Finding GPOs Without User Configurations

This topic contains 1 reply, has 2 voices, and was last updated by  Matt Howard 2 years, 1 month ago.

  • Author
  • #39004

    Paul Frankovich

    I have been tasked with finding all of our GPOs applied to servers without user configurations and have them set to disable the user side, since we have some Citrix policies that apply loopback we cannot assume that it is all of them. I started with trying to use the UserVersion but quickly found out that some of our policies have had user settings at one point and now they don't so the version is higher than zero. So, I came up with using the Get-GPOReport in XML and testing that. This is the meat of the function I came up with but it is REALLY slow. I've searched and cannot find anything better. Any suggestiongs?

    $GPOs = Get-GPO -All | Where DisplayName -Like "Server -*"
    ForEach ($GPO in $GPOs)
        [xml]$XML = Get-GPOReport -Name $GPO.DisplayName -ReportType Xml
        If (-not $XML.GPO.User.ExtensionData)
            $GPO | Select DisplayName, ID, GpoStatus

    It works, but since it touches each GPO twice I'm thinking there has to be a better way I cannot seem to find.

  • #39012

    Matt Howard

    Try this one:

    Get-GPO -All | Where-Object { $_.DisplayName -like 'Server -*' } |
        ForEach-Object {
            [xml]$XML = Get-GPOReport -Name $_.DisplayName -ReportType Xml
            if (-not($XML.GPO.User.ExtensionData)) {
                $_ | Select-Object -Property DisplayName,Id,GpoStatus

    This runs Get-GPOReport as it retreives each GPO, with out the need to touch each GPO a second time.

    I tried it as a one-liner in the console like this:

    Get-GPO -All | ? { $_.DisplayName -like 'Server -*' } | % { [xml]$XML = Get-GPOReport -Name $_.DisplayName -ReportType Xml; if (-not($XML.GPO.User.ExtensionData)) { $_ | select DisplayName,Id,GpoStatus } }

You must be logged in to reply to this topic.