Get-GroupPolicyObject : Query AD to get Group Policy objects

This script uses the DirectoryServices.DirectorySearcher object to get all or a selection of Group Policy Objects. Because it relies on DirectoryServices.DirectorySearcher, the Active Directory module is not required and the script has no dependency on external modules.

 
 
 
 
 
Active Directory
7/30/2013


  • Restricted Group settings
    2 Posts | Last post July 29, 2016
    • Your script works when searching on settings with simple tags (i.e. firewall ports), but I can't get it to work on Restricted Group membership settings.
      <Computer>
        <VersionDirectory>2</VersionDirectory>
        <VersionSysvol>2</VersionSysvol>
        <Enabled>true</Enabled>
        <ExtensionData>
          <Extension xsi:type="q1:SecuritySettings" xmlns:q1="http://www.microsoft.com/GroupPolicy/Settings/Security">
            <q1:RestrictedGroups>
              <q1:GroupName>
                <SID xmlns="http://www.microsoft.com/GroupPolicy/Types">S-1-5-32-544</SID>
                <Name xmlns="http://www.microsoft.com/GroupPolicy/Types">BUILTIN\Administrators</Name>
              </q1:GroupName>
              <q1:Member>
                <SID xmlns="http://www.microsoft.com/GroupPolicy/Types">S-1-5-21-3417192146-1218046681-316906865-1106</SID>
                <Name xmlns="http://www.microsoft.com/GroupPolicy/Types">MFB2287\gpotest</Name>
              </q1:Member>
            </q1:RestrictedGroups>
          </Extension>
          <Name>Security</Name>
        </ExtensionData>
      </Computer>
      
      
      Do you have any suggestions?
      
      A little background: I have a new client (global enterprise size with 50,000 server objects in AD) that has thousands of GPOs and they are a mess. They have failed a security audit and need to clean up local admins on all servers. Over the years their GPOs have become quite a mess, and finding the correct GPOs manually is almost impossible.
      
      Thank you, Mark
      
      
      
      
      
    • What kind of information would you like to retrieve? What information is important for you to complete your task? If you know that, then you can start collecting the information accordingly.
      
      To give you an idea of what content is available you could run something along these lines:
      .\Get-GroupPolicyObject.ps1 testpolicy | Select-Object *,@{n='restrictedgroupscontent';
      e={(Get-Content -Path "$($_.Filepath)\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf") -join "`r`n"}}
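
Added example, not part of the thread or of the script: the GptTmpl.inf file read in the reply above stores Restricted Groups settings in its [Group Membership] section, and this sketch parses that section into objects that can be filtered by group SID. The function name Get-RestrictedGroupSetting and the sample file content are constructed for illustration; the SIDs are the ones from the XML in the question.

```powershell
# Added example (not from the thread): list Restricted Groups entries in GptTmpl.inf.
function Get-RestrictedGroupSetting {   # hypothetical helper name
    param([string[]]$InfContent)
    $inSection = $false
    foreach ($raw in $InfContent) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') {
            # Restricted Groups live in the [Group Membership] section
            $inSection = ($Matches[1] -eq 'Group Membership')
            continue
        }
        if (-not $inSection -or $line -eq '' -or $line.StartsWith(';')) { continue }
        # Keys are "<group>__Members" or "<group>__Memberof"; a leading '*' marks a SID
        if ($line -match '^(?<group>.+?)__(?<kind>Members|Memberof)\s*=\s*(?<value>.*)$') {
            $group = $Matches['group'].TrimStart('*')
            $kind  = $Matches['kind']
            $items = @($Matches['value'] -split ',' |
                       ForEach-Object { $_.Trim().TrimStart('*') } |
                       Where-Object { $_ })
            [pscustomobject]@{ Group = $group; Setting = $kind; Entries = $items }
        }
    }
}

# Constructed sample of a GptTmpl.inf that restricts BUILTIN\Administrators
$sample = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-3417192146-1218046681-316906865-1106
'@ -split "`r?`n"

# Show only the policies' member lists for the local Administrators group
Get-RestrictedGroupSetting -InfContent $sample |
    Where-Object { $_.Group -eq 'S-1-5-32-544' -and $_.Setting -eq 'Members' }

# Against a real GPO, pass the file the reply above reads (Filepath as used there):
# .\Get-GroupPolicyObject.ps1 testpolicy | ForEach-Object {
#     $inf = Join-Path $_.Filepath 'Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
#     if (Test-Path -LiteralPath $inf) { Get-RestrictedGroupSetting (Get-Content -LiteralPath $inf) }
# }
```

A GPO with no security template has no GptTmpl.inf, which is why the commented usage checks for the file before reading it.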