Cleanup your Group Policies with Powershell

This post contains two short scripts to help you clean up unused Group Policy Objects (GPOs). The first script helps you identify GPOs that are linked to an OU but whose link is disabled. The second script finds all GPOs that exist but are not linked to any OU.

Find all GPOs with disabled links
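Import-Module GroupPolicy

# Collect the display name of every GPO in the current domain
$allGPOnames = Get-GPO -All | Select-Object DisplayName

$allGPOnames | ForEach-Object {
	$dispGPO = $_.DisplayName
	# The XML report carries one LinksTo node per link of the GPO
	[xml]$GPOReport = Get-GPOReport -Name $dispGPO -ReportType Xml
	# List each link with its state; Enabled is 'false' for a disabled link
	$GPOReport.GPO.LinksTo | ForEach-Object { $_ | Select-Object @{n="GPO Name"; e={$dispGPO}}, SOMPath, Enabled }
}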
Find all unlinked GPOs
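Import-Module GroupPolicy

$allGPOnames = Get-GPO -All | Select-Object DisplayName
$array = @()
$allGPOnames | ForEach-Object {
	$dispGPO = $_.DisplayName
	[xml]$GPOReport = Get-GPOReport -Name $dispGPO -ReportType Xml
	# A report without any LinksTo node means the GPO is not linked anywhere
	if (-not $GPOReport.GPO.LinksTo) { $array += $GPOReport.GPO | Select-Object @{n="GPO Name"; e={$dispGPO}}, CreatedTime, ModifiedTime }
}
# Output the unlinked GPOs with their creation and modification times
$array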
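
Both checks can be answered from one report per GPO, which also separates GPOs whose links are all disabled from those with only some disabled. The following is an added example, not code from the original post: the function name Get-GpoLinkStatus, its status labels and the sample reports are constructed here, and it reads the same LinksTo, SOMPath and Enabled elements as the scripts above.

```powershell
# Added example: classify a GPO from the XML that Get-GPOReport -ReportType Xml returns.
# Get-GpoLinkStatus and its status labels are hypothetical names, not part of the GroupPolicy module.
function Get-GpoLinkStatus {
    param([Parameter(Mandatory)][xml]$Report)

    # An unlinked GPO has no LinksTo node; @() normalises 0, 1 or many links to an array.
    $links    = @($Report.GPO.LinksTo | Where-Object { $_ })
    # The XML adapter returns element text as strings, so compare against 'false'.
    $disabled = @($links | Where-Object { $_.Enabled -eq 'false' })

    if ($links.Count -eq 0) {
        $status = 'Unlinked'
    } elseif ($disabled.Count -eq $links.Count) {
        $status = 'AllLinksDisabled'
    } elseif ($disabled.Count -gt 0) {
        $status = 'SomeLinksDisabled'
    } else {
        $status = 'Linked'
    }

    [pscustomobject]@{
        'GPO Name'    = $Report.DocumentElement['Name'].InnerText
        Status        = $status
        DisabledLinks = ($disabled | ForEach-Object { $_.SOMPath }) -join '; '
        ModifiedTime  = $Report.GPO.ModifiedTime
    }
}

# Constructed sample reports, trimmed to the elements the function reads.
$ns = 'http://www.microsoft.com/GroupPolicy/Settings'
$samples = @(
    "<GPO xmlns='$ns'><Name>Legacy-Proxy</Name><ModifiedTime>2015-03-02T10:00:00</ModifiedTime></GPO>"
    "<GPO xmlns='$ns'><Name>Old-Logon-Script</Name><ModifiedTime>2016-01-11T09:30:00</ModifiedTime><LinksTo><SOMPath>example.test/Sales</SOMPath><Enabled>false</Enabled></LinksTo></GPO>"
    "<GPO xmlns='$ns'><Name>Baseline</Name><ModifiedTime>2017-06-20T14:15:00</ModifiedTime><LinksTo><SOMPath>example.test</SOMPath><Enabled>true</Enabled></LinksTo><LinksTo><SOMPath>example.test/Lab</SOMPath><Enabled>false</Enabled></LinksTo></GPO>"
)

# Offline run over the samples. In a domain, replace $samples with:
#   Get-GPO -All | ForEach-Object { Get-GPOReport -Guid $_.Id -ReportType Xml }
$samples | ForEach-Object { Get-GpoLinkStatus -Report $_ } |
    Where-Object { $_.Status -ne 'Linked' } | Format-Table -AutoSize
```

Querying by Guid rather than display name keeps the report tied to one specific GPO when reviewing the candidates before any deletion.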

Reference for the Get-GPOReport cmdlet:

https://technet.microsoft.com/fr-fr/library/hh967460(v=wps.630).aspx

The Get-GPOReport cmdlet generates a report in either XML or HTML format that describes properties and policy settings for a specified GPO or for all GPOs in a domain. The information that is reported for each GPO includes: details, links, security filtering, WMI filtering, delegation, and computer and user configurations.

You can specify the All parameter to generate a report for every GPO in the domain, or you can specify either the Name or Guid parameter to generate a report for a single GPO. You can also pipe GPO objects into this cmdlet. If you specify a file by using the Path parameter, the report is written to a file; otherwise, it is printed to the display.

You can use the Domain parameter to explicitly specify the domain for this cmdlet.

If you do not explicitly specify the domain, the cmdlet uses a default domain. The default domain is the domain that is used to access network resources by the security context under which the current session is running. This domain is typically the domain of the user that is running the session. For example, the domain of the user who started the session by opening Windows PowerShell from the Program Files menu, or the domain of a user that is specified in a runas command. However, computer startup and shutdown scripts run under the context of the LocalSystem account. The LocalSystem account is a built-in local account, and it accesses network resources under the context of the computer account. Therefore, when this cmdlet is run from a startup or shutdown script, the default domain is the domain to which the computer is joined.

Only one domain can be used by an instance of this cmdlet. If you pipe a collection of GPO (Microsoft.GroupPolicy.Gpo) objects to this cmdlet, the DomainName property of the first GPO object in the collection specifies the domain for the cmdlet. (This is because “domainname” is a built-in alias for the Domain parameter, and the Domain parameter can take its value by property name from the pipeline.) A non-terminating error occurs for any GPOs in the collection that are not in this domain. If this domain is different from the domain of the user account (for startup or shutdown scripts, the computer account), a trust must exist between the two domains.

You will also find some scripts on my site that work with PowerShell and XML:
Play with the Windows Task Scheduler and XML
Get HP iLO board informations using XML
