Finding GPOs Without User Configurations

Tagged: 

This topic contains 1 reply, has 2 voices, and was last updated by Profile photo of Matt Howard Matt Howard 4 months, 2 weeks ago.

Viewing 2 posts - 1 through 2 (of 2 total)
  • Author
    Posts
  • #39004
    Profile photo of Paul Frankovich
    Paul Frankovich
    Participant

    I have been tasked with finding all of our GPOs applied to servers without user configurations and have them set to disable the user side, since we have some Citrix policies that apply loopback we cannot assume that it is all of them. I started with trying to use the UserVersion but quickly found out that some of our policies have had user settings at one point and now they don't so the version is higher than zero. So, I came up with using the Get-GPOReport in XML and testing that. This is the meat of the function I came up with but it is REALLY slow. I've searched and cannot find anything better. Any suggestiongs?

    $GPOs = Get-GPO -All | Where DisplayName -Like "Server -*"
    
    ForEach ($GPO in $GPOs)
    {
        [xml]$XML = Get-GPOReport -Name $GPO.DisplayName -ReportType Xml
        If (-not $XML.GPO.User.ExtensionData)
        {
            $GPO | Select DisplayName, ID, GpoStatus
        }
    }

    It works, but since it touches each GPO twice I'm thinking there has to be a better way I cannot seem to find.

    #39012
    Profile photo of Matt Howard
    Matt Howard
    Participant

    Try this one:

    Get-GPO -All | Where-Object { $_.DisplayName -like 'Server -*' } |
        ForEach-Object {
            [xml]$XML = Get-GPOReport -Name $_.DisplayName -ReportType Xml
            if (-not($XML.GPO.User.ExtensionData)) {
                $_ | Select-Object -Property DisplayName,Id,GpoStatus
            }
        }
    

    This runs Get-GPOReport as it retreives each GPO, with out the need to touch each GPO a second time.

    I tried it as a one-liner in the console like this:

    Get-GPO -All | ? { $_.DisplayName -like 'Server -*' } | % { [xml]$XML = Get-GPOReport -Name $_.DisplayName -ReportType Xml; if (-not($XML.GPO.User.ExtensionData)) { $_ | select DisplayName,Id,GpoStatus } }
    
Viewing 2 posts - 1 through 2 (of 2 total)

You must be logged in to reply to this topic.