Look for unused GPOs with PowerShell
24 November 2016
PowerShell Version: 4
Modules: GroupPolicy
If you find yourself lost in the jungle of existing GPOs in your environment, use some PowerShell to sort out the ones that might not be needed anymore.
# first of all get all GPOs that are available in the domain - make sure to use a domain administrator account for this
$gpos = Get-GPO -All
$gpo_compare_unlinked = @()
$gpo_compare_notapplied = @()

"Unlinked GPOs:"
foreach ($gpo in $gpos) {
    # to gather all needed information we create an xml report of every GPO and sort out what we need...
    # if GPO.LinksTo.SOMPath is empty the GPO is not linked anywhere
    [xml]$xmldata = Get-GPOReport -ReportType Xml -Name $gpo.DisplayName
    if ($null -eq $xmldata.GPO.LinksTo.SOMPath) {
        # output the name of the unlinked GPO
        $gpo.DisplayName
        # add the name to an array for later comparison
        $gpo_compare_unlinked += $gpo.DisplayName
    }
}

# add a line break for a better overview
"`r"
"GPOs that are linked but deactivated:"
foreach ($gpo in $gpos) {
    # these GPOs are linked but at least one of their links is disabled, as seen in GPO.LinksTo.Enabled
    [xml]$xmldata = Get-GPOReport -ReportType Xml -Name $gpo.DisplayName
    if ($xmldata.GPO.LinksTo.Enabled -eq $false) {
        $gpo.DisplayName
    }
}

"`r"
"GPOs that are not applied:"
foreach ($gpo in $gpos) {
    # this was a bit tricky as the xml data does not show the information we need directly,
    # it only lists the grant -Apply Group Policy- if it is assigned to some trustee
    [xml]$xmldata = Get-GPOReport -ReportType Xml -Name $gpo.DisplayName
    $grants = $xmldata.GPO.SecurityDescriptor.Permissions.TrusteePermissions.Standard.GPOGroupedAccessEnum
    if ($grants -notcontains "Apply Group Policy") {
        $gpo.DisplayName
        $gpo_compare_notapplied += $gpo.DisplayName
    }
}

"`r"
"GPOs that are neither linked nor applied:"
# compare the two arrays to find the GPOs that are basically trash (unused)
(Compare-Object $gpo_compare_unlinked $gpo_compare_notapplied -IncludeEqual | Where-Object SideIndicator -eq "==").InputObject
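As an added example (not part of the original post), the same three checks done in a single pass that parses each XML report only once and returns objects instead of bare names, so the result can be filtered, sorted by age and backed up before anything is deleted. It assumes the GroupPolicy module and a domain administrator session like the script above; the function name Get-GpoUsage and the backup path are made up for this example.

```powershell
# Added example, not the original author's code. Assumes the GroupPolicy module
# is installed and the session runs as a domain administrator.
Import-Module GroupPolicy

function Get-GpoUsage {
    [CmdletBinding()]
    param()
    foreach ($gpo in Get-GPO -All) {
        # one XML report per GPO instead of three
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        # LinksTo is missing for an unlinked GPO and may be one node or an array
        $links = @($report.GPO.LinksTo | Where-Object { $null -ne $_ })
        # Enabled is the string "true"/"false" in the report, so compare as text
        $enabledLinks = @($links | Where-Object { $_.Enabled -eq 'true' })
        # same grant check as the original: is "Apply Group Policy" assigned to any trustee?
        $grants = @($report.GPO.SecurityDescriptor.Permissions.TrusteePermissions |
            ForEach-Object { $_.Standard.GPOGroupedAccessEnum })
        [pscustomobject]@{
            DisplayName      = $gpo.DisplayName
            Id               = $gpo.Id
            LinkCount        = $links.Count
            EnabledLinkCount = $enabledLinks.Count
            LinkPaths        = ($links | ForEach-Object { $_.SOMPath }) -join '; '
            HasApplyGrant    = [bool]($grants -contains 'Apply Group Policy')
            ModificationTime = $gpo.ModificationTime
        }
    }
}

# candidates for cleanup: neither linked anywhere nor granted "Apply Group Policy"
$unused = Get-GpoUsage | Where-Object { $_.LinkCount -eq 0 -and -not $_.HasApplyGrant }
$unused | Sort-Object ModificationTime |
    Format-Table DisplayName, ModificationTime, EnabledLinkCount, LinkPaths -AutoSize

# back the candidates up first so a mistaken Remove-GPO can be undone with Restore-GPO
$backupDir = 'C:\GPOBackup'   # assumed path, change to suit
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
$unused | ForEach-Object {
    Backup-GPO -Guid $_.Id -Path $backupDir -Comment 'unused GPO candidate' | Out-Null
}
```

A GPO with LinkCount greater than 0 but EnabledLinkCount 0 is the "linked but deactivated" case from the original script, while a GPO whose only grants are deny entries still shows HasApplyGrant as true because the report lists the grant name regardless of allow or deny.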