Thursday, January 16, 2014

PowerShell Script: HouseKeeping GPO Report

Hello there !! 

My first post for 2014 is going to be about a Powershell script I just created to produce a GPO Report to keep track of the environment and also list GPOs for housekeeping tasks such as listing all the GPOs without WMIfilter, all the GPOs linked to a particular OU, ...

None of the GroupPolicy cmdlets that come with the GroupPolicy Module in RSAT actually allowed me to produce an all in one report based on the actual object configuration (i.e.: OU Linked, WMI filter applied, Security filtering, ... ).

It is assumed that you have imported the GroupPolicy module and that you have set the ExecutionPolicy properly on your system beforehand so that you can run the script locally.

What the script does: 

The script gets a specified list or all of the GPO in a domain and returns the following list of properties per GPO and per OU Link:
GPOName, LinksPath, WmiFilter, CreatedTime, ModifiedTime, ComputerRevisionsAD, ComputerRevisionsSYSVOL, UserRevisionsAD, UserRevisionsSYSVOL, ComputerSettingsEnabled, UserSettingsEnabled, SecurityFilter.

 In other words if a GPO is linked to more than one OU it will appear once per OU where it is linked in the report. That is the same as the GPMC display tree view.

The report focuses on what is actually in effect on the domain, therefore:
- Links that are not enabled are discarded automatically.
- Security filtering for groups, users and computers that have been deleted from the domain but are still showing as SID in the GPO are skipped and not showing the report.

How it works: 

Here are a few syntax example to use the script. 

& Get-GPOReport.ps1 -All | Out-GridView
      The script creates a report for all the GPOs on the domain.

& Get-GPOReport.ps1 -GPOList  GPOName1,GPOName2,GPOName3 | ConverTo-Csv -Delimiter ','
      The script creates a report for the specified GPO.

$a = Get-Content C:\MyListOfGPOs.txt 
& Get-GPOReport.ps1 -GPOList $a | Export-Csv -Delimiter ',' -Path C:\MyGPOReport.csv
      The script creates a report for the GPOs specified in C:\MyListOfGPOs.txt.

Download Link:

https://drive.google.com/file/d/0B3ED4HUGG162LTNWWGNRaENVWmc/edit?usp=sharing

Script Content:

#Created by toussman@gmail.com on 16/01/2014 
#http://theplatformadmin.blogspot.co.uk/

param(
[parameter(Mandatory = $False )][array]$GPOList,
    [parameter(Mandatory = $False )][switch]$All
)

if( $All ){$GPOList = (Get-Gpo -All).DisplayName}
If( $GPOList -eq $null){Write-Host "Specify a list of GPOs!!"; Break}

$colGPOLinks = @()

foreach ($GPOItem in $GPOList){
       
    [xml]$gpocontent = Get-GPOReport $GPOItem -ReportType xml
    $LinksPaths = $gpocontent.GPO.LinksTo | ?{$_.Enabled -eq $True} | %{$_.SOMPath}
    $Wmi = Get-GPO $GPOItem | Select-Object WmiFilter
    
    $CreatedTime = $gpocontent.GPO.CreatedTime
    $ModifiedTime = $gpocontent.GPO.ModifiedTime
    
    $CompVerDir = $gpocontent.GPO.Computer.VersionDirectory
    $CompVerSys = $gpocontent.GPO.Computer.VersionSysvol
    $CompEnabled = $gpocontent.GPO.Computer.Enabled
    
    $UserVerDir = $gpocontent.GPO.User.VersionDirectory
    $UserVerSys = $gpocontent.GPO.User.VersionSysvol
    $UserEnabled = $gpocontent.GPO.User.Enabled

    $SecurityFilter = ((Get-GPPermissions -Name $GPOItem -All | ?{$_.Permission -eq "GpoApply"}).Trustee | ?{$_.SidType -ne "Unknown"}).name -Join ','

    foreach ($LinksPath in $LinksPaths){
        $objGPOLinks = New-Object System.Object
        $objGPOLinks | Add-Member -type noteproperty -name GPOName -value $GPOItem
        $objGPOLinks | Add-Member -type noteproperty -name LinksPath -value $LinksPath
        $objGPOLinks | Add-Member -type noteproperty -name WmiFilter -value ($wmi.WmiFilter).Name
        $objGPOLinks | Add-Member -type noteproperty -name CreatedTime -value $CreatedTime
        $objGPOLinks | Add-Member -type noteproperty -name ModifiedTime -value $ModifiedTime
        $objGPOLinks | Add-Member -type noteproperty -name ComputerRevisionsAD -value $CompVerDir
        $objGPOLinks | Add-Member -type noteproperty -name ComputerRevisionsSYSVOL -value $CompVerSys
        $objGPOLinks | Add-Member -type noteproperty -name UserRevisionsAD -value $UserVerDir
        $objGPOLinks | Add-Member -type noteproperty -name UserRevisionsSYSVOL -value $UserVerSys
        $objGPOLinks | Add-Member -type noteproperty -name ComputerSettingsEnabled -value $CompEnabled
        $objGPOLinks | Add-Member -type noteproperty -name UserSettingsEnabled -value $UserEnabled
        $objGPOLinks | Add-Member -type noteproperty -name SecurityFilter -value $SecurityFilter

        $colGPOLinks += $objGPOLinks
    }
}

$colGPOLinks | sort-object GPOName, LinksPath 

Well, that's it for this post. 

I hope you will find the script useful and if you have any suggestions or spot something that can be improved (I am no PowerShell Guru) leave me a comment to let me know. 

Until next time !! 
Posted by at
Labels: , , , , , , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)