Author Posts

May 12, 2016 at 7:37 am

I have been tasked with finding all of our GPOs applied to servers without user configurations and have them set to disable the user side, since we have some Citrix policies that apply loopback we cannot assume that it is all of them. I started with trying to use the UserVersion but quickly found out that some of our policies have had user settings at one point and now they don't so the version is higher than zero. So, I came up with using the Get-GPOReport in XML and testing that. This is the meat of the function I came up with but it is REALLY slow. I've searched and cannot find anything better. Any suggestiongs?

$GPOs = Get-GPO -All | Where DisplayName -Like "Server -*"

ForEach ($GPO in $GPOs)
    [xml]$XML = Get-GPOReport -Name $GPO.DisplayName -ReportType Xml
    If (-not $XML.GPO.User.ExtensionData)
        $GPO | Select DisplayName, ID, GpoStatus

It works, but since it touches each GPO twice I'm thinking there has to be a better way I cannot seem to find.

May 12, 2016 at 11:13 am

Try this one:

Get-GPO -All | Where-Object { $_.DisplayName -like 'Server -*' } |
    ForEach-Object {
        [xml]$XML = Get-GPOReport -Name $_.DisplayName -ReportType Xml
        if (-not($XML.GPO.User.ExtensionData)) {
            $_ | Select-Object -Property DisplayName,Id,GpoStatus

This runs Get-GPOReport as it retreives each GPO, with out the need to touch each GPO a second time.

I tried it as a one-liner in the console like this:

Get-GPO -All | ? { $_.DisplayName -like 'Server -*' } | % { [xml]$XML = Get-GPOReport -Name $_.DisplayName -ReportType Xml; if (-not($XML.GPO.User.ExtensionData)) { $_ | select DisplayName,Id,GpoStatus } }