List empty GPOs, advanced mode
(Automate trad)
In a previous post,we saw how list empty GPOs using GroupPolicy GPOReport module and then we briefly mentioned a second method to do so. We will now focus on this second method
Why try another method ?
The generation of a GPO report uses a lot of system resources and takes a considerable time in its use is not really an option if we list a number GPO , knowing that usually the corollary to ” many GPO ” is “A lot of shared resources .”
Inspect the object ActiveDirectory
The AD object storing a GPO groupPolicyContainer is the type we will look at its various members.
PS>get-adobject (Get-ADObject -Filter 'ObjectClass -eq "groupPolicyContainer"' -SearchBase 'CN=Policies,CN=System,DC=fabrikam,dc=com')[0].distinguishedName -properties * | get-member -membertype property
Here come the list :
- CanonicalName
- CN
- Created
- createTimeStamp
- Deleted
- Description
- DisplayName
- DistinguishedName
- dSCorePropagationData
- flags
- gPCFileSysPath
- gPCFunctionalityVersion
- gPCMachineExtensionNames
- gPCUserExtensionNames
- instanceType
- isCriticalSystemObject
- isDeleted
- LastKnownParent
- Modified
- modifyTimeStamp
- Name
- nTSecurityDescriptor
- ObjectCategory
- ObjectClass
- ObjectGUID
- ProtectedFromAccidentalDeletion
- sDRightsEffective
- showInAdvancedViewOnly
- systemFlags
- uSNChanged
- uSNCreated
- versionNumber
- whenChanged
- whenCreated
The members flag and gPCFileSysPath may interest us. Flag allows us to know if one or more of the GPO were disabled _ we do not have to use it in our _ and gPCFileSysPath case contains the data access of the GPO on the sysvol path .
GPO Storage
Look what’s in the directory stored by gPCFileSysPath :
PS> gci $gpo.gPCFileSysPath Directory: \\fabrikam.com\sysvol\fabrikam.com\Policies\{12345678-9ABC-EF01-234-56789ABCDEF0} Mode LastWriteTime Length Name ---- ------------- ------ ---- d---- 06/06/2011 11:54 Adm d---- 06/06/2011 12:39 MACHINE d---- 06/06/2011 12:39 USER -a--- 04/04/2013 13:31 28 gpt.ini
Both directories contain MACHINE and USER respectively Computer and User GPO settings and as we suspect GPO is empty when both directories are empty
To check the contents of a directory, we Castthe result of Get-CHildItem as a boolean or we use Test-Path.To determine the fastest method we will make a series of measures on cmdlets with full and empty GPO GPO.
PS> measure-command {test-path "$($gpo.gPCFileSysPath)\User\*"} Days : 0 Hours : 0 Minutes : 0 Seconds : 0 Milliseconds : 65 Ticks : 655303 TotalDays : 7,58452546296296E-07 TotalHours : 1,82028611111111E-05 TotalMinutes : 0,00109217166666667 TotalSeconds : 0,0655303 TotalMilliseconds : 65,5303 PS> measure-command {[bool](gci "$($gpo.gPCFileSysPath)\User") } Days : 0 Hours : 0 Minutes : 0 Seconds : 0 Milliseconds : 44 Ticks : 443332 TotalDays : 5,13115740740741E-07 TotalHours : 1,23147777777778E-05 TotalMinutes : 0,000738886666666667 TotalSeconds : 0,0443332 TotalMilliseconds : 44,3332 PS> measure-Command {test-path "$($gpo.gPCFileSysPath)\User"} Days : 0 Hours : 0 Minutes : 0 Seconds : 0 Milliseconds : 21 Ticks : 210956 TotalDays : 2,44162037037037E-07 TotalHours : 5,85988888888889E-06 TotalMinutes : 0,000351593333333333 TotalSeconds : 0,0210956 TotalMilliseconds : 21,0956 PS> measure-Command {[bool](gci "$($gpo.gPCFileSysPath)\User") } Days : 0 Hours : 0 Minutes : 0 Seconds : 0 Milliseconds : 35 Ticks : 356400 TotalDays : 4,125E-07 TotalHours : 9,9E-06 TotalMinutes : 0,000594 TotalSeconds : 0,03564 TotalMilliseconds : 35,64
In this sequence , the use of gci is faster for full gpo while test -path is faster empty gpo … Optimists , we consider that we shall meet GPO full as empty , so we use gci .
We can determine that a GPO is empty if the two component User and Machine are empty , so we use the following condition:
where-object { [bool]( gci "$($_.gPCFileSysPath)\User") -eq $false -and [bool](gci "$($_.gPCFileSysPath)\Machine") -eq $false }
put it all together
Here is the proposed ” oneliner ”
Leave a Reply