I created a small function called Get-ADGPOReplication to easily compare the versions of each Group Policy Objects (User and Computer Configurations) on each Domain Controllers in the Domain.
 |
| Get-ADGPOReplication sent to Out-Gridview |
Showing posts with label Group Policy. Show all posts
Showing posts with label Group Policy. Show all posts
2014/10/01
PowerShell - Check the GPO Replication accross your domain
I created a small function called Get-ADGPOReplication to easily compare the versions of each Group Policy Objects (User and Computer Configurations) on each Domain Controllers in the Domain.
2012/05/11
Group Policy Health PowerShell Cmdlet Updated
SDM Software just updated their Group Policy Health Powershell Cmdlet to version 1.2
Once Download and Install, all you need to do is:
Import-Module SDM-GPHealth
Here is the only cmdlet available for this module Get-SDMGPHealth, this is the full help.
Once Download and Install, all you need to do is:
Import-Module SDM-GPHealth
Here is the only cmdlet available for this module Get-SDMGPHealth, this is the full help.
NAME
Get-SDMGPHealth
SYNOPSIS
Retrieves Group Policy Processing Health on local or remote Windows systems.
SYNTAX
Get-SDMGPHealth [-ComputerName] [-Credentials ] [-OutputbyXml] [-NoComputer] [-NoUser] [-NoG
PO] [-NoCSE] []
Get-SDMGPHealth [-OU] [-Credentials ] [-OutputbyXml] [-NoComputer] [-NoUser] [-NoGPO] [-NoCS
E] []
Get-SDMGPHealth [-DomainName] [-Credentials ] [-OutputbyXml] [-NoComputer] [-NoUser] [-NoGPO
] [-NoCSE] []
DESCRIPTION
This cmdlet leverages in-depth knowledge of Group Policy processing to return overall health as well as detailed in
formation on three main areas of Group Policy processing. The first is general information, which provides informat
ion such as host OS version, whether loopback was detected, fast logon optimization, etc. The second area is a list
of GPOs currently processed by computer and user. The third is a list of CSEs run by computer and user, and what G
POs ran for each CSE. An OverallStatus property is also returned which provides a quick "red or green" status of GP
processing on the target system, based on whether either Core or CSE processing failed for the client
PARAMETERS
-ComputerName
This parameter is used for targeting a single system and expects the hostname of the machine in question.
Required? true
Position? 1
Default value
Accept pipeline input? true (ByValue, ByPropertyName)
Accept wildcard characters? false
-Credentials
This parameter is expecting a PSCredential object containing a username and password that will be used when mak
ing a connection to the target(s). You can create such an object by call get-credential and assigning it to a v
ariable, then passing that variable into this parameter. Note that this cmdlet requires the ability to remotely
query a system via WMI. As such, any credentials passed must have this ability.
Required? false
Position? named
Default value
Accept pipeline input? true (ByValue)
Accept wildcard characters? false
-OutputbyXml
If this optional parameter is used, the results of the GPHealth call will be logged to an XMLDocument object. T
his object contains the more detail than the default output format, and should be used to if more detail is req
uired or you need a structured data model to import into a database.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-NoComputer
Use this optional parameter if you want to exclude per-computer status from the health report.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-NoUser
Use this optional parameter if you want to exclude per-user status from the health report.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-NoGPO
Use this optional parameter if you want to exclude GPO status from the health report. No GPO details will be pr
ovided in this case.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-NoCSE
Use this optional parameter if you want to exclude CSE status from the health report. No CSE details will be pr
ovided in this case.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-OU
This parameter would be used in place of -ComputerName. If you specify this parameter and supply the DN of an O
U in AD domain, then that OU is searched for all computer objects and those computer objects are used as target
s for the health cmdlet. The cmdlet runs against each computer in turn and outputs the results to the console.
For example, -OU "OU=Marketing,DC=cpandl,DC=com"
Required? true
Position? 1
Default value
Accept pipeline input? true (ByValue, ByPropertyName)
Accept wildcard characters? false
-DomainName
This parameter would be used in place of -ComputerName or -OU. If you specify this parameter and supply the DN
of an AD domain, then that entired domain is searched for all computer objects and those computer objects are u
sed as targets for the health cmdlet. The cmdlet runs against each computer in turn and outputs the results to
the console. For example, -DomainName "DC=cpandl,DC=com"
Required? true
Position? 1
Default value
Accept pipeline input? true (ByValue, ByPropertyName)
Accept wildcard characters? false
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer and OutVariable. For more information, type,
"get-help about_commonparameters".
