -Value ($_.displayName+","+$_.gpoStatus)
}

Now let’s find GPOs that don’t apply to anyone and, for those that do apply, find out to whom:

$reportFile = "c:\GPOReports\GPOApplyToPermissions.csv"
Set-Content -Path $reportFile -Value ("GPO Name,User/Group,Denied")
Get-GPO -All | %{
    $gpoName = $_.displayName
    [int]$counter = 0
    $security = $_.GetSecurityInfo()
    $security | where{ $_.Permission -eq "GpoApply" } | %{
        add-Content -Path $reportFile -Value ($gpoName + "," + $_.trustee.name+","+$_.denied)
        $counter += 1
    }
    if ($counter -eq 0)
    {
        add-Content -Path $reportFile -Value ($gpoName + ",NOT APPLIED")
    }
}

Get GPOs, their links and WMI filters:

$reportFile = "c:\GPOReports\GPOLinksAndWMIFilters.csv"
Set-Content -Path $reportFile -Value ("GPO Name,# Links,Link Path,Enabled,No Override,WMI Filter")
$gpmc = New-Object -ComObject GPMgmt.GPM
$constants = $gpmc.GetConstants()
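Get-GPO -All | %{
    [int]$counter = 0
    [xml]$report = $_.GenerateReport($constants.ReportXML)
    # Without strict mode, a missing FilterName element returns $null instead of
    # throwing, so test the value rather than relying on try/catch.
    $wmiFilterName = $report.GPO.FilterName
    if (-not $wmiFilterName)
    {
        $wmiFilterName = "none"
    }
    # Wrap in @() so a GPO with a single link still reports a count of 1.
    $linkCount = @($report.GPO.LinksTo | where{ $_.SOMPath -ne $null }).Count
    $report.GPO.LinksTo | % {
        if ($_.SOMPath -ne $null)
        {
            $counter += 1
            add-Content -Path $reportFile -Value ($report.GPO.Name + "," + $linkCount + "," + $_.SOMPath + "," + $_.Enabled + "," + $_.NoOverride + "," + $wmiFilterName)
        }
    }
    if ($counter -eq 0)
    {
        # Keep all six columns so the row lines up with the header.
        add-Content -Path $reportFile -Value ($report.GPO.Name + "," + $counter + "," + "NO LINKS" + "," + "NO LINKS" + "," + "NO LINKS" + "," + $wmiFilterName)
    }
}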
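
The same link report built from objects instead of concatenated strings, so the CSV cmdlets quote GPO names that contain commas and a GPO whose links are all disabled is flagged alongside unlinked ones. This is an added example, not code from the original post: the function name Get-GpoLinkRow, the CleanupCandidate column and the sample report XML are constructed for illustration. In a domain, feed it the output of Get-GPOReport -Guid $gpo.Id -ReportType Xml and pipe the rows to Export-Csv -NoTypeInformation.

```powershell
# Added example: function name, CleanupCandidate column and sample XML are constructed.
function Get-GpoLinkRow {
    param([Parameter(Mandatory)][xml]$Report)

    $gpo    = $Report.GPO
    $filter = if ($gpo.FilterName) { $gpo.FilterName } else { 'none' }
    # @() makes zero, one and many LinksTo elements all behave as an array.
    $links  = @($gpo.LinksTo | Where-Object { $_ -and $_.SOMPath })
    # A GPO with no links, or only disabled links, applies nowhere.
    $active = @($links | Where-Object { $_.Enabled -eq 'true' })
    $candidate = ($active.Count -eq 0)

    if ($links.Count -eq 0) {
        return [pscustomobject]@{
            'GPO Name' = $gpo.Name; '# Links' = 0; 'Link Path' = 'NO LINKS'
            'Enabled' = ''; 'No Override' = ''; 'WMI Filter' = $filter
            'CleanupCandidate' = $candidate
        }
    }
    foreach ($link in $links) {
        [pscustomobject]@{
            'GPO Name' = $gpo.Name; '# Links' = $links.Count; 'Link Path' = $link.SOMPath
            'Enabled' = $link.Enabled; 'No Override' = $link.NoOverride; 'WMI Filter' = $filter
            'CleanupCandidate' = $candidate
        }
    }
}

# Constructed sample reports, trimmed to the elements the function reads.
$ns = 'http://www.microsoft.com/GroupPolicy/Settings'
$samples = @(
    "<GPO xmlns='$ns'><Name>Workstations, Kiosk</Name><FilterName>Win10 only</FilterName>
       <LinksTo><SOMPath>example.local/Kiosks</SOMPath><Enabled>true</Enabled><NoOverride>false</NoOverride></LinksTo>
       <LinksTo><SOMPath>example.local/Lobby</SOMPath><Enabled>false</Enabled><NoOverride>false</NoOverride></LinksTo></GPO>",
    "<GPO xmlns='$ns'><Name>Old Proxy Settings</Name></GPO>"
)
# Print the rows as CSV; the comma in the first GPO name stays inside one quoted field.
$samples | ForEach-Object { Get-GpoLinkRow -Report $_ } | ConvertTo-Csv -NoTypeInformation
```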

And let’s find the Organizational Units with Block GPO Inheritance:

We also need to load the ActiveDirectory module for this one. Replace DC=Your,DC=Domain with your own domain’s distinguished name.

Import-Module ActiveDirectory
$reportFile = "c:\GPOReports\OUsWithBlockInharit.csv"
set-Content -Path $reportFile -Value ("Block Inheritance OU Path")
Get-ADOrganizationalUnit -SearchBase "DC=Your,DC=Domain" -Filter * | Get-GPInheritance | Where-Object { $_.GPOInheritanceBlocked } | %{
    add-Content -Path $reportFile -Value ($_.path)
}
