Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2006-11-15) Finding Unused GPOs

Posted by Jorge on 2006-11-15


Over time you may have gone crazy and created and used a lot of GPOs. Some may be disabled, not linked, orphaned in the SYSVOL, or have no settings configured. So how can you check which GPOs meet the criteria mentioned above without opening a GUI and checking each and every GPO?

The answer is easy! GPMC is your friend! 😉

To find disabled GPOs in the AD domain (FindDisabledGPOs.wsf)

  • This will output all GPOs in the AD domain that are completely disabled, or that have only the computer part or only the user part disabled
    • cscript FindDisabledGPOs.wsf /domain:<FQDN AD domain>

To find unlinked GPOs in the AD domain (FindUnlinkedGPOs.wsf)

  • This will output all GPOs in the AD domain that are not linked to any OU within the AD domain or the AD domain itself. It will not check sites or other AD domains in the forest.
    • cscript FindUnlinkedGPOs.wsf /domain:<FQDN AD domain>

To find orphaned GPOs in the SYSVOL (FindOrphanedGPOsInSYSVOL.wsf)

  • This will output all GPOs that exist in the SYSVOL but not in the AD domain anymore.
    • cscript FindOrphanedGPOsInSYSVOL.wsf /domain:<FQDN AD domain>

To find GPOs with NO settings defined in both the computer part and user part (GetReportsForAllGPOs.wsf)

  • This will create a report for EACH GPO in the AD domain (HTML and XML files).
    • cscript GetReportsForAllGPOs.wsf <location for reports> /domain:<FQDN AD domain>
  • The following will check each HTML file for the string "No Settings Defined" and, when found, output the name of the GPO into the TXT file. Put the script in the same location as the GPO reports. Each GPO that lists "No Settings Defined" TWICE has no GPO settings configured.
    • GPOsWithSettingsOrNot.CMD (see contents of script below)
      • @ECHO OFF
      • CLS
      • REM Start with a fresh output file
      • IF EXIST "GPOsWithSettingsOrNot.txt" (DEL GPOsWithSettingsOrNot.txt)
      • REM Search every HTML report in the current folder for the marker string
      • FOR /F "tokens=*" %%A IN ('DIR /B "*.HTML"') DO (
      • FIND /i "No settings defined" "%%A" >> GPOsWithSettingsOrNot.txt
      • )
      • NOTEPAD GPOsWithSettingsOrNot.txt

The output of "GPOsWithSettingsOrNot.txt" looks like this (the GPOs colored red in the original post, which list the line twice, have no GPO settings defined in both the computer and user part):

---------- CLIENTS POLICY.HTML

---------- CUSTOM DOMAIN CONTROLLERS POLICY.HTML

---------- DEFAULT DOMAIN CONTROLLERS POLICY.HTML
<div class="container"><div class="he4i">No settings defined.</div></div>

---------- DEFAULT DOMAIN POLICY.HTML

---------- DEFRAG SETTINGS.HTML
<div class="container"><div class="he4i">No settings defined.</div></div>

---------- MEMBER SERVERS POLICY.HTML

---------- NEW GROUP POLICY OBJECT.HTML
<div class="container"><div class="he4i">No settings defined.</div></div>
<div class="container"><div class="he4i">No settings defined.</div></div>

---------- TEST.HTML
<div class="container"><div class="he4i">No settings defined.</div></div>
<div class="container"><div class="he4i">No settings defined.</div></div>
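
The "listed TWICE" check above can also be counted per report instead of read off the text file by eye. The following PowerShell is an added example, not part of the original post or of the GPMC sample scripts; the function name Get-GpoReportSettingState and the sample reports are constructed for illustration, and it assumes PowerShell 3.0 or later.

```powershell
# Added example: count the "No settings defined" marker in each GPO HTML report.
# Per the post, a report that lists the marker twice has no settings in either
# the computer part or the user part.
function Get-GpoReportSettingState {
    param([Parameter(Mandatory)][string]$ReportDir)

    Get-ChildItem -Path $ReportDir -Filter '*.html' -File | ForEach-Object {
        # Cast to [string] so an empty report yields '' instead of $null.
        $text  = [string](Get-Content -LiteralPath $_.FullName -Raw)
        $count = [regex]::Matches($text, 'No settings defined', 'IgnoreCase').Count
        $state = switch ($count) {
            0       { 'Settings in both parts' }
            1       { 'One part has no settings' }
            2       { 'No settings in either part' }
            default { 'Unexpected marker count, review manually' }
        }
        [pscustomobject]@{ GPO = $_.BaseName; Markers = $count; State = $state }
    }
}

# --- Constructed sample reports (stand-ins for GetReportsForAllGPOs.wsf output) ---
$dir = Join-Path ([IO.Path]::GetTempPath()) ('gporeports-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $dir | Out-Null
$marker = '<div class="container"><div class="he4i">No settings defined.</div></div>'

Set-Content -Path (Join-Path $dir 'CLIENTS POLICY.HTML')  -Value '<html>constructed report</html>'
Set-Content -Path (Join-Path $dir 'DEFRAG SETTINGS.HTML') -Value $marker
Set-Content -Path (Join-Path $dir 'TEST.HTML')            -Value ($marker, $marker)

# List the reports, emptiest GPOs first.
Get-GpoReportSettingState -ReportDir $dir |
    Sort-Object Markers -Descending |
    Format-Table -AutoSize

# Clean up the constructed sample folder.
Remove-Item -LiteralPath $dir -Recurse -Force
```

Against real reports, call the function with the folder that was passed to GetReportsForAllGPOs.wsf as the report location.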

Cheers,
Jorge