
Windows Server 2008 and Windows Vista : GPMC Scripts - Finding GPOs Based on Parameters

11/13/2013 8:33:39 PM

Sometimes you know what you are looking for, but you are not certain which GPOs contain the information. These scripts allow you to find GPOs based on general criteria.

1. FindDisabledGPOs.wsf

This script lists GPOs for which all or part of the GPO is disabled, including the computer settings, the user settings, or the entire GPO.

Syntax
Usage: finddisabledgpos.wsf

Example & Output

This script lists all GPOs that are disabled.

cscript finddisabledgpos.wsf
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.

== GPOs that are completely disabled ==
{1EED9871-27D9-4741-91AF-13821272BDDA} - Hardened Server GPO
== GPOs with the computer settings disabled ==
== GPOs with the user settings disabled ==

2. FindDuplicateNamedGPOs.wsf

This script finds GPOs with duplicate names. Neither Microsoft Windows Server 2003 nor Windows Server 2008 permits duplicate names.

Syntax
Usage: FindDuplicateNamedGPOs.wsf

Example & Output

This script finds all duplicated GPO names.

cscript FindDuplicateNamedGPOs.wsf
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.

Looking for GPOs with duplicate names in Fabrikam.com
No duplicate named GPOs found.

3. FindGPOsByPolicyExtension.wsf

This script searches for all GPOs in the specified domain that have defined settings for the specified policy extension. The policy extension can be either the friendly name or the GUID for the client-side extension (CSE).

Syntax
Usage: FindGPOsByPolicyExtension.wsf ExtensionID [/PrintCSEList] [/Domain:value]
ExtensionID: GUID or friendly name of the client-side extension (CSE) for which to query.
PrintCSEList: Prints the list of available CSEs.
Domain: DNS name of domain.


Example & Output

This script lists the name and GUID for all configured CSEs in the GPOs within the domain.

cscript FindGPOsByPolicyExtension.wsf /PrintCSEList
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.

The following client side extensions are registered locally:
{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63} - Wireless Group Policy
{25537BA6-77A8-11D2-9B6C-0000F8080861} - Folder Redirection
{35378EAC-683F-11D2-A89A-00C04FBBCFA2} - Registry
{3610eda5-77ef-11d2-8dc5-00c04fa31a66} - Microsoft Disk Quota
{426031c0-0b47-4852-b0ca-ac3d37bfcb39} - QoS Packet Scheduler
{42B5FAAE-6536-11d2-AE5A-0000F87571E3} - Scripts
{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3} - Internet Explorer Zonemapping
{7933F41E-56F8-41d6-A31C-4148A711EE93} - Windows Search Group Policy Extension
{827D319E-6EAC-11D2-A4EA-00C04F79F83A} - Security
{8A28E2C5-8D06-49A4-A08C-632DAA493E17} - Deployed Printer Connections
{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B} - Internet Explorer Branding
{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A} - EFS recovery
{B587E2B1-4D59-4e7e-AED9-22B9DF11D053} - 802.3 Group Policy
{C631DF4C-088F-4156-B058-4375F0853CD8} - Microsoft Offline Files
{c6dc5466-785a-11d2-84d0-00c04fb169f7} - Software Installation
{e437bc1c-aa7d-11d2-a382-00c04f991e27} - Internet Protocol Security Policies
{FB2CA36D-0B40-4307-821B-A13B252DE56C} - Policy-based QoS


4. FindGPOsBySecurityGroup.wsf

This script prints a list of all GPOs on which a given security group has the permission you specify on the command line. To narrow the list to GPOs that have a specific permission for that security group, supply the permission level "Read," "Apply," "Edit," "FullEdit," or "None."

Syntax
Usage: FindGPOsBySecurityGroup.wsf GroupName /Permission:value [/Effective] [/None] [/Domain:value]
GroupName: Security principal on which to search.
Permission: Permission level to find. Can be "Read," "Apply," "Edit," "FullEdit," or "None."
Effective: Displays effective permissions, taking group membership into account.
None: Displays the GPOs for which the security principal does not have the specified permission level.
Domain: DNS name of domain.


Example & Output

This example lists all GPOs in the domain on which the Server Operators security group has effective Edit permission.

cscript FindGPOsBySecurityGroup.wsf "Server Operators" /Permission:Edit /effective
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.

Searching for all GPOs with effective Edit permissions for Server Operators
== 2 GPOs found ==
Hardened Server GPO
{00713EC8-BFE8-435F-93A4-E287A067EBA9}
Server GPO
{28EC2415-CF96-46AE-9301-CA60011D5F19}
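
Edit rights on a GPO are worth comparing against what was intentionally delegated. The following is an added example, not part of the GPMC scripts: it parses saved FindGPOsBySecurityGroup.wsf output (a name line followed by a GUID line) and reports grants missing from an approved baseline. The baseline structure, GUIDs and GPO names are constructed for illustration, and accepting a singular "GPO found" header is an assumption.

```python
import re

GUID_LINE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
COUNT = re.compile(r"^==\s*(\d+)\s+GPOs?\s+found\s*==$")

def parse_group_report(text):
    """Return {GUID: display name} from one FindGPOsBySecurityGroup run.
    Each GPO is printed as a name line followed by a GUID line."""
    declared, gpos, previous = None, {}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        count = COUNT.match(line)
        if count:
            declared = int(count.group(1))
        elif GUID_LINE.match(line) and previous is not None:
            gpos[line.upper()] = previous
        previous = line
    # A mismatch with the "== N GPOs found ==" header means truncated output.
    if declared is not None and declared != len(gpos):
        raise ValueError(f"header says {declared} GPOs, parsed {len(gpos)}")
    return gpos

def outside_baseline(reports, approved):
    """reports: {group: script output}; approved: {group: set of GUIDs}.
    Returns sorted (group, GUID, name) for grants missing from the baseline."""
    findings = []
    for group, text in reports.items():
        allowed = {g.upper() for g in approved.get(group, ())}
        for guid, name in parse_group_report(text).items():
            if guid not in allowed:
                findings.append((group, guid, name))
    return sorted(findings)

# Constructed sample output and baseline (GUIDs and names are made up).
REPORTS = {
    "Server Operators": """Searching for all GPOs with effective Edit permissions for Server Operators
        == 2 GPOs found ==
        Hardened Baseline
        {33333333-AAAA-4BBB-8CCC-000000000001}
        Member Server Settings
        {33333333-AAAA-4BBB-8CCC-000000000002}""",
}
APPROVED = {"Server Operators": {"{33333333-aaaa-4bbb-8ccc-000000000002}"}}

if __name__ == "__main__":
    for group, guid, name in outside_baseline(REPORTS, APPROVED):
        print(f"{group} can edit {name} {guid}: not in the approved baseline")
```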


5. FindGPOsWithNoSecurityFiltering.wsf

This script lists all of the GPOs that are not configured to apply to any object, which is determined by whether the Apply Group Policy permission is set. This is useful for finding GPOs that might have been created for testing but were designed to be functional in the production domain after the test was completed.

Syntax
Usage: FindGPOsWithNoSecurityFiltering.wsf

Example & Output

This script lists all GPOs that do not affect any object, as a result of omission of the Apply Group Policy permission.

cscript FindGPOsWithNoSecurityFiltering.wsf
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.

GPOs in Fabrikam.com that are missing 'Apply' rights:
{D0A29BFC-1109-4449-A138-B1533DD86EE3} – TestServer

6. FindOrphanedGPOsInSysvol.wsf

This script finds and prints all GPOs in SYSVOL that have no corresponding Active Directory portion of the GPO. Although this is not a common issue, if the Active Directory portion of the GPO is deleted in some manner, the GPO will fail to process and will not be functional.

Syntax
Usage: FindOrphanedGPOsinSysvol.wsf /Domain:value
Domain: DNS name of domain.

Example

This script lists all GPOs that are missing the GPC portion of the GPO.

cscript FindOrphanedGPOsinSysvol.wsf /Domain:fabrikam.com
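
The comparison behind this check, as an added example that is not the script's own code: GUID-named folders under the SYSVOL Policies folder are compared with a caller-supplied list of GPO GUIDs taken from Active Directory. It goes one step beyond the script by also reporting the reverse mismatch. The function names, the way the Active Directory list is obtained, and all GUIDs are assumptions constructed for illustration.

```python
import os
import re
import tempfile

GUID_DIR = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

def sysvol_gpo_folders(policies_dir):
    """GUID-named folders under <SYSVOL>\\<domain>\\Policies, upper-cased.
    Anything else (for example a PolicyDefinitions central store) is skipped."""
    return {e.name.upper() for e in os.scandir(policies_dir)
            if e.is_dir() and GUID_DIR.match(e.name)}

def compare_gpo_halves(policies_dir, ad_gpo_guids):
    """ad_gpo_guids: GUIDs of the GPO objects in Active Directory (caller-supplied)."""
    in_sysvol = sysvol_gpo_folders(policies_dir)
    in_ad = {g.strip().upper() for g in ad_gpo_guids if g.strip()}
    return {
        "sysvol_only": sorted(in_sysvol - in_ad),  # orphaned in SYSVOL
        "ad_only": sorted(in_ad - in_sysvol),      # AD object without a SYSVOL folder
    }

def demo():
    """Build a constructed Policies folder and compare it with a constructed AD list."""
    with tempfile.TemporaryDirectory() as policies:
        for name in ("{22222222-AAAA-4BBB-8CCC-000000000001}",
                     "{22222222-aaaa-4bbb-8ccc-000000000002}",  # case differs from AD
                     "{22222222-AAAA-4BBB-8CCC-000000000003}",  # no AD counterpart
                     "PolicyDefinitions"):                      # not a GPO
            os.mkdir(os.path.join(policies, name))
        ad_list = ["{22222222-AAAA-4BBB-8CCC-000000000001}",
                   "{22222222-AAAA-4BBB-8CCC-000000000002}",
                   "{22222222-AAAA-4BBB-8CCC-000000000004}"]    # no SYSVOL folder
        return compare_gpo_halves(policies, ad_list)

if __name__ == "__main__":
    print(demo())
```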

7. FindSOMsWithExternalGPOLinks.wsf

This script searches for SOMs with links to GPOs that exist in different domains. This will most commonly appear for sites, which can have links to GPOs from other domains.

Syntax
Usage: FindSOMsWithExternalGPOLinks.wsf

8. FindUnlinkedGPOs.wsf

This script finds any GPOs that are not linked to the domain or OU within Active Directory. Site links and links to other domain nodes are not included in the results.

Syntax
Usage: FindUnlinkedGPOs.wsf

Example & Output

This script lists all GPOs that exist in the domain but are not linked to any nodes within Active Directory.

cscript FindUnlinkedGPOs.wsf
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.

== GPOs that are not linked anywhere in Fabrikam.com ==
NOTE: links to sites, as well as external domains, will not be checked.
{8771E61D-7E96-4887-926B-10CAD1FEFBF1} - Test Group Policy Object
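
FindDisabledGPOs.wsf, FindGPOsWithNoSecurityFiltering.wsf and FindUnlinkedGPOs.wsf all print "{GUID} - Name" lines, so their saved output can be merged by GUID to see which GPOs more than one script reports. The following is an added example, not part of the GPMC scripts; the function names, domain name, GUIDs and GPO names are constructed for illustration.

```python
import re
from collections import defaultdict

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
ITEM = re.compile(rf"^({GUID})\s+[-\u2013]\s+(.+)$")  # "{GUID} - Display name"
SECTION = re.compile(r"^==\s*(.+?)\s*==$")            # "== section title =="

def parse_report(text):
    """Return [(guid, name, section)] for each GPO line in one script's output."""
    section, rows = "", []
    for line in map(str.strip, text.splitlines()):
        header, item = SECTION.match(line), ITEM.match(line)
        if header:
            section = header.group(1)
        elif item:
            rows.append((item.group(1).upper(), item.group(2), section))
    return rows

def correlate(reports):
    """Merge {script: output} into {guid: {"name": ..., "findings": {script: section}}}."""
    merged = defaultdict(lambda: {"name": None, "findings": {}})
    for script, text in reports.items():
        for guid, name, section in parse_report(text):
            merged[guid]["name"] = name
            merged[guid]["findings"][script] = section
    return dict(merged)

def flagged_by_several(merged, minimum=2):
    """GUIDs reported by at least `minimum` different scripts, sorted."""
    return sorted(g for g, v in merged.items() if len(v["findings"]) >= minimum)

# Constructed sample output (domain, GUIDs and names are made up for this example).
SAMPLE = {
    "FindDisabledGPOs": """== GPOs that are completely disabled ==
        {11111111-AAAA-4BBB-8CCC-000000000001} - Old Kiosk Lockdown
        == GPOs with the user settings disabled ==
        {11111111-AAAA-4BBB-8CCC-000000000002} - Server Baseline""",
    "FindGPOsWithNoSecurityFiltering": """GPOs in example.test that are missing 'Apply' rights:
        {11111111-aaaa-4bbb-8ccc-000000000001} – Old Kiosk Lockdown""",
    "FindUnlinkedGPOs": """== GPOs that are not linked anywhere in example.test ==
        {11111111-AAAA-4BBB-8CCC-000000000001} - Old Kiosk Lockdown
        {11111111-AAAA-4BBB-8CCC-000000000003} - Pilot Firewall Rules""",
}

if __name__ == "__main__":
    merged = correlate(SAMPLE)
    for guid in flagged_by_several(merged):
        print(guid, merged[guid]["name"], sorted(merged[guid]["findings"]), sep=" | ")
```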