Engineering SOE, GPOs, Citrix for Desktop Platform Administration: January 2014

Friday, January 17, 2014

PowerShell Script: GPO replication status across Domain Controller

Helloooo !!

A colleague asked me to create a PS script to check for a given GPO its AD and Sysvol versions across all Domain Controllers.

So I wrote this script that utilize the ActiveDirectory and GroupPolicy Module.

Depending on the size of your domain it can take a couple of minutes to contact each DC and retrieve the info, so launch it and go for a coffee or something...

In the same fashion as for the script from my last post, we will again be using a system object to collect all of the data together, which gives you the option to pipe it nicely to display the data or create CSV reports.
So here we go:

What the script does:

This script takes the name of the GPO you want to check the replication status as an argument.

It then uses the get-addomaincontroller cmdlet from the ActiveDirectory Module to gather a list of all domain controllers host name to query.

The retrieval of the versions on each DC is done using the Get-GPO cmdlet with -server option.

All of it is then wacked into a System.Object which is output at the end of the process.

It is assumed that the ActiveDirectory and GroupPolicy modules are already imported in your session and that you have set the ExecutionPolicy properly on your system beforehand so that you can run the script locally.

How it works:

Here are a few syntax example to use the script.

& Get-GPOReplicationReport.ps1 "My GPO Name_v1.5" | Out-GridView

The script creates a report for the specified GPO and display it in the out.GridView window.

& Get-GPOReplicationReport.ps1 "My GPO Name_v1.5" | ConverTo-Csv -Delimiter ','

The script creates a report for the specified GPO and display it in the powershell host window as a comma delimited string (for copy and paste) .

& Get-GPOReplicationReport.ps1 "My GPO Name_v1.5" | Export-Csv -Delimiter ',' -Path C:\MyGPOReplicationReport.csv
The script creates a report for the specified GPO and save it as a CSV file.

Download Link:

https://drive.google.com/file/d/0B3ED4HUGG162V2FQcXJTSW03Rk0/edit?usp=sharing

Script Content:

#Created by toussman@gmail.com on 17/01/2014

#http://theplatformadmin.blogspot.co.uk/

param(

[parameter(Mandatory = $TRue )][String]$GPOName

)

$DCList = (get-addomaincontroller -filter *).hostname

$colGPOVer = @()

foreach ($DC in $DCList){

$objGPOVers = New-Object System.Object

$GPOObj = Get-GPO $GPOName -server $DC

$UserVersion = [string]$GPOObj.User.DSVersion + ' (AD), ' + [string]$GPOObj.User.SysvolVersion + ' (sysvol)'

$ComputerVersion = [string]$GPOObj.Computer.DSVersion + ' (AD), ' + [string]$GPOObj.Computer.SysvolVersion + ' (sysvol)'

$objGPOVers | Add-Member -type noteproperty -name GPOName -value $GPOName

$objGPOVers | Add-Member -type noteproperty -name DCName -value $DC

$objGPOVers | Add-Member -type noteproperty -name UserVersion -value $UserVersion

$objGPOVers | Add-Member -type noteproperty -name ComputerVersion -value $ComputerVersion

$colGPOVer += $objGPOVers

}

$colGPOVer | sort-object GPOName, DCName

Well, that's it for this post.

I hope you will find the script useful and if you have any suggestions or spot something that can be improved leave me a comment to let me know.

Until next time !!

Thursday, January 16, 2014

PowerShell Script: HouseKeeping GPO Report

Hello there !!

My first post for 2014 is going to be about a Powershell script I just created to produce a GPO Report to keep track of the environment and also list GPOs for housekeeping tasks such as listing all the GPOs without WMIfilter, all the GPOs linked to a particular OU, ...

None of the GroupPolicy cmdlets that come with the GroupPolicy Module in RSAT actually allowed me to produce an all in one report based on the actual object configuration (i.e.: OU Linked, WMI filter applied, Security filtering, ... ).

It is assumed that you have imported the GroupPolicy module and that you have set the ExecutionPolicy properly on your system beforehand so that you can run the script locally.

What the script does:

The script gets a specified list or all of the GPO in a domain and returns the following list of properties per GPO and per OU Link:
GPOName, LinksPath, WmiFilter, CreatedTime, ModifiedTime, ComputerRevisionsAD, ComputerRevisionsSYSVOL, UserRevisionsAD, UserRevisionsSYSVOL, ComputerSettingsEnabled, UserSettingsEnabled, SecurityFilter.

