If you would like to read the first part in this article series please go to:
In the Part 1, we provided a list of Group Policy health check items that you should always consider including in your Active Directory Health check procedure. We provided a PowerShell script that can help you get a list of GPOs that have WMI filters configured and then identify the GPOs that have incorrect WMI filters configured. In Part 2, we will focus on gathering a list of GPOs that have been configured in the domain, but they are not applying to any user or computer accounts. There is no use of a Group Policy Object if the GPO does not apply to the user and/or computer objects. In other words, creating a large number of GPOs that do not apply to any objects may lead to unnecessary processing by the client side extensions running on the Active Directory clients. In Part 2 of this article series, we will provide a PowerShell script that you can use to retrieve the list of Group Policy Objects that have been configured in the domain but are not applying.
Requirements
Before you run the script, please ensure to meet the requirements mentioned below:
- Please configure a computer running Windows Server 2012 or later Operating Systems.
- Operating System must have Group Policy PowerShell modules installed. PowerShell script, explained below, uses Get-GPO PowerShell cmdlet.
- PDC Emulator for each domain must be available in order to gather the list of GPOs.
Note: The below script is part of Active Directory Dynamic Packs for use with Active Directory Health Profiler. AD Health Profiler ships with 97 Active Directory Dynamic Packs. Active Directory Dynamic Packs can be used to perform a complete Health Check of an Active Directory forest and help you generate a report with issue severity.
What does the script do?
The script performs the following functions:
- Retrieves all domains from the current Active Directory forest.
- Connects to the PDC emulator of each domain.
- Executes Get-GPO PowerShell cmdlet to collect GPOs and their settings.
- Checks to see how many GPOs are not applying.
- Script output is generated in C:\Temp\GPOsNotApplying.CSV file.
Script Contents
### Script Starts Here ###
$TotNo=0
$ItemCount=0
$TestText = ""
$TestStatus=""
$SumVal = ""
$GDomList = "C:\Temp\DomList.DPC"
Remove-item $GDomList -ErrorAction SilentlyContinue
$TestCSVFile = "C:\Temp\ GPOsNotApplying.CSV"
Remove-item $TestCSVFile -ErrorAction SilentlyContinue
$CurForestName = "TechGenix.com"
$R=Get-ADForest $CurForestName
ForEach ($DomName in $R.Domains)
{
Add-Content $GDomList $DomName
}
ForEach ($ThisDomain in Get-Content "$GDomList")
{
$PDCServerToConnect = "Unknown"
IF ($HitWin2012DC -eq "Yes" -and $CredInputForPS -eq "File")
{
$PDCCSV = Import-CSV $PrefDCFile
ForEach ($ItemNow in $PDCCSV)
{
IF ($ItemNow.Domain -eq $ThisDomain)
{
$PDCServerToConnect = $ItemNow.'Preferred Domain Controller'
break
}
}
}
else
{
$PDCCSV = Import-CSV $PDCListFile
ForEach ($ItemNow in $PDCCSV)
{
IF ($ItemNow.Domain -eq $ThisDomain)
{
$PDCServerToConnect = $ItemNow.PDCServer
break
}
}
}
$Error.Clear()
$TotNotAppliedGPO=Get-GPO -All -Domain $ThisDomain -Server $PDCServerToConnect | %{
$gpoName = $_.displayName
$GPOStatusNow = $_.GPOStatus
[int]$counter = 0
$security = $_.GetSecurityInfo()
$security | where{ $_.Permission -eq "GpoApply" } | %{
$counter += 1
} }
IF ($Error.count -eq 0)
{
if ($counter -eq 0)
{
$FinalVal=$Gponame+","+$GPOStatusNow+","+$ThisDomain
Add-Content "$TestCSVFile" $FinalVal
$TotNo++
}
}
else
{
$ErrorOrNot="Yes"
}
}
IF ($ErrorOrNot -eq "Yes")
{
$TestText = "Please check to make sure a Domain Controller is reachable to execute Dynamic Pack."
$SumVal = ""
$TestStatus="Error executing Dynamic Pack."
}
else
{
$FinalText = ""
$SumVal=$ItemCount
IF ($TotNo -eq 0)
{
$TestText = "All GPOs have been configured to apply to required objects."
$SumVal = $TotNo
$TestStatus="Passed"
}
else
{
$TestText = "Some GPOs are NOT applying to any objects. Please check why these GPOs are not applying to any objects.
These GPOs might have some policy settings that you are expecting to apply to users and computers."
$TestStatus="High"
$SumVal = $TotNo
}
}
$STR = $ADTestName +","+$TestStartTime+","+$TestStatus+","+$SumVal +","+$TestText
### Script Ends Here ###
Once the script has finished executing for all domains in an Active Directory forest, a report will be generated in a CSV file as shown in the figure 1 below.
Figure 1 – Showing GPO CSV Report generated by the PowerShell Script
As you can see in the screenshot above, the script reported only the GPOs that have been enabled in the domain, but they do not apply to any objects. The script has found seven GPOs in the TechGenix.com domain which do not apply to any user or computer objects. The script is quite useful when you have hundreds of GPOs configured in your Active Directory domain and you don’t know what all GPOs are not applying. If you are using Active Directory Health Profiler, you can execute the Domain GPO Not Applied Test Dynamic Pack against an Active Directory Forest or a domain and then show the output of the Dynamic Pack in Active Directory Health Profiler console as shown in the Figure 2 below.
Figure 2 – Showing GPO Report in AD Health Profiler Console
Summary and Next GPO Health Check Item
In this part, we focused on gathering the list of GPOs that do not apply to any objects. You can include above PowerShell script in your Active Directory Health Check procedure. In case of any issues while running the script, please send an email to [email protected].
In the upcoming part, we are going to discuss our next GPO health check item that is collecting a list of GPOs that are disabled in the Active Directory domains.
