Find GPOs without security filtering

This topic contains 3 replies, has 2 voices, and was last updated by  Jon 3 days, 15 hours ago.

  • #77224

    Jon
    Participant

    I'm doing some GPO cleanup and have identified GPOs that are disabled and/or not linked, but I also want to go through and find ones that don't have any security filtering.

    What I have so far is:
    get-gpo -all | Get-GPPermission -all | where permission -notmatch "gpoapply"

    But what I don't know how to do is search based on NOT having gpoapply and also return the name of the GPO. I'm not locked down to this method of searching if someone has a better way.

    Thoughts? Thanks!

  • #77229

    Jon
    Participant

    Well, I did this:

    Get-GPO -All | 
        %{
           If ( $_ | Get-Gppermissions -all | where permission -NotMatch "gpoapply" )
            {
            Write-Host $_.DisplayName
            }
        }
    

    and was able to get the display names, but that identified the flaw in my logic. Every gpo will have entries that don't match gpoapply!

    Back to the drawing board...

  • #77245

    Paul DeArment Jr
    Participant

    I've had the fun of working with GPOs recently as well and thought I would check to see if I could take a stab at it. Try the below:

    Get-GPO -All | ForEach-Object{
    	if ((Get-GPPermission -Guid $_.id -All).permission -notcontains "GpoApply")
    	{
    		Write-Output $_
    	}
    }
    

    I'm returning the whole object there – You can of course modify this down to suit your needs (example: write-output $_.displayname) but I have learned after being bit multiple times that when I filter output too early I almost always end up needing more of the object later on.
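The check from the reply above, as an added example that is not part of the thread: it reports each GPO with no GpoApply entry and also lists GpoCustom trustees for manual review. The function name, the `-PermissionSource` parameter and the sample GPOs are hypothetical and constructed here; treating GpoCustom entries as needing review is this example's assumption.

```powershell
# Added example, not code from the thread. -PermissionSource is a hypothetical
# parameter; its default calls the real Get-GPPermission cmdlet.
function Get-GpoWithoutApply {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $Gpo,
        [scriptblock]$PermissionSource = { param($Id) Get-GPPermission -Guid $Id -All }
    )
    process {
        $entries = @(& $PermissionSource $Gpo.Id)
        $apply   = @($entries | Where-Object { "$($_.Permission)" -eq 'GpoApply' })
        if ($apply.Count -gt 0) { return }   # some trustee is in security filtering

        # Assumption: GpoCustom marks a hand-edited ACE that may still allow or
        # deny Apply, so surface those trustees instead of hiding them.
        $custom = @($entries | Where-Object { "$($_.Permission)" -eq 'GpoCustom' })
        [pscustomobject]@{
            DisplayName    = $Gpo.DisplayName
            Id             = $Gpo.Id
            GpoStatus      = $Gpo.GpoStatus
            CustomTrustees = $custom.Trustee.Name -join '; '
            NeedsReview    = $custom.Count -gt 0
        }
    }
}

# Constructed sample data shaped like Get-GPO / Get-GPPermission output.
function New-SampleAce($Name, $Permission) {
    [pscustomobject]@{ Trustee = [pscustomobject]@{ Name = $Name }; Permission = $Permission }
}
$sampleGpos = @(
    [pscustomobject]@{ DisplayName = 'Workstation Baseline'; Id = [guid]'11111111-1111-1111-1111-111111111111'; GpoStatus = 'AllSettingsEnabled' }
    [pscustomobject]@{ DisplayName = 'Old Printer Map';      Id = [guid]'22222222-2222-2222-2222-222222222222'; GpoStatus = 'AllSettingsEnabled' }
    [pscustomobject]@{ DisplayName = 'Kiosk Lockdown';       Id = [guid]'33333333-3333-3333-3333-333333333333'; GpoStatus = 'UserSettingsDisabled' }
)
$sampleAcl = @{
    '11111111-1111-1111-1111-111111111111' = @((New-SampleAce 'Authenticated Users' 'GpoApply'), (New-SampleAce 'Domain Admins' 'GpoEditDeleteModifySecurity'))
    '22222222-2222-2222-2222-222222222222' = @((New-SampleAce 'Authenticated Users' 'GpoRead'),  (New-SampleAce 'Domain Admins' 'GpoEditDeleteModifySecurity'))
    '33333333-3333-3333-3333-333333333333' = @((New-SampleAce 'Kiosk Users' 'GpoCustom'),        (New-SampleAce 'Domain Admins' 'GpoEditDeleteModifySecurity'))
}

# Offline run against the constructed data:
$sampleGpos | Get-GpoWithoutApply -PermissionSource { param($Id) $sampleAcl["$Id"] } | Format-Table -AutoSize

# Against a live domain (requires the GroupPolicy module):
# Get-GPO -All | Get-GpoWithoutApply
```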

  • #77299

    Jon
    Participant

    That worked, thank you!
