Remove deprecated IE Maintenance for domains GPO

    Question

  • I submit to the community this script I wrote to clean all domains GPOs from the old IE Maintenance.

    Please check the script carefully before executing it and give your contributions. I will not be responsible for any damages caused by the execution of this script.

    #Remove the deprecated IE Maintenance from all domain's GPOs
    #Author: Giacomin Enrico
    #Last modified 20/1/2017
    #Get all GPOs
    $gpos= Get-ADObject -Filter * -SearchBase "CN=Policies,CN=System,DC=caaf,DC=loc" | ? {($_.distinguishedName -like "CN=*,CN=Policies,CN=System,DC=caaf,DC=loc") -and ($_.objectClass -eq "groupPolicyContainer")}
    #Log file
    $logFile="c:\agg\log99.txt"
    #Strings
    $find="\[{A2E30F80-D7DE-11D2-BBDE-00C04F86AE3B}{FC715823-C5FB-11D1-9EEF-00A0C90347FF}]"
    $replace=""
    #substitution loop
    foreach($gpo in $gpos){
    #Get Object properties
    $gpoAttrValue= $gpo | Get-ADObject -Properties gPCUserExtensionNames,distinguishedName,displayName
    # Check IE GPO extension and replace it
    if ($gpoAttrValue.gPCUserExtensionNames -match $find){
        $newGpoAttrValue=$gpoAttrValue.gPCUserExtensionNames -replace $find, $replace
        #Write a log file
        Write-Output "###########################################################" | Out-File $logFile -Append
        Write-Output "DN della GPO" | Out-File $logFile -Append
        Write-Output $gpoAttrValue.DistinguishedName | Out-File $logFile -Append
        Write-Output "Nome della GPO" | Out-File $logFile -Append
        Write-Output $gpoAttrValue.DisplayName| Out-File $logFile -Append
        Write-Output "Estensioni presenti prima della sostituzione" | Out-File $logFile -Append
        Write-Output $gpoAttrValue.gPCUserExtensionNames | Out-File $logFile -Append
        Write-Output "Estensioni presenti dopo la sostituzione" | Out-File $logFile -Append
        Write-Output "$newGpoAttrValue" | Out-File $logFile -Append
        #Replacing attribute value (still commented - remove # if you are sure it's working)
        #Set-ADObject -Identity $gpoAttrValue.DistinguishedName -Replace @{gPCUserExtensionNames="$newGpoAttValue"}
        }
    }

    #End

    I'll be very glad to receive your comments and corrections. Thank you.

    Enrico



    Friday, January 20, 2017 3:37 PM

All replies

  • I corrected a mistake on the set-adobject and added some details to the log:

    #Remove the deprecated IE Maintenance from all domain's GPOs
    #Author: Giacomin Enrico
    #Last modified 20/1/2017
    #Get all GPOs
    $gpos= Get-ADObject -Filter * -SearchBase "CN=Policies,CN=System,DC=caaf,DC=loc" | ? {($_.distinguishedName -like "CN=*,CN=Policies,CN=System,DC=caaf,DC=loc") -and ($_.objectClass -eq "groupPolicyContainer")}
    #Log file
    $logFile="c:\agg\log99.txt"
    #Strings
    $find="\[{A2E30F80-D7DE-11D2-BBDE-00C04F86AE3B}{FC715823-C5FB-11D1-9EEF-00A0C90347FF}]"
    $replace=""
    #substitution loop
    foreach($gpo in $gpos){
        #Get Object properties
        $gpoAttrValue= $gpo | Get-ADObject -Properties gPCUserExtensionNames,distinguishedName,displayName
        # Check IE GPO extension and replace it
        if ($gpoAttrValue.gPCUserExtensionNames -match $find){
            $actGpoAttrValue=$gpoAttrValue.gPCUserExtensionNames
            $newGpoAttrValue=$actGpoAttrValue -replace $find, $replace
            #Write a log file
            Write-Output "###########################################################" | Out-File $logFile -Append
            Write-Output "DN of the GPO" | Out-File $logFile -Append
            Write-Output $gpoAttrValue.DistinguishedName | Out-File $logFile -Append
            Write-Output "GPO Name" | Out-File $logFile -Append
            Write-Output $gpoAttrValue.DisplayName| Out-File $logFile -Append
            Write-Output "Original GPO extensions" | Out-File $logFile -Append
            Write-Output "$actGpoAttrValue" | Out-File $logFile -Append
            Write-Output "New GPO extensions" | Out-File $logFile -Append
            Write-Output "$newGpoAttrValue" | Out-File $logFile -Append
            #Replacing attribute value (still commented - remove # if you are sure it's working)
            #get-ADObject "CN={CF0C681B-FCF9-49DE-B853-ABECB65449A6},CN=Policies,CN=System,DC=caaf,DC=loc" -Properties * | Set-ADObject -clear gPCUserExtensionNames
            #get-ADObject "CN={CF0C681B-FCF9-49DE-B853-ABECB65449A6},CN=Policies,CN=System,DC=caaf,DC=loc" -Properties * | Set-ADObject -add @{gPCUserExtensionNames="$newGpoAttrValue"}
        }
        else{
            Write-Output "###########################################################" | Out-File $logFile -Append
            Write-Output "DN della GPO" | Out-File $logFile -Append
            Write-Output $gpoAttrValue.DistinguishedName | Out-File $logFile -Append
            Write-Output "GPO Distinguished name" | Out-File $logFile -Append
            Write-Output $gpoAttrValue.DisplayName| Out-File $logFile -Append
            Write-Output "Original GPO extensions" | Out-File $logFile -Append
            Write-Output $gpoAttrValue.gPCUserExtensionNames | Out-File $logFile -Append
            Write-Output "New GPO extensions" | Out-File $logFile -Append
        }
    }


    Saturday, January 21, 2017 5:42 PM
  • > $gpoAttrValue= $gpo | Get-ADObject -Properties gPCUserExtensionNames,distinguishedName,displayName
     
    Suggestion: Add some code to clean up the Sysvol folder...
    Get the gPCFileSysPath attribute, check for .\User\IEAK. If present, delete.
     
    >     #Set-ADObject -Identity $gpoAttrValue.DistinguishedName -Replace @{gPCUserExtensionNames="$newGpoAttValue"}
     
    If you convert your code to an advanced function, you can use -WhatIf
     
     
    Monday, January 23, 2017 9:04 AM
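
Added example (not part of the thread, and not the poster's script): the attribute change wrapped in an advanced function with `SupportsShouldProcess`, so that `-WhatIf` and `-Confirm` work as suggested in the reply above. The function name `Remove-IEMaintenanceExtension` and its `-DomainDN` parameter are hypothetical; the GUID pair is the one used in the thread's script.

```powershell
# Added example, not the poster's script. The function name is hypothetical.
function Remove-IEMaintenanceExtension {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Domain DN such as "DC=domain,DC=loc"; defaults to the current domain
        [string]$DomainDN = (Get-ADDomain).DistinguishedName
    )

    # IE Maintenance GUID pair from the thread's script, escaped for -match/-replace
    $pattern = [regex]::Escape('[{A2E30F80-D7DE-11D2-BBDE-00C04F86AE3B}{FC715823-C5FB-11D1-9EEF-00A0C90347FF}]')

    # One LDAP query: direct children of CN=Policies that are GPO containers
    $gpos = Get-ADObject -SearchBase "CN=Policies,CN=System,$DomainDN" -SearchScope OneLevel `
        -LDAPFilter '(objectClass=groupPolicyContainer)' `
        -Properties gPCUserExtensionNames, displayName

    foreach ($gpo in $gpos) {
        $old = [string]$gpo.gPCUserExtensionNames
        if ($old -notmatch $pattern) { continue }
        $new = $old -replace $pattern, ''

        $changed = $false
        if ($PSCmdlet.ShouldProcess($gpo.DistinguishedName, 'Remove IE Maintenance from gPCUserExtensionNames')) {
            if ($new) {
                Set-ADObject -Identity $gpo.DistinguishedName -Replace @{ gPCUserExtensionNames = $new }
            }
            else {
                # IEM was the only user extension: nothing is left to store, so clear the attribute
                Set-ADObject -Identity $gpo.DistinguishedName -Clear gPCUserExtensionNames
            }
            $changed = $true
        }

        # One record per affected GPO; pipe to Export-Csv to keep a before/after log
        [pscustomobject]@{
            DisplayName = $gpo.displayName
            DN          = $gpo.DistinguishedName
            Before      = $old
            After       = $new
            Changed     = $changed
        }
    }
}

# Dry run: reports what would change without writing to AD
# Remove-IEMaintenanceExtension -WhatIf
```

With `-WhatIf` the function still emits the before/after records (with `Changed` set to `$false`), so the output of a dry run can be reviewed before any write is made.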
  • Thank you Martin,

    As usual, you give good suggestions. Here is the script with a few lines to delete the content of the IEAK folders. I was wondering if the remove-item -path (gPCFileSysPath value) works correctly, as sometimes I got errors deleting files from the sysvol share because of elevation privilege. But it seems it works.

     

    #Remove the deprecated IE Maintenance from all domain's GPOs
    #Author: Giacomin Enrico
    #Last modified 23 Jan 2017
    #Version 1.1

    #Get all GPOs
    $gpos= Get-ADObject -Filter * -SearchBase "CN=Policies,CN=System,DC=domain,DC=loc" | ? {($_.distinguishedName -like "CN=*,CN=Policies,CN=System,DC=domain,DC=loc") -and ($_.objectClass -eq "groupPolicyContainer")}
    #Log file
    $logFile="c:\agg\log99.txt"
    #Strings
    $find="\[{A2E30F80-D7DE-11D2-BBDE-00C04F86AE3B}{FC715823-C5FB-11D1-9EEF-00A0C90347FF}]"
    $replace=""

    #substitution loop
    foreach($gpo in $gpos){
        #Get Object properties
        $gpoAttrValue= $gpo | Get-ADObject -Properties gPCUserExtensionNames,distinguishedName,displayName,gPCFileSysPath

        # Check IE GPO extension and replace it
        if ($gpoAttrValue.gPCUserExtensionNames -match $find){
            $actGpoAttrValue=$gpoAttrValue.gPCUserExtensionNames
            $newGpoAttrValue=$actGpoAttrValue -replace $find, $replace
            #Write a log file
            Write-Output "###########################################################" | Out-File $logFile -Append
            Write-Output "DN della GPO" | Out-File $logFile -Append
            Write-Output $gpoAttrValue.DistinguishedName | Out-File $logFile -Append
            Write-Output "Nome della GPO" | Out-File $logFile -Append
            Write-Output $gpoAttrValue.DisplayName| Out-File $logFile -Append
            Write-Output "Estensioni presenti prima della sostituzione" | Out-File $logFile -Append
            Write-Output "$actGpoAttrValue" | Out-File $logFile -Append
            Write-Output "Estensioni presenti dopo la sostituzione" | Out-File $logFile -Append
            Write-Output "$newGpoAttrValue" | Out-File $logFile -Append
            #Replace the attribute value: clear it, then add the new value
            get-ADObject $gpoAttrValue.DistinguishedName -Properties * | Set-ADObject -clear gPCUserExtensionNames
            get-ADObject $gpoAttrValue.DistinguishedName -Properties * | Set-ADObject -add @{gPCUserExtensionNames="$newGpoAttrValue"}
            #Delete IEAK from the sysvol folder
            $IEAKPath=$gpoAttrValue.gPCFileSysPath+"\IEAK\"
            if (Test-Path $IEAKPath){
                Remove-Item ("$IEAKPath"+"*\") -recurse
            }
        }
        else{
            #Write a log file
            Write-Output "###########################################################" | Out-File $logFile -Append
            Write-Output "DN della GPO" | Out-File $logFile -Append
            Write-Output $gpoAttrValue.DistinguishedName | Out-File $logFile -Append
            Write-Output "Nome della GPO" | Out-File $logFile -Append
            Write-Output $gpoAttrValue.DisplayName| Out-File $logFile -Append
            Write-Output "Estensioni presenti prima della sostituzione" | Out-File $logFile -Append
            Write-Output $gpoAttrValue.gPCUserExtensionNames | Out-File $logFile -Append
            Write-Output "Attributo non modificato" | Out-File $logFile -Append
        }
    }




    Monday, January 23, 2017 11:28 AM
  • > As usual, you give good suggestions.
     
    One more to give away for free :-)
     
    Bells and whistles if you increase the GPO user version by 1, so clients will pick up that IEM was removed.
    This requires updating the version attribute of the GPO as well as the version entry in the gpt.ini.
     
    (Or - maybe easier - creating a dummy GPP registry value and immediately deleting it. This would increase the version by 4, AFAIK.)
     
    Monday, January 23, 2017 2:08 PM
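
Added example (not part of the thread): one way to raise the GPO user version by 1 in both places named in the last reply, the `versionNumber` attribute and the `Version=` entry in gpt.ini. The function name `Step-GpoUserVersion` and its `-GpoDN` parameter are hypothetical; the code relies on `versionNumber` holding the user version in its high 16 bits and the computer version in its low 16 bits, with gpt.ini carrying the same combined number.

```powershell
# Added example, not from the thread. The function name is hypothetical.
function Step-GpoUserVersion {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$GpoDN   # distinguishedName of the groupPolicyContainer
    )

    $gpo = Get-ADObject -Identity $GpoDN -Properties versionNumber, gPCFileSysPath

    # versionNumber packs two counters: user version in the high 16 bits,
    # computer version in the low 16 bits
    $current = [int]$gpo.versionNumber
    $userVer = ($current -shr 16) -band 0xFFFF
    $compVer = $current -band 0xFFFF
    if ($userVer -ge 0x7FFF) { throw "User version $userVer is too high to bump safely: $GpoDN" }
    $next = (($userVer + 1) -shl 16) -bor $compVer

    $gptIni = Join-Path $gpo.gPCFileSysPath 'gpt.ini'
    if (-not (Test-Path -LiteralPath $gptIni)) { throw "gpt.ini not found: $gptIni" }

    if ($PSCmdlet.ShouldProcess($GpoDN, "Set version $current -> $next in AD and gpt.ini")) {
        # Rewrite only the Version= line; every other line is kept as it is
        $lines = Get-Content -LiteralPath $gptIni
        $lines = $lines -replace '^\s*Version\s*=\s*\d+\s*$', "Version=$next"
        Set-Content -LiteralPath $gptIni -Value $lines

        # Keep the directory object in step with the file on SYSVOL
        Set-ADObject -Identity $GpoDN -Replace @{ versionNumber = $next }
    }

    # Report the values that were (or, with -WhatIf, would be) written
    [pscustomobject]@{
        GpoDN            = $GpoDN
        OldVersionNumber = $current
        NewVersionNumber = $next
        NewUserVersion   = $userVer + 1
        ComputerVersion  = $compVer
    }
}

# Dry run for one GPO (placeholder DN):
# Step-GpoUserVersion -GpoDN 'CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=domain,DC=loc' -WhatIf
```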