In other words if a GPO is linked to more than one OU it will appear once per OU where it is linked in the report. That is the same as the GPMC display tree view.

The report focuses on what is actually in effect on the domain, therefore:
- Links that are not enabled are discarded automatically.
- Security filtering for groups, users and computers that have been deleted from the domain but are still showing as SID in the GPO are skipped and not showing the report.

How it works:

Here are a few syntax example to use the script.

& Get-GPOReport.ps1 -All | Out-GridView

The script creates a report for all the GPOs on the domain.

& Get-GPOReport.ps1 -GPOList GPOName1,GPOName2,GPOName3 | ConverTo-Csv -Delimiter ','

The script creates a report for the specified GPO.

$a = Get-Content C:\MyListOfGPOs.txt
& Get-GPOReport.ps1 -GPOList $a | Export-Csv -Delimiter ',' -Path C:\MyGPOReport.csv
The script creates a report for the GPOs specified in C:\MyListOfGPOs.txt.

Download Link:

https://drive.google.com/file/d/0B3ED4HUGG162LTNWWGNRaENVWmc/edit?usp=sharing

Script Content:

#Created by toussman@gmail.com on 16/01/2014

#http://theplatformadmin.blogspot.co.uk/

param(

[parameter(Mandatory = $False )][array]$GPOList,

[parameter(Mandatory = $False )][switch]$All

)

if( $All ){$GPOList = (Get-Gpo -All).DisplayName}

If( $GPOList -eq $null){Write-Host "Specify a list of GPOs!!"; Break}

$colGPOLinks = @()

foreach ($GPOItem in $GPOList){

[xml]$gpocontent = Get-GPOReport $GPOItem -ReportType xml

$LinksPaths = $gpocontent.GPO.LinksTo | ?{$_.Enabled -eq $True} | %{$_.SOMPath}

$Wmi = Get-GPO $GPOItem | Select-Object WmiFilter

$CreatedTime = $gpocontent.GPO.CreatedTime

$ModifiedTime = $gpocontent.GPO.ModifiedTime

$CompVerDir = $gpocontent.GPO.Computer.VersionDirectory

$CompVerSys = $gpocontent.GPO.Computer.VersionSysvol

$CompEnabled = $gpocontent.GPO.Computer.Enabled

$UserVerDir = $gpocontent.GPO.User.VersionDirectory

$UserVerSys = $gpocontent.GPO.User.VersionSysvol

$UserEnabled = $gpocontent.GPO.User.Enabled

$SecurityFilter = ((Get-GPPermissions -Name $GPOItem -All | ?{$_.Permission -eq "GpoApply"}).Trustee | ?{$_.SidType -ne "Unknown"}).name -Join ','

foreach ($LinksPath in $LinksPaths){

$objGPOLinks = New-Object System.Object

$objGPOLinks | Add-Member -type noteproperty -name GPOName -value $GPOItem

$objGPOLinks | Add-Member -type noteproperty -name LinksPath -value $LinksPath

$objGPOLinks | Add-Member -type noteproperty -name WmiFilter -value ($wmi.WmiFilter).Name

$objGPOLinks | Add-Member -type noteproperty -name CreatedTime -value $CreatedTime

$objGPOLinks | Add-Member -type noteproperty -name ModifiedTime -value $ModifiedTime

$objGPOLinks | Add-Member -type noteproperty -name ComputerRevisionsAD -value $CompVerDir

$objGPOLinks | Add-Member -type noteproperty -name ComputerRevisionsSYSVOL -value $CompVerSys

$objGPOLinks | Add-Member -type noteproperty -name UserRevisionsAD -value $UserVerDir

$objGPOLinks | Add-Member -type noteproperty -name UserRevisionsSYSVOL -value $UserVerSys

$objGPOLinks | Add-Member -type noteproperty -name ComputerSettingsEnabled -value $CompEnabled

$objGPOLinks | Add-Member -type noteproperty -name UserSettingsEnabled -value $UserEnabled

$objGPOLinks | Add-Member -type noteproperty -name SecurityFilter -value $SecurityFilter

$colGPOLinks += $objGPOLinks

}

$colGPOLinks | sort-object GPOName, LinksPath

Well, that's it for this post.

I hope you will find the script useful and if you have any suggestions or spot something that can be improved (I am no PowerShell Guru) leave me a comment to let me know.

Until next time !!