Very nice Hunter. Worked like a champ in a dev forest I have that has a number of abandoned test Unix GPOs.
Thanks! From: Coleman, Hunter [mailto:[email protected]] Sent: Friday, November 16, 2012 2:05 PM To: NT System Admin Issues Subject: RE: GPO Hell (Unlinked/Empty GPOs) This is what I use to check for empty GPOs. It checks the XML report for empty user configuration and computer configuration sections, and dumps the name and last modified timestamp of the empty GPOs to an output file. Darren had posted a while back on his GPTalk list that checking for empty user and computer configuration settings isn't 100% accurate, but I haven't had a chance to follow up and see what the edge cases are. Regardless, I end up checking the GPOs that get flagged as empty before I delete them just to be sure. #System Requirements: # SDM Group Policy cmdlets # Group Policy Management Console (GPMC.msc) # Powershell v2 #--------------------------------------------------------------- #--------------------------------------------------------------- #requires -version 2 $gpm = new-object -comObject gpmGMT.gpm $constants = $gpm.getConstants() $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain() $gpmDomain = $gpm.GetDomain($domain.name,$null,$constants.useanydc) $folderPath = get-location $xmlReport = $folderPath.path + "\tempGPOReport.xml" $reportFile = "EmptyGPOs.txt" $tempLine = "GPO Name;OU Link Count;Linked OUs;Last Modified Date" add-content -path $reportFile -value $tempLine -encoding ASCII $allGPOs = get-SDMgpo -name * foreach ($tempGPO in $allGPOs) { $gpmGPO = $gpmDomain.GetGPO($tempGPO.ID) $gpmGPO.GenerateReportToFile($constants.ReportXML,$xmlReport) $myXMLFile = [xml](Get-Content $xmlReport) $computerNodeProperties = $myXMLFile.GPO.Computer | gm $computerConfigured = $false foreach ($member in $computerNodeProperties) { if (($member.MemberType -eq "Property") -and ($member.name -eq "ExtensionData")) { $computerConfigured = $true } } $userNodeProperties = $myXMLFile.GPO.User | gm $userConfigured = $false foreach ($member in $userNodeProperties) { if (($member.MemberType -eq "Property") -and ($member.name -eq "ExtensionData")) { $userConfigured = $true } } if ($computerConfigured -or $userConfigured) { #write-host "This is not an empty GPO" } else { write-host " EMPTY GPO: " + $tempGPO.name $tempLine = $tempGPO.name + ";EMPTY;;" + $tempGPO.modificationtime add-content -path $reportFile -value $tempLine -encoding ASCII } } From: Free, Bob [mailto:[email protected]] Sent: Friday, November 16, 2012 2:24 PM To: NT System Admin Issues Subject: RE: GPO Hell (Unlinked/Empty GPOs) Web- There are canned scripts for unlinked, orphaned, disabled and empty sec filter but not empty settings as I recall. Low-tech way if in a hurry would be run the GetReportsForAllGPOs.wsf and look at the xml, the really small files would likely be empty. Very low tech but it would show you where to look. I'll have a peek at Darren's posh module but I don't think it does it either. --bob From: Webster [mailto:[email protected]] Sent: Friday, November 16, 2012 1:15 PM To: NT System Admin Issues Subject: RE: GPO Hell (Unlinked/Empty GPOs) Bob, I thought one of the scripts also did empty GPOs? Carl Webster Consultant and Citrix Technology Professional http://www.CarlWebster.com<http://www.carlwebster.com/> From: Free, Bob [mailto:[email protected]] Sent: Friday, November 16, 2012 3:01 PM To: NT System Admin Issues Subject: RE: GPO Hell (Unlinked/Empty GPOs) FindUnlinkedGPOs.wsf in the GPMC scripts should solve the first issue. Have to think about the second one a bit more :) From: Guyer, Don [mailto:[email protected]] Sent: Friday, November 16, 2012 12:38 PM To: NT System Admin Issues Subject: GPO Hell (Unlinked/Empty GPOs) Greetings, We have over 800 GPOs, org-wide, and I'm in cleanup mode. Have been trying to find a script/utility to run that will list out unlinked GPOs and/or ones with no settings. Haven't had much luck. ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected]<mailto:[email protected]> with the body: unsubscribe ntsysadmin ________________________________ PG&E is committed to protecting our customers' privacy. To learn more, please visit http://www.pge.com/about/company/privacy/customer/ ________________________________ ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected]<mailto:[email protected]> with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected]<mailto:[email protected]> with the body: unsubscribe ntsysadmin PG&E is committed to protecting our customers' privacy. To learn more, please visit http://www.pge.com/about/company/privacy/customer/ ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
