Search for invalid GPOs

 

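# Finds Group Policy Objects that are candidates for cleanup and lists them by
# state. A GPO is reported when it is disabled, has only disabled links, is not
# linked anywhere (domain/OU links per the GPO report, site links per AD),
# grants nobody the "Apply Group Policy" permission, or contains no settings.
#
# Requirements: the GroupPolicy module (Get-GPO, Get-GPOReport, Get-GPPermission,
# Remove-GPO) and the ActiveDirectory module (Get-ADObject, Get-ADRootDSE). The
# caller needs read access to the GPOs and to the Sites container.
#
# Output: a GPOName/State table on the pipeline plus a summary on the host.
# Nothing is changed unless the deletion block at the end is un-commented.
$AllGPOs = Get-GPO -All

# @() keeps .Count meaningful when the domain has zero or one GPO.
$GPOCount = @($AllGPOs).Count
Write-Host ""
Write-Host "Found $GPOCount GPOs…"
Write-Host "Analyzing, please wait…"

# Findings. GPOId is recorded next to the display name because display names
# are not guaranteed unique in a domain; any follow-up action (Remove-GPO,
# Get-GPOReport, ...) should address the GPO by -Guid rather than by -Name.
$InvalidGPOs = @()

# Site links are not part of the report's LinksTo, so sites are inspected via
# their gPLink attribute. Resolve the search base once instead of once per GPO.
$SitesSearchBase = "CN=Sites,$((Get-ADRootDSE).configurationNamingContext)"

# Disabled GPOs (computer and user halves both switched off).
$DisabledGPOs = $AllGPOs | Where-Object { $_.GpoStatus -match "AllSettingsDisabled" }
foreach ($DisabledGPO in $DisabledGPOs) {
    $InvalidGPOs += New-Object PSObject -Property @{
        GPOName = $DisabledGPO.DisplayName
        GPOId   = $DisabledGPO.Id
        State   = "Disabled"
    }
}

# GPO links / apply permission / empty GPOs — checked for enabled GPOs only.
$EnabledGPOs = $AllGPOs | Where-Object { $_.GpoStatus -notmatch "AllSettingsDisabled" }
foreach ($EnabledGPO in $EnabledGPOs) {
    $GPOName = $EnabledGPO.DisplayName
    $GPOId   = $EnabledGPO.Id

    # Look the GPO up by GUID: -Name is ambiguous when two GPOs share a display
    # name, and the report/permissions would then describe the wrong object.
    [XML]$GPOReport = Get-GPOReport -Guid $GPOId -ReportType XML
    $GPOLinks = $GPOReport.GPO.LinksTo
    $GPOApplyPermission = Get-GPPermission -Guid $GPOId -All |
        Where-Object { $_.Permission -match "GpoApply" }

    if ($GPOLinks) {
        # @() so that a single link (or no disabled link) still yields a count.
        $GPOLinkCount = @($GPOLinks).Count
        $DisabledGPOLinksCount = @($GPOLinks | Where-Object { $_.Enabled -eq "false" }).Count
        if ($GPOLinkCount -eq $DisabledGPOLinksCount) {
            $InvalidGPOs += New-Object PSObject -Property @{
                GPOName = $GPOName
                GPOId   = $GPOId
                State   = "All Links disabled"
            }
        }
    }
    else {
        # LinksTo covers domain/OU links only; a GPO linked at a site appears in
        # that site's gPLink attribute, which references the GPO by its GUID.
        $Sitelinked = Get-ADObject -LDAPFilter '(objectClass=site)' `
            -SearchBase $SitesSearchBase -SearchScope OneLevel -Properties gPLink |
            Where-Object { $_.gPLink -like "*$GPOId*" }
        if (!$Sitelinked) {
            $InvalidGPOs += New-Object PSObject -Property @{
                GPOName = $GPOName
                GPOId   = $GPOId
                State   = "Not Linked"
            }
        }
    }

    # No principal holds "Apply Group Policy": the GPO is linked but never applies.
    if (!$GPOApplyPermission) {
        $InvalidGPOs += New-Object PSObject -Property @{
            GPOName = $GPOName
            GPOId   = $GPOId
            State   = "No Permissions"
        }
    }

    # Neither half of the GPO carries any extension data, i.e. no settings at all.
    if (!$GPOReport.GPO.Computer.ExtensionData -and !$GPOReport.GPO.User.ExtensionData) {
        $InvalidGPOs += New-Object PSObject -Property @{
            GPOName = $GPOName
            GPOId   = $GPOId
            State   = "Empty"
        }
    }
}

$InvalidGPOs | Sort-Object State | Format-Table GPOName, State

$InvalidGPOCount = @($InvalidGPOs).Count
Write-Host "Found $InvalidGPOCount invalid GPOs"
Write-Host ""

# Optional: delete the reported GPOs. Review the list first — "Not Linked" and
# "No Permissions" can be deliberate (staged or retired policies) and a GPO may
# appear under more than one state. Remove by GUID, not by name, take a backup
# (Backup-GPO) beforehand, and run with -WhatIf before dropping it.
#
# foreach ($InvalidGPO in $InvalidGPOs) {
#     Remove-GPO -Guid $InvalidGPO.GPOId -WhatIf
# }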
