Active Directory Group Policy Health Check Items (Part 3)

by [Published on 30 March 2017 / Last Updated on 30 March 2017]

In the Part 2 of this article series, we provided a PowerShell script that you can use to get a list of GPOs that are not applying to any objects in the Active Directory domain.

If you would like to read the first part in this article series please go to:

In the Part 1, we provided a list of Group Policy health check items that you should always consider including in your Active Directory Health check procedure. We explained two out of eight Group Policy health check items that you should always consider including in your Active Directory health check procedure. In Part 1, we also provided a PowerShell script that can help you get a list of GPOs that have WMI filters configured and then identify the GPOs that have incorrect WMI filters configured. 

In Part 3, we will focus on gathering a list of GPOs that are disabled in the Active Directory domains. Although Client Side Extensions, sometimes referred to as CSC, on Active Directory clients do not process disabled GPOs, but it makes no sense to keep large number of disabled GPOs in a production Active Directory environment. We are going to provide a PowerShell script that you can use to retrieve the list of Group Policy Objects that have been configured in the domains, but are set to disabled state.


Requirements

Before you run the script, please ensure to meet the requirements mentioned below:

  • Make sure to execute below PowerShell script from a computer running Windows Server 2012 or later Operating Systems. 
  • Since PowerShell script uses Get-GPO PowerShell cmdlet, please ensure to install Group Policy PowerShell Modules via Server Manager. All you need to do is enable GPMC feature, which, in turn, will install required Group Policy PowerShell modules.
  • PDC Emulator for each domain must be available in order to gather the list of GPOs and then check GPO status.


What does the script do?

The script performs the following functions:

  • Retrieves all domains from the current Active Directory forest.
  • Connects to the PDC emulator of each domain.
  • Executes Get-GPO PowerShell cmdlet to collect GPOs and their settings.
  • Checks to see how many GPOs are not applying.
  • Script output is generated in C:\Temp\DisabledGPOs.CSV file.


Script Contents

### Script Starts Here ###


$TotNo=0
$ItemCount=0
$TestText = ""
$TestStatus=""
$SumVal = ""
$GDomList = "C:\Temp\DomList.DPC"
Remove-item $GDomList -ErrorAction SilentlyContinue
$TestCSVFile = "C:\Temp\DisabledGPOs.CSV"
Remove-item $TestCSVFile -ErrorAction SilentlyContinue
$CurForestName = "TechGenix.com"
$R=Get-ADForest $CurForestName
ForEach ($DomName in $R.Domains)
{ 
Add-Content $GDomList $DomName
}
ForEach ($ThisDomain in Get-Content "$GDomList")
{
$PDCServerToConnect = "Unknown"
IF ($HitWin2012DC -eq "Yes" -and $CredInputForPS -eq "File")
{
$PDCCSV = Import-CSV $PrefDCFile
ForEach ($ItemNow in $PDCCSV)
{
IF ($ItemNow.Domain -eq $ThisDomain)
{
$PDCServerToConnect = $ItemNow.'Preferred Domain Controller'
break
}
}
}
else
{
$PDCCSV = Import-CSV $PDCListFile
ForEach ($ItemNow in $PDCCSV)
{
IF ($ItemNow.Domain -eq $ThisDomain)
{
$PDCServerToConnect = $ItemNow.PDCServer
break
}
} 
}
$Error.Clear() 
$AllGPODisabled=Get-GPO -All -Domain $ThisDomain -Server $PDCServerToConnect | where{ $_.GpoStatus -eq 
"AllSettingsDisabled" }
IF ($Error.count -eq 0)
{
}
else
{
$ErrorOrNot="Yes"
}
IF ($ErrorOrNot -eq "Yes")
{
$TestText = "Please check to make sure a Domain Controller is reachable to execute Dynamic Pack."
$SumVal = ""
$TestStatus="Error executing Dynamic Pack."
}
else
{
$Items = $AllGPODisabled
$ItemCount=$AllGPODisabled.Count
$FinalText = ""
$SumVal=$ItemCount
ForEach ($ThisItem in $Items)
{ 
$TotNo++
}
ForEach ($ThisItem in $Items)
{ 
$FinalVal=$ThisItem.DisplayName+","+$ThisItem.ModificationTime+","+$ThisDomain+", Not Ok - Please check why this

 

GPO is disabled."
Add-Content "$TestCSVFile" $FinalVal 
}
IF ($TotNo -ge 0)
{
$TestText = "Some GPOs are completely disabled in the AD domain. Please check why these GPOs have been disabled.
GPOs that are created for testing purposes are kept disabled. If these GPOs fall under testing category please ignore."
$TestStatus="High"
$SumVal = $TotNo
}
IF ($TotNo -eq 0)
{
$TestText = "No Disabled GPOs found in AD Domains."
$TestStatus="Passed"
$SumVal = $TotNo
}
}
}
$STR = $ADTestName +","+$TestStartTime+","+$TestStatus+","+$SumVal +","+$TestText


### Script Ends Here ###


Once the script has finished executing for all domains in an Active Directory forest, a report will be generated in a CSV file as shown in the figure 1 below.

Image


Figure 1 – Showing GPO CSV Report generated by the PowerShell Script

As you can see in the screenshot above, the script reported only the GPOs that have been disabled in each domain in an Active Directory Forest specified in the “$CurForestName” variable. The script has found eight GPOs in both TechGenix.com and WindowsNetworking.TechGenix.com domains. The script is quite useful when you have hundreds of GPOs configured in your Active Directory domains and you don’t know what all GPOs are disabled. If you are using Active Directory Health Profiler, you can execute the Domain GPO Disabled Test Dynamic Pack against an Active Directory Forest or a domain and then show the output of the Dynamic Pack in Active Directory Health Profiler console as shown in the Figure 2 below. 

Image



Figure 2 – Showing GPO Report in AD Health Profiler Console


Summary and Next GPO Health Check Item

In this part, we focused on gathering the list of GPOs that have been disabled in each Active Directory domain. You can include above PowerShell script in your Active Directory Health Check procedure. In case of any issues while running the script, please send an email to nirmal_ks@outlook.com.

In the upcoming part, we are going to discuss our next GPO health check item that is checking GPO backup status and what all methods are available to backup GPOs.

See Also


The Author — Nirmal Sharma

Nirmal Sharma avatar

Nirmal Sharma is a MCSEx3, MCITP and was awarded the Microsoft MVP award in Directory Services and Windows Networking. He specializes in Microsoft Azure, Office 365, Directory Services, Failover Clusters, Hyper-V, PowerShell Scripting and System Center products. Nirmal has been involved with Microsoft Technologies since 1994. In his spare time, he likes to help others and share some of his knowledge by writing tips and articles on various sites and contributing to PowerShell-based Dynamic Packs for www.ITDynamicPacks.Net solutions.