Active Directory Group Policy Health Check Items (Part 5)

by [Published on 27 April 2017 / Last Updated on 27 April 2017]

In Part 4 of this article series, we explained the methods available to back up domain GPOs: the GPMC and the Backup-GPO PowerShell cmdlet. GPMC is the preferred method, but if you need to script GPO backup operations, you can always use the Backup-GPO PowerShell cmdlet.

 

In Part 5 of this article series, we will explain why it is necessary to set description text for GPOs and how you can get a list of GPOs that do not have the GPO description text set.

In a large Active Directory environment, you might have multiple teams working on multiple Active Directory tasks. For example, you might have an IT team that looks after user creation and modification for the finance department. You might have a dedicated team whose responsibility is to join computers to the domain for the sales department. You might also have a dedicated team that works on Group Policy items such as modifying GPO settings for the finance and sales teams. In a large Active Directory environment with hundreds of GPOs, it becomes necessary to provide a descriptive text for each GPO so that IT teams can identify the GPOs easily. You may not want the sales IT team to touch finance GPOs and vice versa. A wrong modification to a GPO might cause unnecessary GPO settings to be applied to Active Directory computers that do not need them. While it is not mandatory to provide a description text when creating a GPO, it becomes difficult to identify the role of each GPO if multiple teams work on the GPOs and you have hundreds of GPOs created in the domain. That is where this article comes in handy. In this article, we provide a PowerShell script that you can use to collect the list of GPOs that do not have the descriptive text set and then take action accordingly.


Requirements

Before you run the script, please ensure to meet the requirements mentioned below:

  • Execute the PowerShell script explained below from a computer running Windows Server 2012 or a later operating system.
  • Since the PowerShell script uses the Get-GPO PowerShell cmdlet, install the Group Policy PowerShell module via Server Manager. All you need to do is enable the GPMC feature, which in turn installs the required Group Policy PowerShell module.
  • The PDC Emulator of each domain must be reachable in order to gather the list of GPOs. The PowerShell script below collects GPOs from each domain in an Active Directory forest, and it connects to the PDC Emulator of every domain to do so.


What does the script do?

The script performs the following functions:

  • Retrieves all domains from the current Active Directory forest.
  • Connects to the PDC emulator of each domain.
  • Executes Get-GPO PowerShell cmdlet to collect GPOs and their description text.
  • Checks how many GPOs do not have a description text set.
  • Writes the output to the C:\Temp\GPOsDescriptionText.CSV file.

 

Script Contents

### Script Starts Here ###

# Dynamic Pack metadata. The Dynamic Pack framework normally supplies $ADTestName and
# $TestStartTime; they are defined here so the script also runs stand-alone.
$ADTestName    = "Domain GPO Description Test"
$TestStartTime = Get-Date
$TotNo      = 0          # number of GPOs without a description, across all domains
$TestText   = ""
$TestStatus = ""
$SumVal     = ""
$ErrorOrNot = "No"
$Results    = @()

$TestCSVFile = "C:\Temp\GPOsDescriptionText.CSV"
New-Item -ItemType Directory -Path "C:\Temp" -Force | Out-Null
Remove-Item $TestCSVFile -ErrorAction SilentlyContinue

Import-Module ActiveDirectory
Import-Module GroupPolicy

# Forest to check; replace with your own forest name. All domains in the forest are enumerated.
$CurForestName = "TechGenix.com"
$R = Get-ADForest $CurForestName

ForEach ($ThisDomain in $R.Domains)
{
    # Connect to the PDC Emulator of each domain. The Dynamic Pack version reads a preferred
    # domain controller list from a CSV file; here the PDC Emulator is taken from Get-ADDomain.
    $PDCServerToConnect = "Unknown"
    try
    {
        $PDCServerToConnect = (Get-ADDomain -Identity $ThisDomain -ErrorAction Stop).PDCEmulator
        # Collect every GPO in the domain so the report lists GPOs with and without a description
        $AllGPODes = Get-GPO -All -Domain $ThisDomain -Server $PDCServerToConnect -ErrorAction Stop
    }
    catch
    {
        $ErrorOrNot = "Yes"
        continue
    }

    ForEach ($ThisItem in $AllGPODes)
    {
        $StatusNow = "Ok"
        # Treat both a $null and a blank description as "not set"
        IF ([string]::IsNullOrWhiteSpace($ThisItem.Description))
        {
            $TotNo++
            $StatusNow = "Not Ok"
        }
        $Results += [PSCustomObject]@{
            Domain      = $ThisDomain
            PDCServer   = $PDCServerToConnect
            GPOName     = $ThisItem.DisplayName
            Description = $ThisItem.Description
            Status      = $StatusNow
        }
    }
}

# Export-Csv quotes each field, so descriptions containing commas do not break the report
$Results | Export-Csv -Path $TestCSVFile -NoTypeInformation

IF ($ErrorOrNot -eq "Yes")
{
    $TestText   = "Please check to make sure a Domain Controller is reachable to execute Dynamic Pack."
    $SumVal     = ""
    $TestStatus = "Error executing Dynamic Pack."
}
elseif ($TotNo -gt 0)
{
    $TestText   = "Some GPOs do not have a description text set. It is recommended to set a description for each GPO to identify function of GPO easily."
    $TestStatus = "Medium"
    $SumVal     = $TotNo
}
else
{
    $TestText   = "All GPOs are defined with a description text."
    $TestStatus = "Passed"
    $SumVal     = $TotNo
}

# Summary line in the format the Dynamic Pack framework expects
$STR = $ADTestName + "," + $TestStartTime + "," + $TestStatus + "," + $SumVal + "," + $TestText
Write-Output $STR

### Script Ends Here ###


Once the script has finished executing for all domains in the Active Directory forest, a report is generated in a CSV file as shown in Figure 1 below.

Figure 1 – Showing GPOs that do not have the Description Text Set


As you can see in the screenshot above, the script reports both GPOs that have a description text set and GPOs that do not. The script checks the Description property of each GPO to determine whether the description field is empty. It uses the “$CurForestName” variable to connect to the Active Directory forest, collects the domains, and then collects all the GPOs from each domain. The script is quite useful when you have hundreds of GPOs configured in your Active Directory domains and you do not know which of them lack a description text. If you are using Active Directory Health Profiler, you can execute the Domain GPO Description Test Dynamic Pack against an Active Directory forest or a domain and then view the output of the Dynamic Pack in the Active Directory Health Profiler console, as shown in Figure 2 below.

Figure 2 – Showing GPO Report in AD Health Profiler Console


Summary and Next GPO Health Check Item

In this part, we focused on gathering the list of GPOs that do not have a description text set. You can include the above PowerShell script in your Active Directory health check procedure. In case of any issues while running the script, please send an email to nirmal_ks@outlook.com.

In the upcoming part of this article series, we are going to discuss why it is necessary to follow a standard naming convention for GPOs and how you can use a PowerShell script to gather the list of GPOs that do not follow a standard naming convention.

The Author — Nirmal Sharma

Nirmal Sharma is an MCSEx3 and MCITP and was awarded the Microsoft MVP award in Directory Services and Windows Networking. He specializes in Microsoft Azure, Office 365, Directory Services, Failover Clusters, Hyper-V, PowerShell scripting and System Center products. Nirmal has been involved with Microsoft technologies since 1994. In his spare time, he likes to help others and share some of his knowledge by writing tips and articles on various sites and contributing to PowerShell-based Dynamic Packs for www.ITDynamicPacks.Net solutions.