INPUTS
System.String
OUTPUTS
Sdmsoftware.SDMGPHealthResult, System.XML
NOTES
-------------- Example 1 --------------
C:\PS>get-SDMGPHealth -ComputerName xp3
Returns GP Health information for a host named XP3
OverallStatus : red
TimeLogged : 6/18/2008 1:34:09 AM
HostName : xp3
Domain : cpandl.com
OSVersion : Microsoft Windows XP Professional, Service Pack 2
ComputerCoreStatus : The operation completed successfully
UserCoreStatus : The operation completed successfully
FastLogonEnabled : False
ComputerSlowLinkDetected : False
Loopback : None
DCUsed : \\sdm2.cpandl.com
ComputerElapsedTime : 00:00:04
CurrentLoggedOnUser : CPANDL\test
UserSlowLinkDetected : False
UserElapsedTime : 00:00:01
ComputerGPOsProcessed : {Local Group Policy, Default Domain Policy, Scripts TEst, Windows Update Test...}
UserGPOsProcessed : {Local Group Policy, Default Domain Policy, Scripts TEst, Windows Update Test...}
ComputerCSEsProcessed : {Registry, Scripts, Internet Explorer Zonemapping, Security...}
UserCSEsProcessed : {Folder Redirection, Registry, Scripts, Internet Explorer Zonemapping...}
-------------- Example 2 --------------
C:\PS>get-SDMGPHealth -ComputerName XP3 -NoCSE
Returns GP Health information for a host named XP3 without Client Side Extension (CSE) information
OverallStatus : green
TimeLogged : 6/18/2008 1:36:58 AM
HostName : xp3
Domain : cpandl.com
OSVersion : Microsoft Windows XP Professional, Service Pack 2
ComputerCoreStatus : The operation completed successfully
UserCoreStatus : The operation completed successfully
FastLogonEnabled : False
ComputerSlowLinkDetected : False
Loopback : None
DCUsed : \\sdm2.cpandl.com
ComputerElapsedTime : 00:00:04
CurrentLoggedOnUser : CPANDL\test
UserSlowLinkDetected : False
UserElapsedTime : 00:00:01
ComputerGPOsProcessed : {Local Group Policy, Default Domain Policy, Scripts TEst, Windows Update Test...}
UserGPOsProcessed : {Local Group Policy, Default Domain Policy, Scripts TEst, Windows Update Test...}
ComputerCSEsProcessed :
UserCSEsProcessed :
-------------- Example 3 --------------
C:\PS>(Import-Csv hosts.csv | Get-SDMGPHealth | ft HostName, OverallStatus) 2>errors.txt
This example leverages the import-csv cmdlet to pass a list of hostnames to the GP Health cmdlet. Then, the output
is piped into a format-table cmdlet that only returns the hostname and overall status. If any hosts return an error
, the error is redirected to a file called errors.txt
HostName OverallStatus
-------- -------------
xp3 red
sdm1 red
sdm2 green
xp2 green
member100 green
-------------- Example 4 --------------
C:\PS>$creds= Get-Credential ; Get-SDMGPHealth -ComputerName child1 -Credentials $creds
These two commands first assign the call to get-Credential to a variable called $creds, and then then use that to p
ass alternate credentials to the Health cmdlet using the -Credentials parameter
cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential
OverallStatus : green
TimeLogged : 6/18/2008 2:12:50 AM
HostName : child1
Domain : west.cpandl.com
OSVersion : Microsoft(R) Windows(R) Server 2003, Standard Edition, Service Pack 1
ComputerCoreStatus : The operation completed successfully
UserCoreStatus : The operation completed successfully
FastLogonEnabled : False
ComputerSlowLinkDetected : False
Loopback : None
DCUsed : \\child1.west.cpandl.com
ComputerElapsedTime : 00:00:00
CurrentLoggedOnUser :
UserSlowLinkDetected : False
UserElapsedTime : 00:00:00
ComputerGPOsProcessed : {Local Group Policy, Default Domain Policy, Default Domain Controllers Policy}
UserGPOsProcessed : {}
ComputerCSEsProcessed : {Registry, Security, EFS recovery}
UserCSEsProcessed : {}
-------------- Example 5 --------------
C:\PS>(Get-SDMGPHealth -ComputerName xp3 -OutputbyXml).Save(".\output.xml")
This example leverages the OutputbyXML parameter to dump the contents of the Health cmdlet to an XML file called ou
tput.xml. It uses the fact that the output type of the call to this cmdlet with this parameter is an XMLDocument ob
ject, which contains the Save() method to save the contents to an XML file.
RELATED LINKS
http://www.sdmsoftware.com/group_policy_scripting
2012/04/04
Using PowerShell as a Starting Point for Comparing GPOs
source
Video Transcript
Comparing two Group Policy Objects can be pretty tricky with the native tools. Here in the Group Policy Management console or GPMC I have created two different GPO’s, test 1 and test 2. Now if we open one up each of these only setting a couple of settings. You will find it under Computer Configuration/Polices/Windows Settings/Security Settings/Event Log. What I have done is set the Retain security log in this one to 75 days and the other test GPO to 7 days. Then both of them set the retention method for security log to By days.
Right here in the GPMC there is nothing I can really do to compare these two things. What I have done is hop on Google, I punched in compare GPO and I found this script that was written by Ed Wilson, the scripting guy at Microsoft. He has helpfully posted this in the repository and what I have done is take the scripts default parameters to reflect my environment. I provided the domain name, the name of the controller, my two GPO’s, and then the folder where I want the comparison information to be written.
You do not have to set that information, it is possible to provide all of those perimeters when you run the script. For example, we will hop down here. There is the name of the script. Now because I have set all of those perimeters to what I want them to be by default I do not need to specify the GPO names, or the domain name, or the server names, or any of that. But I do need to specify either -computer or -user, based on which side of the GPO, the computer settings or the user settings, I want to compare.
Running this, it is actually outputting both GPO’s test 2 and test 1 to an xml file and it is indicating that both of these GPO’s change the same settings. I see AuditLogRetentionPeriod and RetentionDays. Unfortunately because of the way this output is created I cannot really tell that it is the security audit log that was changed. I see both of them changed that setting, but I do not actually see what they changed it to just with that default output.
This is why some people will start looking at third party tools. If you hop into Google or your favorite search engine and type compare GPO tool, you will find plenty of different results. The key and one of the things I discuss in the article, Native Methods for Comparing Group Policy Objects, that accompanies this video is in deciding exactly what you are going to do with that comparison, because different tools provide you with that information in different ways. For example, if you just need a quick check of what settings two GPO’s do, well then this little script can do that for you. If you need to dive deeper and maybe get a color coded change management report that shows what values are different from GPO to GPO well, then you are going to have to either do more work with something like PowerShell or find some tools that implement that for you.
Subscribe to:
Posts (Atom)