August 11, 2017 at 4:33 pm

I'm doing some GPO cleanup and have identified GPOs that are disabled and/or not linked, but I also want to go through and find ones that don't have any security filtering.

What I have so far is:
get-gpo -all | Get-GPPermission -all | where permission -notmatch "gpoapply"

But what I don't know how to do is search based on NOT having gpoapply and also return the name of the GPO. I'm not locked down to this method of searching if someone has a better way.

Thoughts? Thanks!

August 11, 2017 at 5:04 pm

Well I did this

Get-GPO -All |
    %{
        # True whenever at least one ACL entry is something other than GpoApply
        If ( $_ | Get-GPPermission -All | where permission -NotMatch "gpoapply" )
        {
            Write-Host $_.DisplayName
        }
    }

and was able to get the display names, but that identified the flaw in my logic. Every GPO will have entries that don't match gpoapply!

Back to the drawing board...

August 11, 2017 at 8:42 pm

I've had the fun of working with GPOs recently as well and thought I would check to see if I could take a stab at it. Try the below.

Get-GPO -All | ForEach-Object{
	if ((Get-GPPermission -Guid $_.id -All).permission -notcontains "GpoApply")
	{
		Write-Output $_
	}
}

I'm returning the whole object there – you can of course modify this down to suit your needs (example: write-output $_.displayname), but I have learned after being bitten multiple times that when I filter output too early I almost always end up needing more of the object later on.

August 15, 2017 at 11:49 am

That worked, thank you!
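
Added example (not part of any post in this thread): it extends the `-notcontains "GpoApply"` check above into one report covering all three clean-up criteria from the first post, going beyond the single filter the thread settles on. The function name `Get-GpoCleanupReport` and the output property names are hypothetical; the cmdlets come from the GroupPolicy (RSAT) module.

```powershell
# Added example, not from the thread. Requires the GroupPolicy module (RSAT).
Import-Module GroupPolicy

function Get-GpoCleanupReport {   # hypothetical name
    foreach ($gpo in Get-GPO -All) {
        $perms = @(Get-GPPermission -Guid $gpo.Id -All)

        # Trustees with a standard "apply" entry (the security filter).
        $applyTo = @($perms |
            Where-Object { $_.Permission -eq 'GpoApply' } |
            ForEach-Object { $_.Trustee.Name })

        # GpoCustom entries do not map to a standard permission level,
        # so they are listed separately for manual review.
        $custom = @($perms |
            Where-Object { $_.Permission -eq 'GpoCustom' } |
            ForEach-Object { $_.Trustee.Name })

        # Links are not on the Get-GPO object; read them from the XML report.
        # Where-Object { $_ } drops the $null returned when no LinksTo node exists.
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        $links = @($report.GPO.LinksTo | Where-Object { $_ })

        # One row per GPO; keep the identifying fields so later filters can use them.
        [pscustomobject]@{
            DisplayName   = $gpo.DisplayName
            Id            = $gpo.Id
            AllDisabled   = $gpo.GpoStatus -eq 'AllSettingsDisabled'
            Linked        = $links.Count -gt 0
            HasGpoApply   = $applyTo.Count -gt 0
            ApplyTrustees = $applyTo -join '; '
            CustomAcl     = $custom -join '; '
        }
    }
}

# GPOs with no security filter at all, plus their link and status flags.
Get-GpoCleanupReport |
    Where-Object { -not $_.HasGpoApply } |
    Sort-Object DisplayName |
    Format-Table DisplayName, Linked, AllDisabled, CustomAcl -AutoSize
```

Rows where `CustomAcl` is non-empty should be checked by hand before removal, since a custom ACL entry is not reported as `GpoApply` even when it affects who the policy applies to.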