I'm a complete novice with PowerShell but love the flexibility it affords, so I spend my time amending the work of others to suit my requirements. Unfortunately I've come up against a more complex report that's got me stumped.
What I'd like to do is fill in the following spreadsheet automatically rather than sift through hundreds of GPOs to decide whether they should be kept, deleted or edited:
| GPO Name | Enforced | Linked | In Scope | Accounts Used | Computer settings Enabled | User Settings Enabled | Empty Computer | Empty User | Edit or Leave | Keep or Delete |
|---|---|---|---|---|---|---|---|---|---|---|
| | No | Yes | Yes | No | Enabled | Enabled | Not Empty | Not Empty | Leave | Keep |
The last two cells have some funky logic to fill in their results based on the entries of the previous ones:
=IF(OR(E2="Yes",AND(F2="Enabled",H2="Empty"),AND(G2="Enabled",I2="Empty")), "Edit","Leave")
=IF(OR(C2="No",D2="No",AND(F2="Disabled",G2="Disabled"),AND(H2="Empty",I2="Empty")),"Delete","Keep")
I've found various scripts that can return some of the values needed above but not all. The best I've found so far is from:
https://social.technet.microsoft.com/Forums/windowsserver/en-US/ef3ab577-d4fe-4246-a242-dd270edbbe3f/script-to-detect-gpo-linked-but-not-enabled?forum=winserverpowershell
The end result by https://social.technet.microsoft.com/profile/jonathan%20borgeaud/?ws=usercard-mini
What I'd ideally like help with is individually reporting on each GPO found and returning something like:
GPO-Name,Enforced,Linked,InScope,AccountsUsed,ComputerEnabled,UserEnabled,EmptyComputer,EmptyUser
I kind of think I'm asking WAY too much but it seems like a great way to quickly determine if you need to keep a GPO, delete it or edit the settings for best practice.
Thanking you all in advance!
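
An added example, not part of the original post or of the linked script: one way to build the requested row from the XML that `Get-GPOReport -ReportType Xml` produces and apply the two spreadsheet formulas in PowerShell. The function name `Get-GpoReviewRow`, the extra column names `EditOrLeave` and `KeepOrDelete`, and the sample XML are assumptions made for illustration; `InScope` and `AccountsUsed` are passed in by the caller because the post does not say how they are determined, and a GPO counts as "Empty" here when its Computer or User node has no `ExtensionData`.

```powershell
# Constructed sample shaped like Get-GPOReport -ReportType Xml output (not real data).
$sampleXml = @'
<GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings">
  <Name>Example-GPO</Name>
  <Computer><Enabled>true</Enabled></Computer>
  <User><Enabled>true</Enabled><ExtensionData><Name>Registry</Name></ExtensionData></User>
  <LinksTo><SOMPath>example.test/Workstations</SOMPath><Enabled>true</Enabled><NoOverride>false</NoOverride></LinksTo>
</GPO>
'@

function ConvertTo-YesNo([bool]$Value) { if ($Value) { 'Yes' } else { 'No' } }

# Hypothetical helper: turns one GPO XML report into one row of the spreadsheet.
function Get-GpoReviewRow {
    param(
        [Parameter(Mandatory)][xml]$Report,
        # Assumption: the caller decides these two values; the post does not define them.
        [ValidateSet('Yes', 'No')][string]$InScope = 'Yes',
        [ValidateSet('Yes', 'No')][string]$AccountsUsed = 'No'
    )
    $gpo   = $Report.GPO
    $links = @($gpo.LinksTo | Where-Object { $_ })   # empty array when the GPO has no links
    $row = [ordered]@{
        'GPO-Name'      = $gpo.Name
        Enforced        = ConvertTo-YesNo (@($links | Where-Object { $_.NoOverride -eq 'true' }).Count -gt 0)
        Linked          = ConvertTo-YesNo ($links.Count -gt 0)
        InScope         = $InScope
        AccountsUsed    = $AccountsUsed
        ComputerEnabled = if ($gpo.Computer.Enabled -eq 'true') { 'Enabled' } else { 'Disabled' }
        UserEnabled     = if ($gpo.User.Enabled -eq 'true') { 'Enabled' } else { 'Disabled' }
        EmptyComputer   = if ($gpo.Computer.ExtensionData) { 'Not Empty' } else { 'Empty' }
        EmptyUser       = if ($gpo.User.ExtensionData) { 'Not Empty' } else { 'Empty' }
    }
    # Same conditions as the two spreadsheet formulas (-and/-or share precedence, so keep the parentheses).
    $edit = $row.AccountsUsed -eq 'Yes' -or
            ($row.ComputerEnabled -eq 'Enabled' -and $row.EmptyComputer -eq 'Empty') -or
            ($row.UserEnabled -eq 'Enabled' -and $row.EmptyUser -eq 'Empty')
    $delete = $row.Linked -eq 'No' -or $row.InScope -eq 'No' -or
              ($row.ComputerEnabled -eq 'Disabled' -and $row.UserEnabled -eq 'Disabled') -or
              ($row.EmptyComputer -eq 'Empty' -and $row.EmptyUser -eq 'Empty')
    $row.EditOrLeave  = if ($edit) { 'Edit' } else { 'Leave' }
    $row.KeepOrDelete = if ($delete) { 'Delete' } else { 'Keep' }
    [pscustomobject]$row
}

Get-GpoReviewRow -Report $sampleXml | ConvertTo-Csv -NoTypeInformation
# Live use (needs the GroupPolicy module and a domain):
# Get-GPO -All | ForEach-Object { Get-GpoReviewRow -Report (Get-GPOReport -Guid $_.Id -ReportType Xml) }
```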