This is what I use to check for empty GPOs. It checks the XML report for empty
user configuration and computer configuration sections, and dumps the name and
last modified timestamp of the empty GPOs to an output file. Darren had posted
a while back on his GPTalk list that checking for empty user and computer
configuration settings isn't 100% accurate, but I haven't had a chance to
follow up and see what the edge cases are. Regardless, I end up checking the
GPOs that get flagged as empty before I delete them just to be sure.
#System Requirements:
# SDM Group Policy cmdlets
# Group Policy Management Console (GPMC.msc)
# Powershell v2
#---------------------------------------------------------------
#---------------------------------------------------------------
#requires -version 2
$gpm = new-object -comObject gpmGMT.gpm
$constants = $gpm.getConstants()
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$gpmDomain = $gpm.GetDomain($domain.name,$null,$constants.useanydc)
$folderPath = get-location
$xmlReport = $folderPath.path + "\tempGPOReport.xml"
$reportFile = "EmptyGPOs.txt"
$tempLine = "GPO Name;OU Link Count;Linked OUs;Last Modified Date"
add-content -path $reportFile -value $tempLine -encoding ASCII
$allGPOs = get-SDMgpo -name *
foreach ($tempGPO in $allGPOs) {
$gpmGPO = $gpmDomain.GetGPO($tempGPO.ID)
$gpmGPO.GenerateReportToFile($constants.ReportXML,$xmlReport)
$myXMLFile = [xml](Get-Content $xmlReport)
$computerNodeProperties = $myXMLFile.GPO.Computer | gm
$computerConfigured = $false
foreach ($member in $computerNodeProperties) {
if (($member.MemberType -eq "Property") -and ($member.name -eq
"ExtensionData")) {
$computerConfigured = $true
}
}
$userNodeProperties = $myXMLFile.GPO.User | gm
$userConfigured = $false
foreach ($member in $userNodeProperties) {
if (($member.MemberType -eq "Property") -and ($member.name -eq
"ExtensionData")) {
$userConfigured = $true
}
}
if ($computerConfigured -or $userConfigured) {
#write-host "This is not an empty GPO"
} else {
write-host " EMPTY GPO: " + $tempGPO.name
$tempLine = $tempGPO.name + ";EMPTY;;" + $tempGPO.modificationtime
add-content -path $reportFile -value $tempLine -encoding ASCII
}
}
From: Free, Bob [mailto:[email protected]]
Sent: Friday, November 16, 2012 2:24 PM
To: NT System Admin Issues
Subject: RE: GPO Hell (Unlinked/Empty GPOs)
Web-
There are canned scripts for unlinked, orphaned, disabled and empty sec filter
but not empty settings as I recall.
Low-tech way if in a hurry would be run the GetReportsForAllGPOs.wsf and look
at the xml, the really small files would likely be empty. Very low tech but it
would show you where to look.
I'll have a peek at Darren's posh module but I don't think it does it either.
--bob
From: Webster [mailto:[email protected]]
Sent: Friday, November 16, 2012 1:15 PM
To: NT System Admin Issues
Subject: RE: GPO Hell (Unlinked/Empty GPOs)
Bob,
I thought one of the scripts also did empty GPOs?
Carl Webster
Consultant and Citrix Technology Professional
http://www.CarlWebster.com<http://www.carlwebster.com/>
From: Free, Bob [mailto:[email protected]]
Sent: Friday, November 16, 2012 3:01 PM
To: NT System Admin Issues
Subject: RE: GPO Hell (Unlinked/Empty GPOs)
FindUnlinkedGPOs.wsf in the GPMC scripts should solve the first issue. Have to
think about the second one a bit more :)
From: Guyer, Don [mailto:[email protected]]
Sent: Friday, November 16, 2012 12:38 PM
To: NT System Admin Issues
Subject: GPO Hell (Unlinked/Empty GPOs)
Greetings,
We have over 800 GPOs, org-wide, and I'm in cleanup mode. Have
been trying to find a script/utility to run that will list out unlinked GPOs
and/or ones with no settings. Haven't had much luck.
~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to
[email protected]<mailto:[email protected]>
with the body: unsubscribe ntsysadmin
________________________________
PG&E is committed to protecting our customers' privacy.
To learn more, please visit http://www.pge.com/about/company/privacy/customer/
________________________________
~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to
[email protected]<mailto:[email protected]>
with the body: unsubscribe ntsysadmin
~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected]
with the body: unsubscribe ntsysadmin
