Sometimes you know what you are looking for, but you are not certain which GPOs contain the information. These scripts allow you to find GPOs based on general criteria.
1. FindDisabledGPOs.wsf
This script lists GPOs for which all or part of the GPO is disabled, including the computer settings, the user settings, or the entire GPO.
Syntax
Usage: finddisabledgpos.wsf
Example & Output
This script lists all GPOs that are disabled.
cscript finddisabledgpos.wsf
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.
== GPOs that are completely disabled ==
{1EED9871-27D9-4741-91AF-13821272BDDA} - Hardened Server GPO
== GPOs with the computer settings disabled ==
== GPOs with the user settings disabled ==
2. FindDuplicateNamedGPOs.wsf
This script finds GPOs with duplicate names. Neither Microsoft Windows Server 2003 nor Windows Server 2008 permits duplicate names.
Syntax
Usage: FindDuplicateNamedGPOs.wsf
Example & Output
This script finds all duplicated GPO names.
cscript FindDuplicateNamedGPOs.wsf
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.
Looking for GPOs with duplicate names in Fabrikam.com
No duplicate named GPOs found.
3. FindGPOsByPolicyExtension.wsf
This script searches for all GPOs in the specified domain that have defined settings for the specified policy extension. The policy extension can be either the friendly name or the GUID for the client-side extension (CSE).
Syntax
Usage: FindGPOsByPolicyExtension.wsf ExtensionID [/PrintCSEList] [/Domain:value]
ExtensionID: GUID or friendly name of the client-side extension (CSE) for which to query.
PrintCSEList: Prints the list of available CSEs.
Domain: DNS name of domain.
Example & Output
This script lists the name and GUID for all configured CSEs in the GPOs within the domain.
cscript FindGPOsByPolicyExtension.wsf /PrintCSEList
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.
The following client side extensions are registered locally:
{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63} - Wireless Group Policy
{25537BA6-77A8-11D2-9B6C-0000F8080861} - Folder Redirection
{35378EAC-683F-11D2-A89A-00C04FBBCFA2} - Registry
{3610eda5-77ef-11d2-8dc5-00c04fa31a66} - Microsoft Disk Quota
{426031c0-0b47-4852-b0ca-ac3d37bfcb39} - QoS Packet Scheduler
{42B5FAAE-6536-11d2-AE5A-0000F87571E3} - Scripts
{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3} - Internet Explorer Zonemapping
{7933F41E-56F8-41d6-A31C-4148A711EE93} - Windows Search Group Policy Extension
{827D319E-6EAC-11D2-A4EA-00C04F79F83A} - Security
{8A28E2C5-8D06-49A4-A08C-632DAA493E17} - Deployed Printer Connections
{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B} - Internet Explorer Branding
{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A} - EFS recovery
{B587E2B1-4D59-4e7e-AED9-22B9DF11D053} - 802.3 Group Policy
{C631DF4C-088F-4156-B058-4375F0853CD8} - Microsoft Offline Files
{c6dc5466-785a-11d2-84d0-00c04fb169f7} - Software Installation
{e437bc1c-aa7d-11d2-a382-00c04f991e27} - Internet Protocol Security Policies
{FB2CA36D-0B40-4307-821B-A13B252DE56C} - Policy-based QoS
4. FindGPOsBySecurityGroup.wsf
This script prints a list of all GPOs on which a given security group has the permission you specify in the command line. If you want to find just the list of GPOs that have a specified permission for that security group, you can input the permission level “Read,” “Apply,” “Edit,” “FullEdit,” or “None.”
Syntax
Usage: FindGPOsBySecurityGroup.wsf GroupName /Permission:value [/Effective] [/None] [/Domain:value]
GroupName: Security principal on which to search.
Permission: Permission level to find. Can be "Read," "Apply," "Edit," "FullEdit," or "None."
Effective: Displays effective permissions, taking group membership into account.
None: Displays the GPOs for which the security principal does not have the specified permission level.
Domain: DNS name of domain.
Example & Output
This script lists all GPOs in the domain on which the Server Operators security group has the Edit permission.
cscript FindGPOsBySecurityGroup.wsf "Server Operators" /Permission:Edit /effective
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.
Searching for all GPOs with effective Edit permissions for Server Operators
== 2 GPOs found ==
Hardened Server GPO
{00713EC8-BFE8-435F-93A4-E287A067EBA9}
Server GPO
{28EC2415-CF96-46AE-9301-CA60011D5F19}
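The same delegation question can be asked for every trustee at once, which matters because edit rights on a GPO amount to control over every computer and user the GPO applies to. The following is an added example, not one of the GPMC sample scripts; it assumes the GroupPolicy PowerShell module (installed with GPMC/RSAT) on a domain-joined host, and the function name Get-GpoEditDelegation is hypothetical. It reads the explicit permission entries only, so unlike /Effective it does not expand group membership.

```powershell
# Added example: list every trustee that holds edit-level rights on any GPO
# in the current domain. Assumes the GroupPolicy module and a domain-joined host.
Import-Module GroupPolicy

function Get-GpoEditDelegation {
    # Permission levels that allow changing the contents of a GPO.
    $editLevels = 'GpoEdit', 'GpoEditDeleteModifySecurity'

    foreach ($gpo in Get-GPO -All) {
        Get-GPPermission -Guid $gpo.Id -All |
            Where-Object {
                $editLevels -contains $_.Permission.ToString() -and -not $_.Denied
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Trustee    = $_.Trustee.Name
                    TrusteeSid = $_.Trustee.Sid.Value
                    Permission = $_.Permission
                    Inherited  = $_.Inherited
                    Gpo        = $gpo.DisplayName
                    GpoId      = $gpo.Id
                }
            }
    }
}

# Sort by trustee so that delegations outside the expected admin groups stand out.
Get-GpoEditDelegation | Sort-Object Trustee, Gpo | Format-Table -AutoSize
```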
5. FindGPOsWithNoSecurityFiltering.wsf
This script lists all of the GPOs that are not configured to apply to objects. This is determined based on whether the Apply Group Policy permission is set. This is useful for finding GPOs that might have been created for testing but were designed to be functional in the production domain after the test was completed.
Syntax
Usage: FindGPOsWithNoSecurityFiltering.wsf
Example & Output
This script lists all GPOs that do not affect any object, as a result of omission of the Apply Group Policy permission.
cscript FindGPOsWithNoSecurityFiltering.wsf
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.
GPOs in Fabrikam.com that are missing 'Apply' rights:
{D0A29BFC-1109-4449-A138-B1533DD86EE3} - TestServer
6. FindOrphanedGPOsInSysvol.wsf
This script finds and prints all GPOs in SYSVOL with no corresponding Active Directory portion of the GPO. Although this is not a common issue, if the Active Directory portion of the GPO is deleted in some manner, the GPO will fail to process and will not be functional.
Syntax
Usage: FindOrphanedGPOsinSysvol.wsf /Domain:value
Domain: DNS name of domain.
Example
This script lists all GPOs that are missing the GPC portion of the GPO.
cscript FindOrphanedGPOsinSysvol.wsf /Domain:fabrikam.com
7. FindSOMsWithExternalGPOLinks.wsf
This script searches for scopes of management (SOMs) with links to GPOs that exist in different domains. This will most commonly appear for sites, which can have links to GPOs from other domains.
Syntax
Usage: FindSOMsWithExternalGPOLinks.wsf
8. FindUnlinkedGPOs.wsf
This script finds any GPOs that are not linked to the domain or OU within Active Directory. Site links and links to other domain nodes are not included in the results.
Syntax
Usage: FindUnlinkedGPOs.wsf
Example & Output
This script lists all GPOs that exist in the domain but are not linked to any nodes within Active Directory.
cscript FindUnlinkedGPOs.wsf
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.
== GPOs that are not linked anywhere in Fabrikam.com ==
NOTE: links to sites, as well as external domains, will not be checked.
{8771E61D-7E96-4887-926B-10CAD1FEFBF1} - Test Group Policy Object
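FindDisabledGPOs.wsf, FindGPOsWithNoSecurityFiltering.wsf and FindUnlinkedGPOs.wsf each report one condition; a GPO that shows up in more than one list is the strongest cleanup candidate. The following added example, which is not one of the GPMC sample scripts, checks all three conditions in one pass with the GroupPolicy PowerShell module. It assumes that module and a domain-joined host, and the function name Get-GpoCleanupCandidate is hypothetical.

```powershell
# Added example: flag GPOs that are disabled, unlinked, or have no Apply entry.
# Assumes the GroupPolicy module (GPMC/RSAT) and a domain-joined host.
Import-Module GroupPolicy

function Get-GpoCleanupCandidate {
    foreach ($gpo in Get-GPO -All) {
        $flags = @()

        # Disabled: GpoStatus is AllSettingsEnabled unless part or all of the GPO is off.
        if ($gpo.GpoStatus.ToString() -ne 'AllSettingsEnabled') {
            $flags += "Status:$($gpo.GpoStatus)"
        }

        # Unlinked: the XML report carries one LinksTo element per link it knows of.
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        if (-not $report.GPO.LinksTo) { $flags += 'Unlinked' }

        # No security filtering: no trustee is listed at the Apply level.
        $apply = Get-GPPermission -Guid $gpo.Id -All |
            Where-Object { $_.Permission.ToString() -eq 'GpoApply' }
        if (-not $apply) { $flags += 'NoApply' }

        if ($flags) {
            [pscustomobject]@{
                Id       = $gpo.Id
                Name     = $gpo.DisplayName
                Modified = $gpo.ModificationTime
                Flags    = $flags -join ', '
            }
        }
    }
}

# Oldest modification time first: long-untouched, multiply flagged GPOs top the list.
Get-GpoCleanupCandidate | Sort-Object Modified | Format-Table -AutoSize
```

Get-GPPermission reports a single permission level per trustee, so treat a NoApply flag as a prompt to check the GPO's Delegation tab in GPMC, not as proof that nothing receives the policy.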