Active Directory Group Policy Health Check Items (Part 1)

Published on 2 Feb. 2017 / Last Updated on 2 Feb. 2017

While you might have designed an Active Directory health procedure that includes the important Active Directory items to be checked and keeps you informed of any failures or misconfigurations, there are a few health check items that many Active Directory admins forget to include. For example, you might have included a PowerShell script in your Active Directory health procedure that checks the replication status of Active Directory and provides you with a replication status report, and you might also have included a script that checks that the SRV records for all domain controllers are registered successfully, but you might have forgotten to include a few Group Policy health checks that we feel are important to perform in an Active Directory environment.

Tip: We explained earlier why it is important to have SRV records for all domain controllers registered in the DNS Server. We also provided a PowerShell script that you can use to collect the registered SRV records and the missing SRV records for each domain controller.

We feel that there are a few more important directory checks that you should be performing, so that every aspect of Active Directory is checked, the Active Directory environment runs smoothly, and the other applications that rely on Active Directory for authentication and authorization keep working.

In a large production Active Directory environment with hundreds of Group Policy Objects, it becomes difficult to ensure that the GPOs are configured appropriately. When it comes to performing a health check for Group Policy Objects, there are at least eight important Group Policy checks that you should always perform, as listed below:

• How many GPOs are configured with WMI Filters and are they configured properly?
• Have you taken backup of GPOs?
• How many GPOs are disabled and why are they disabled?
• How many GPOs are not applying?
• Do your GPOs have a description text set so that each GPO can be identified easily?
• Do the GPOs follow the standard naming convention and are they configured with short names?
• Do you have Block Policy Inheritance configured, and is it set only where required?
• How many GPOs have No Override options set?

While you can run small PowerShell commands to collect the required information from Active Directory and keep the production GPOs healthy, you still need to design PowerShell scripts so that the output is reported in a CSV file of your choice and the report lists only the required data. For example, when retrieving the list of GPOs that have WMI filters configured, you want the output to contain only the GPOs that have WMI filters configured, not all of them. Similarly, when gathering the list of GPOs that have not been backed up, you want to see only the GPOs that have not been backed up, not the GPOs that have been backed up recently.
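As an added example (not the article's Dynamic Pack script), the function below makes one pass over a domain and evaluates several of the eight checks above in a single report, writing only the failing rows to CSV; the GroupPolicy and ActiveDirectory cmdlets are real, while the output path and the 64-character name limit are assumptions.

```powershell
# Added example, not the Dynamic Pack script from the article: one pass over a domain that
# evaluates several of the eight checks listed above and writes only the failing rows to CSV.
# Assumes the GroupPolicy and ActiveDirectory RSAT modules; the output path and the
# 64-character name limit are assumptions, not values from the article.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-GpoHealthFindings {
    param(
        [string]$Domain        = $env:USERDNSDOMAIN,
        [string]$ReportPath    = 'C:\Temp\GPOHealthFindings.csv',
        [int]   $MaxNameLength = 64
    )
    $findings = @(foreach ($gpo in Get-GPO -All -Domain $Domain) {
        # The XML report carries one LinksTo element per site/domain/OU the GPO is linked to
        [xml]$report = Get-GPOReport -Guid $gpo.Id -Domain $Domain -ReportType Xml
        $links  = @($report.GPO.LinksTo | Where-Object { $null -ne $_ })
        $issues = @()
        if ([string]::IsNullOrWhiteSpace($gpo.Description))    { $issues += 'NoDescription' }
        if ($gpo.GpoStatus -eq 'AllSettingsDisabled')           { $issues += 'Disabled' }
        if ($links.Count -eq 0)                                 { $issues += 'NotLinked' }
        if ($links | Where-Object { $_.NoOverride -eq 'true' }) { $issues += 'NoOverride' }
        if ($gpo.DisplayName.Length -gt $MaxNameLength)         { $issues += 'LongName' }
        # A WMI filter is recorded by name so that the filter query can be reviewed by hand
        if ($gpo.WmiFilter) { $issues += "WmiFilter:$($gpo.WmiFilter.Name)" }
        foreach ($issue in $issues) {
            [pscustomobject]@{ Domain = $Domain; Object = $gpo.DisplayName; Issue = $issue }
        }
    })
    # Block Policy Inheritance is a container setting, so it is checked per OU rather than per GPO
    $findings += @(Get-ADOrganizationalUnit -Filter * -Server $Domain |
        ForEach-Object { Get-GPInheritance -Target $_.DistinguishedName -Domain $Domain } |
        Where-Object { $_.GpoInheritanceBlocked } |
        ForEach-Object { [pscustomobject]@{ Domain = $Domain; Object = $_.Path; Issue = 'BlockInheritance' } })
    # Only rows that need attention reach the report, which is what the article recommends
    $findings | Export-Csv -Path $ReportPath -NoTypeInformation
    return $findings
}

# Summary count per finding type for the current user's domain
Get-GpoHealthFindings | Group-Object -Property Issue | Select-Object Name, Count
```

Backups are not covered here because Get-GPO does not expose the last backup time; compare the GPO list against the manifest of your Backup-GPO folder for that check.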

We have worked on a few GPO PowerShell scripts that you might find useful to include in your daily Active Directory health check procedure. In Part 1 of this article series, we explain how to report on Group Policy Objects that do not have a description text set. In Part 2 and subsequent parts we will explain how to use several PowerShell scripts to retrieve the list of Group Policy Objects that are configured in the domains but do not apply to any objects, to retrieve the list of GPOs that have WMI filters configured and ensure those WMI filters are configured properly, and so on.


### Start Script ###

# Variables expected from the calling Dynamic Pack framework (not defined in this excerpt):
# $GDomList (file with one domain name per line), $HitWin2012DC, $CredInputForPS, $PrefDCFile,
# $PDCListFile, $Creds, $TestCSVFile, $ADTestName and $TestStartTime.
$TotNo = 0
$ItemCount = 0
$TestText = ""
$TestStatus = ""
$SumVal = ""
$ErrorOrNot = "No"

ForEach ($ThisDomain in Get-Content "$GDomList")
{
    # Pick the domain controller to query for this domain, either from the
    # preferred-DC file or from the PDC list file.
    $PDCServerToConnect = "Unknown"
    IF ($HitWin2012DC -eq "Yes" -and $CredInputForPS -eq "File")
    {
        $PDCCSV = Import-CSV $PrefDCFile
        ForEach ($ItemNow in $PDCCSV)
        {
            IF ($ItemNow.Domain -eq $ThisDomain)
            {
                $PDCServerToConnect = $ItemNow.'Preferred Domain Controller'
                break
            }
        }
    }
    else
    {
        $PDCCSV = Import-CSV $PDCListFile
        ForEach ($ItemNow in $PDCCSV)
        {
            IF ($ItemNow.Domain -eq $ThisDomain)
            {
                $PDCServerToConnect = $ItemNow.PDCServer
                break
            }
        }
    }

    # Ask the domain controller for the GPOs of this domain that have no description text.
    $Error.Clear()
    $AllGPODes = Invoke-Command -ComputerName $PDCServerToConnect -Credential $Creds -ArgumentList $ThisDomain -ScriptBlock {
        param($R1Now)
        Get-GPO -All -Domain $R1Now | Where-Object { [string]::IsNullOrWhiteSpace($_.Description) }
    }

    IF ($Error.Count -ne 0)
    {
        $ErrorOrNot = "Yes"
    }

    IF ($ErrorOrNot -eq "Yes")
    {
        $TestText = "Please check to make sure a Domain Controller is reachable to execute Dynamic Pack."
        $SumVal = ""
        $TestStatus = "Error executing Dynamic Pack."
    }
    else
    {
        $Items = @($AllGPODes)
        $ItemCount = $Items.Count
        $SumVal = $ItemCount

        # Write one CSV line per GPO returned; every GPO returned lacks a description.
        ForEach ($ThisItem in $Items)
        {
            $StatusNow = "Ok"
            IF ([string]::IsNullOrWhiteSpace($ThisItem.Description))
            {
                $TotNo++
                $StatusNow = "Not Ok"
            }
            $FinalVal = $ThisDomain + "," + $PDCServerToConnect + "," + $ThisItem.DisplayName + "," + $ThisItem.Description + "," + $StatusNow
            Add-Content "$TestCSVFile" $FinalVal
        }

        IF ($TotNo -gt 0)
        {
            $TestText = "Some GPOs do not have a description set. It is recommended to set a description for each GPO to identify the function of the GPO easily."
            $TestStatus = "Medium"
            $SumVal = $TotNo
        }
        else
        {
            $TestText = "All GPOs are defined with a description text."
            $TestStatus = "Passed"
            $SumVal = $TotNo
        }
    }
}

# Summary line consumed by the Dynamic Pack framework.
$STR = $ADTestName + "," + $TestStartTime + "," + $TestStatus + "," + $SumVal + "," + $TestText

### End Script ###


Once the script has finished executing for all domains, a report file is generated in CSV format, as shown in Figure 1 below. The report file name is RVRecordsStatus.CSV and it is located at C:\Temp.


 
Figure 1 – Showing CSV Report generated by the PowerShell Script



As you can see in the report generated by the script, the script reported "WARNING" in the "Final Status" column for the domain controllers that have SRV records missing. As shown in the report above, the domain controllers DC3.ITDynamicPacks.Net, DC4.ITDynamicPacks.Net and DC7.ITDynamicPacks.Net have LDAP SRV records missing in the DNS domain zone. Once you have the SRV report, you can register the missing SRV records in the DNS Server to ensure Active Directory operates smoothly.

If you are using Active Directory Health Profiler, you can execute the Domain Controller Individual SRV Records Test Dynamic Pack against an Active Directory forest or a domain to show the status of the SRV records in the Active Directory Health Profiler console, as shown in Figure 2 below.



 
Figure 2 – Showing SRV Records Status for each domain controller in AD Health Profiler


Note that a Group Policy Object is of no use if it doesn't apply to any user or computer objects. In other words, creating a huge number of GPOs that do not apply may lead to unnecessary processing by the client-side extensions on the Windows clients, which are responsible for processing the GPOs.


Summary

We explained the importance of SRV records in an Active Directory environment. Domain controllers rely on the SRV records registered in the DNS Server to perform important functions such as replicating changes and allowing Active Directory clients to locate domain controller services. Any application that uses SRV records to find a domain controller will fail if the SRV records for the domain controllers are not registered.
We provided a PowerShell script that you can use to collect a report on the SRV records for all domain controllers and fix the missing ones easily.


The Author — Nirmal Sharma

Nirmal Sharma is an MCSEx3 and MCITP and was awarded the Microsoft MVP award in Directory Services and Windows Networking. He specializes in Microsoft Azure, Office 365, Directory Services, Failover Clusters, Hyper-V, PowerShell scripting and System Center products. Nirmal has been involved with Microsoft technologies since 1994. In his spare time, he likes to help others and share some of his knowledge by writing tips and articles on various sites and contributing to PowerShell-based Dynamic Packs for www.ITDynamicPacks.Net solutions.