Active Directory Group Policy Health Check Items (Part 6): GPO naming convention

In the previous part of this article series, we explained why it is important to provide a description text for each GPO, especially when you have hundreds of GPOs and multiple IT teams handling specific GPOs. That PowerShell script helps you get a list of GPOs that do not have a description text set, so you can add one to the important GPOs. In this part, we provide a PowerShell script that you can use to collect GPOs that do not follow your standards: GPO names that are too long, GPOs that lack the expected prefix or suffix, GPOs that have not been named correctly, and so on.

There are several reasons to keep GPO names short and to follow a standard naming convention. In a large Active Directory environment with hundreds of GPOs, a standard naming convention makes it easy for IT teams to identify which GPOs belong to them. You may not want your sales IT team to touch finance GPOs, and vice versa. That's where this article comes in handy: we provide a PowerShell script that collects GPO names longer than 60 characters and GPOs that do not follow a standard naming convention.

The PowerShell script explained below does not implement a check for any given prefix or suffix, but if you have a naming convention in place, its output (the full list of GPO names per domain) lets you see which GPOs do not follow it.

After collecting the GPO information from each domain, you can modify the GPO names. There is no downtime for a GPO when its name is modified: every object in Active Directory, including a GPO, is identified by its GUID, not by its name, and GPO links reference that GUID. So items like the GPO description and the GPO name can be modified without any impact on the Active Directory environment.

Requirements

Before you run the script, please ensure you meet the requirements mentioned below:

  • The PowerShell script must be executed from a Windows Server 2012 or later operating system.
  • Install the Group Policy PowerShell module by enabling the GPMC feature via Server Manager. Note that the PowerShell script uses the Get-GPO cmdlet, which is part of the GPMC feature.
  • The PDC Emulator of each domain must be available in order to gather the list of GPOs. The PowerShell script below collects GPOs from each domain in the Active Directory forest, and it connects to the PDC Emulator of every domain to do so.

What does the script do?

The script performs the following functions:

  • Retrieves all domains from the current Active Directory forest. You can also specify the Active Directory forest name in $CurForestName; the forest we use in the script is "TechGenix.com".
  • Connects to the PDC Emulator of each domain in the Active Directory forest.
  • Executes the Get-GPO PowerShell cmdlet to collect all GPOs and their names.
  • Checks how many GPO names are longer than 60 characters.
  • Writes the script output to the C:\Temp\GPOsNames.CSV file.

### Script Starts Here ###

# Get-ADForest and Get-ADDomain come from the ActiveDirectory module;
# Get-GPO comes from the GroupPolicy module installed with the GPMC feature.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$TotNo = 0
$ItemCount = 0
$TestText = ""
$TestStatus = ""
$SumVal = ""
$IsNameOk = "Yes"
$ADTestName = "Domain GPO Naming Test"
$TestStartTime = Get-Date -Format "yyyy-MM-dd HH:mm:ss"

$TestCSVFile = "C:\Temp\GPOsNames.CSV"
Remove-Item $TestCSVFile -ErrorAction SilentlyContinue
# Header row so the report has named columns
Add-Content $TestCSVFile "Domain,PDCServer,GPOName,NameLength,Status"

# Forest to check; every domain in it is processed
$CurForestName = "TechGenix.com"
$R = Get-ADForest $CurForestName

ForEach ($ThisDomain in $R.Domains)
{
    # Connect to the PDC Emulator of each domain. The original script read the
    # preferred DC from a CSV file maintained by AD Health Profiler; that file is
    # not part of this article, so the PDC Emulator is taken from Get-ADDomain instead.
    $PDCServerToConnect = "Unknown"
    $ErrorOrNot = "No"
    $Error.Clear()

    $DomainInfo = Get-ADDomain -Identity $ThisDomain -ErrorAction SilentlyContinue
    if ($DomainInfo) { $PDCServerToConnect = $DomainInfo.PDCEmulator }

    if ($PDCServerToConnect -eq "Unknown")
    {
        $ErrorOrNot = "Yes"
    }
    else
    {
        $AllGPODes = Get-GPO -All -Domain $ThisDomain -Server $PDCServerToConnect -ErrorAction SilentlyContinue
        if ($Error.Count -ne 0) { $ErrorOrNot = "Yes" }
    }

    if ($ErrorOrNot -eq "Yes")
    {
        $TestText = "Please check to make sure a Domain Controller is reachable to execute Dynamic Pack."
        $SumVal = ""
        $TestStatus = "Error executing Dynamic Pack."
        Write-Warning "Could not collect GPOs from $ThisDomain (server: $PDCServerToConnect)"
    }
    else
    {
        $Items = $AllGPODes
        $ItemCount = $AllGPODes.Count
        $SumVal = $ItemCount

        ForEach ($ThisItem in $Items)
        {
            $RNameNow = $ThisItem.DisplayName.Length
            $StatusNow = "Ok"
            if ($RNameNow -gt 60)
            {
                $TotNo++
                $IsNameOk = "No"
                $StatusNow = "Please ensure GPO name follows production naming convention."
            }
            # Quote the GPO name (doubling embedded quotes) because display names may contain commas
            $QuotedName = '"' + $ThisItem.DisplayName.Replace('"', '""') + '"'
            $FinalVal = $ThisDomain + "," + $PDCServerToConnect + "," + $QuotedName + "," + $RNameNow + "," + $StatusNow
            Add-Content $TestCSVFile $FinalVal
        }

        if ($IsNameOk -eq "No")
        {
            $TestText = "Some GPO names are more than 60 characters. It is recommended to have shorter GPO names."
            $TestStatus = "Medium"
            $SumVal = $TotNo
        }
        if ($IsNameOk -eq "Yes")
        {
            $TestText = "All GPOs have shorter names. However, please ensure all GPOs follow a standard naming convention."
            $TestStatus = "Passed"
            $SumVal = $TotNo
        }
    }
}

# One-line summary in the format used by the Dynamic Pack framework
$STR = $ADTestName + "," + $TestStartTime + "," + $TestStatus + "," + $SumVal + "," + $TestText
Write-Output $STR
Write-Output "Report written to $TestCSVFile"

### Script Ends Here ###

Once the script has finished executing for all domains in an Active Directory forest, a report will be generated in a CSV file as shown in the screenshot below.

CSV Report by PowerShell Script

As you can see in the screenshot, the script has reported all the GPOs from each domain in the Active Directory forest. The only check that the above PowerShell script performs is on the length of the GPO names; in the screenshot, it reported that two GPOs have names longer than 60 characters. The script uses the $CurForestName variable to connect to the Active Directory forest, collects its domains, and then fetches all the GPOs from each domain. If you are using Active Directory Health Profiler, you can execute the Domain GPO Naming Test Dynamic Pack against an Active Directory forest or a domain and then view the output of the Dynamic Pack in the Active Directory Health Profiler console, as shown in the screenshot below.
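The article's script checks only the name length and leaves prefix/suffix rules to a manual review of the CSV. The following function is an added example (not part of the article's script or of AD Health Profiler) that combines the 60-character limit with a regular-expression naming convention. The pattern, the function and parameter names, and the sample GPO names are assumptions; the only real cmdlets it relies on are Get-GPO and Rename-GPO from the GroupPolicy module.

```powershell
# Added example: check GPO display names against a length limit and a regex
# naming convention. Pattern, function name and sample names are hypothetical.
Import-Module GroupPolicy -ErrorAction SilentlyContinue   # only needed for the Get-GPO usage at the bottom

function Test-GpoNamingConvention {
    [CmdletBinding()]
    param(
        # Accepts plain strings or Get-GPO objects (binds to their DisplayName property).
        [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [Alias('DisplayName')]
        [string]$Name,

        # Assumed convention: <TEAM>-<U|C>-<Description>, e.g. "FIN-U-Drive Mappings",
        # where U = user settings and C = computer settings. Replace with your own rule.
        [string]$Pattern = '^(?<Team>[A-Z]{2,5})-(?<Scope>[UC])-[A-Za-z0-9 ]{1,50}$',

        # Same limit the article's script applies.
        [int]$MaxLength = 60
    )
    process {
        $Problems = New-Object System.Collections.Generic.List[string]
        if ($Name.Length -gt $MaxLength) {
            $Problems.Add("length $($Name.Length) exceeds $MaxLength")
        }
        if (-not [regex]::IsMatch($Name, $Pattern)) {
            $Problems.Add("does not match '$Pattern'")
        }
        $Status = if ($Problems.Count -eq 0) { 'Ok' } else { 'Review' }
        [pscustomobject]@{
            DisplayName = $Name
            Length      = $Name.Length
            Status      = $Status
            Problem     = ($Problems -join '; ')
        }
    }
}

# Constructed sample names so the function can be exercised without a domain.
$SampleNames = @(
    'FIN-U-Drive Mappings',
    'SAL-C-Bitlocker Baseline',
    'Default Domain Policy',
    'HR-U-Temporary policy created during the 2019 migration please do not delete'
)

$Results = $SampleNames | Test-GpoNamingConvention
$Results | Format-Table -AutoSize

# Against a real forest (assumes the GPMC module and a reachable domain controller),
# keeping only the GPOs that need attention:
#   Get-GPO -All -Domain 'TechGenix.com' | Test-GpoNamingConvention |
#       Where-Object Status -ne 'Ok' | Export-Csv C:\Temp\GPOsNamingReview.csv -NoTypeInformation
#
# Renaming changes only the display name, never the GUID that links reference, so
# a flagged GPO can be renamed safely; preview first with -WhatIf:
#   Rename-GPO -Name 'Old name' -TargetName 'FIN-U-Old name' -Domain 'TechGenix.com' -WhatIf
```

The sample set deliberately covers each case: two names that satisfy both rules, one built-in name that violates only the pattern, and one that violates both the pattern and the 60-character limit. Because the parameter binds by property name, Get-GPO objects can be piped in directly and the function never needs its own connection to a domain controller.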

AD Health Profiler Console Report

Summary and next GPO health check item

In this part, we focused on gathering the list of GPOs whose names are longer than 60 characters and on spotting GPOs that do not follow the production naming convention. You can include the above PowerShell script in your Active Directory health check procedure. In case of any issues while running the script, please send an email to [email protected].

In the final part of this series, we are going to explain Block Policy Inheritance setting and give you a PowerShell script to collect organizational units that have Block Policy Inheritance option set.
