Using Powershell to find Group Policy Strangeness

Nov
30
2010

Do you have any GPOs which are “not doing anything”? If so, why?

If you have zillions of GPOs, here’s a quick cleanup tip.

Use a Windows 7 machine and PowerShell to quickly find all GPOs which have all their settings disabled.

Here’s an example GPO with all the settings disabled.

image

Sure, you COULD click on every stinkin’ GPO you have in your domain.

-OR- you can use Powershell to quickly get to the bottom of things.

1. On a Windows 7 machine, open a command prompt.

2. Type “Powershell” (no quotes.)

3. Type “import-module Grouppolicy” (no quotes.)

4. Type the command you see here: get-gpo –all | sort gpostatus

The ones with “AllSettingsDisabled” will bubble up to the top.

image

All the Powershell propeller-heads are rolling their eyes right now, because they know there’s a cleaner way to produce the output of this… showing ONLY the ones that actually match the GpoStatus of “AllSettingsDisabled.”

Yes, yes, you purists…

Here’s how to do it:

get-gpo –all | where { $_.GPOstatus –eq “AllSettingsDisabled”}

image

Hope this helps you out!

Copyright © GPanswers.com. All rights reserved. GPanswers.com is a service of PolicyPak Software