In large and medium-sized enterprises, many Group Policies are set up for daily operations management. Many of these policies are obsolete, so we need to clean up our Group Policy information on a regular basis. Typically we export HTML reports to help us analyze Group Policy information:
#1
First you need to load the GroupPolicy module:
Import-Module GroupPolicy
To export all GPOs to a single HTML report:
Get-GPOReport -All -ReportType Html -Path C:\GPOReports\GposReport.html
#2
Export each GPO to generate its own HTML report:
Get-GPO -All | % { Get-GPOReport -Name $_.DisplayName -ReportType Html -Path ("C:\GPOReports\" + $_.DisplayName + ".html") }
#3
Let's query all GPOs that have all settings disabled:
$reportFile = "C:\GPOReports\AllSettingsDisabledGpos.csv"
Set-Content -Path $reportFile -Value ("GPO Name,Settings")
Get-GPO -All | where { $_.GpoStatus -eq "AllSettingsDisabled" } | % {
    Add-Content -Path $reportFile -Value ($_.DisplayName + "," + $_.GpoStatus)
}
#4
Query GPOs that do not apply to any user:
$reportFile = "C:\GPOReports\GPOApplyToPermissions.csv"
Set-Content -Path $reportFile -Value ("GPO Name,User/Group,Denied")
Get-GPO -All | % {
    $gpoName = $_.DisplayName
    [int]$counter = 0
    $security = $_.GetSecurityInfo()
    # One row per trustee that holds the GpoApply permission
    $security | where { $_.Permission -eq "GpoApply" } | % {
        Add-Content -Path $reportFile -Value ($gpoName + "," + $_.Trustee.Name + "," + $_.Denied)
        $counter += 1
    }
    # No trustee holds GpoApply, so the GPO is not applied to anyone
    if ($counter -eq 0) {
        Add-Content -Path $reportFile -Value ($gpoName + ",Not Applied")
    }
}
#4
Get GPOs, links, and WMI filters:
$reportFile = "C:\GPOReports\GPOLinksAndWMIFilters.csv"
Set-Content -Path $reportFile -Value ("GPO Name,# Links,Link Path,Enabled,No Override,WMI Filter")
$GPMC = New-Object -ComObject GPMgmt.GPM
$constants = $GPMC.GetConstants()
Get-GPO -All | % {
    [int]$counter = 0
    [xml]$report = $_.GenerateReport($constants.ReportXML)
    # A missing FilterName element yields $null rather than an exception
    $wmiFilterName = $report.GPO.FilterName
    if (-not $wmiFilterName) { $wmiFilterName = "None" }
    # Wrap in @() so a single link is still counted as 1
    $linkCount = @($report.GPO.LinksTo | where { $_.SOMPath }).Count
    $report.GPO.LinksTo | % {
        if ($_.SOMPath -ne $null) {
            $counter += 1
            Add-Content -Path $reportFile -Value ($report.GPO.Name + "," + $linkCount + "," + $_.SOMPath + "," + $_.Enabled + "," + $_.NoOverride + "," + $wmiFilterName)
        }
    }
    # GPO without any link: keep the same six columns as the header
    if ($counter -eq 0) {
        Add-Content -Path $reportFile -Value ($report.GPO.Name + "," + $counter + ",No links,No links,No links," + $wmiFilterName)
    }
}
#5
Query organizational units that block GPO inheritance:
Import-Module ActiveDirectory
$reportFile = "C:\GPOReports\OUsWithBlockInherit.csv"
Set-Content -Path $reportFile -Value ("Block inheritance OU Path")
# Replace "DC=your,DC=domain" with the distinguished name of your own domain
Get-ADOrganizationalUnit -SearchBase "DC=your,DC=domain" -Filter * | Get-GPInheritance | Where-Object { $_.GpoInheritanceBlocked } | % {
    Add-Content -Path $reportFile -Value ($_.Path)
}
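A consolidated cleanup report, as an added example that is not part of the original article: it combines the disabled-settings, apply-permission and link checks above into one row per GPO, and writes it with Export-Csv so that GPO names containing commas stay in one column. The output file name, the column names and the "Reasons" wording are assumptions.

```powershell
# Added example: one CSV row per GPO with the cleanup signals from the reports above.
Import-Module GroupPolicy

$reportFile = "C:\GPOReports\GpoCleanupCandidates.csv"   # hypothetical file name

$rows = foreach ($gpo in Get-GPO -All) {
    # The XML report carries the link information (LinksTo elements)
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    $links        = @($report.GPO.LinksTo | Where-Object { $_.SOMPath })
    $enabledLinks = @($links | Where-Object { $_.Enabled -eq "true" })

    # Trustees that are allowed (not denied) to apply the GPO
    $appliesTo = @($gpo.GetSecurityInfo() |
        Where-Object { $_.Permission -eq "GpoApply" -and -not $_.Denied } |
        ForEach-Object { $_.Trustee.Name })

    # Collect every reason this GPO looks like a cleanup candidate
    $reasons = @()
    if ($gpo.GpoStatus -eq "AllSettingsDisabled") { $reasons += "all settings disabled" }
    if ($links.Count -eq 0) {
        $reasons += "no links"
    } elseif ($enabledLinks.Count -eq 0) {
        $reasons += "all links disabled"
    }
    if ($appliesTo.Count -eq 0) { $reasons += "not applied to anyone" }

    [pscustomobject]@{
        GpoName      = $gpo.DisplayName
        GpoId        = $gpo.Id
        GpoStatus    = $gpo.GpoStatus
        LastModified = $gpo.ModificationTime
        LinkCount    = $links.Count
        EnabledLinks = $enabledLinks.Count
        LinkPaths    = ($links | ForEach-Object { $_.SOMPath }) -join "; "
        AppliesTo    = $appliesTo -join "; "
        Candidate    = ($reasons.Count -gt 0)
        Reasons      = $reasons -join "; "
    }
}

# Export-Csv quotes each field, unlike building lines by string concatenation
$rows | Sort-Object Candidate -Descending |
    Export-Csv -Path $reportFile -NoTypeInformation -Encoding UTF8
```

Rows with Candidate set to True are GPOs to review by hand before removal; the report itself changes nothing in the domain.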