locked
Script to detect GPO's status and report to CSV file RRS feed

  • Question

  • I'm a complete novice with Powershell but love the flexibility it affords, so spend my time amending the work of others to suit my requirements. Unfortunately I've come up against a more complex report that's got me stumped.

    What I'd like to do is fill in the following spreadsheet automatically rather than sift through hundreds of GPOs to decide whether they should be kept, deleted or edited:

    GPO Name Enforced Linked In Scope Accounts Used Computer settings Enabled User Settings Enabled Empty Computer Empty User Edit or Leave Keep or Delete
    No Yes Yes No Enabled Enabled Not Empty Not Empty Leave Keep

    The last two cells have some funky logic to fill in their results based on the entries of the previous ones:

    =IF(OR(E2="Yes",AND(F2="Enabled",H2="Empty"),AND(G2="Enabled",I2="Empty")), "Edit","Leave")

    =IF(OR(C2="No",D2="No",AND(F2="Disabled",G2="Disabled"),AND(H2="Empty",I2="Empty")),"Delete","Keep")

    I've found various scripts that can return some of the values needed above but not all. The best I've found so far is from:

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/ef3ab577-d4fe-4246-a242-dd270edbbe3f/script-to-detect-gpo-linked-but-not-enabled?forum=winserverpowershell

    The end result by https://social.technet.microsoft.com/profile/jonathan%20borgeaud/?ws=usercard-mini 

    What I'd ideally like help with is individually reporting on each GPO found and return something like:

    GPO-Name,Enforced,Linked,InScope,AccountsUsed,ComputerEnabled,USerEnabled,EmptyComputer,EmptyUser

    I kind of think I'm asking WAY too much but it seems like a great way to quickly determine if you need to keep a GPO, delete it or edit the settings for best practice.

    Thanking you all in advance!

    Tuesday, September 18, 2018 9:41 AM