Look for unused GPOs with PowerShell

24. November 2016

blog.feldmann.io

PowerShell Version: 4 
Modules: GroupPolicy

If you find yourself lost in the jungle of existing GPOs in your environment, use some PowerShell to sort out the ones that might not be needed anymore.

# First of all, get all GPOs that are available in the domain. Make sure to use a domain administrator account for this.
$gpos = Get-GPO -All
$gpo_compare_unlinked = @()
$gpo_compare_notapplied = @()

"Unlinked GPOs:"
foreach ($gpo in $gpos)
    {
    # To gather all needed information we create an XML report of every GPO and pick out what we need.
    # The report is requested by GUID rather than by display name, because display names are not guaranteed to be unique.
    # If GPO.LinksTo.SOMPath is empty, the GPO is not linked anywhere.
    [xml]$xmldata = Get-GPOReport -ReportType Xml -Guid $gpo.Id
    if ($null -eq $xmldata.GPO.LinksTo.SOMPath)
        {
        # output the name of the unlinked GPO
        $gpo.DisplayName
        # add the name to an array for later comparison
        $gpo_compare_unlinked += $gpo.DisplayName
        }
    }
# add a line break for a better overview
"`r"
"GPOs that are linked but deactivated:"
foreach ($gpo in $gpos)
    {
    # These GPOs are linked, but at least one link is disabled, as seen in GPO.LinksTo.Enabled (one LinksTo entry per link).
    [xml]$xmldata = Get-GPOReport -ReportType Xml -Guid $gpo.Id
    if ($xmldata.GPO.LinksTo.Enabled -contains 'false')
        {
        $gpo.DisplayName
        }
    }
"`r"
"GPOs that are not applied:"
foreach ($gpo in $gpos)
    {
    # This was a bit tricky: the XML data has no explicit "applied" flag. It only lists the permission
    # "Apply Group Policy" for trustees that hold it, so a GPO counts as not applied when no trustee has that permission.
    [xml]$xmldata = Get-GPOReport -ReportType Xml -Guid $gpo.Id
    $permissions = $xmldata.GPO.SecurityDescriptor.Permissions.TrusteePermissions.Standard.GPOGroupedAccessEnum
    if ($permissions -notcontains 'Apply Group Policy')
        {
        $gpo.DisplayName
        $gpo_compare_notapplied += $gpo.DisplayName
        }
    }
"`r"
"GPOs that are neither linked nor applied:"
# compare the two arrays to find the GPOs that are basically trash (unused)
(Compare-Object $gpo_compare_unlinked $gpo_compare_notapplied -IncludeEqual | Where-Object SideIndicator -eq '==').InputObject
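As an added example (not part of the original post), the same three checks factored into one function that works on the report XML itself, so the classification can be tried offline on constructed sample reports before it is pointed at a real domain with Get-GPOReport. The sample XML is constructed for this example and omits the report's namespace and every element the checks do not read.

```powershell
function Get-GpoUsageState {
    # Evaluate one GPO XML report (shape of Get-GPOReport -ReportType Xml) and return
    # the facts the script above looks at, plus a summary verdict.
    param([Parameter(Mandatory)][xml]$Report)

    # A GPO with no <LinksTo> element is not linked to any site, domain or OU.
    $links = @($Report.GPO.LinksTo | Where-Object { $null -ne $_ })
    # The report only lists "Apply Group Policy" for trustees that hold that permission.
    $perms = @($Report.GPO.SecurityDescriptor.Permissions.TrusteePermissions.Standard.GPOGroupedAccessEnum |
              Where-Object { $null -ne $_ })

    $linked  = $links.Count -gt 0
    $enabled = @($links | Where-Object { $_.Enabled -eq 'true' }).Count -gt 0
    $applied = $perms -contains 'Apply Group Policy'

    $verdict = if (-not $linked -and -not $applied) { 'unused (neither linked nor applied)' }
               elseif (-not $linked)                { 'unlinked' }
               elseif (-not $enabled)               { 'linked but all links disabled' }
               elseif (-not $applied)               { 'linked but applied to nobody' }
               else                                 { 'in use' }

    [pscustomobject]@{ Name = $Report.GPO.Name; Linked = $linked; EnabledLink = $enabled
                       Applied = $applied; Verdict = $verdict }
}

# Constructed sample reports: an active GPO, one whose only link is disabled, and an orphan.
$samples = @(
@'
<GPO><Name>Workstation Hardening</Name>
  <LinksTo><SOMName>Workstations</SOMName><SOMPath>corp.example/Workstations</SOMPath><Enabled>true</Enabled></LinksTo>
  <SecurityDescriptor><Permissions><TrusteePermissions><Standard>
    <GPOGroupedAccessEnum>Apply Group Policy</GPOGroupedAccessEnum></Standard></TrusteePermissions></Permissions></SecurityDescriptor>
</GPO>
'@
@'
<GPO><Name>Legacy Proxy Settings</Name>
  <LinksTo><SOMName>Servers</SOMName><SOMPath>corp.example/Servers</SOMPath><Enabled>false</Enabled></LinksTo>
  <SecurityDescriptor><Permissions><TrusteePermissions><Standard>
    <GPOGroupedAccessEnum>Apply Group Policy</GPOGroupedAccessEnum></Standard></TrusteePermissions></Permissions></SecurityDescriptor>
</GPO>
'@
@'
<GPO><Name>Old Test Policy</Name>
  <SecurityDescriptor><Permissions><TrusteePermissions><Standard>
    <GPOGroupedAccessEnum>Edit settings, delete, modify security</GPOGroupedAccessEnum></Standard></TrusteePermissions></Permissions></SecurityDescriptor>
</GPO>
'@
)

foreach ($xml in $samples) { Get-GpoUsageState -Report ([xml]$xml) }
```

Against a live domain, replace the sample loop with `Get-GPO -All | ForEach-Object { Get-GpoUsageState -Report ([xml](Get-GPOReport -Guid $_.Id -ReportType Xml)) }`.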