Active Directory Group Policy Health Check Items (Part 6): GPO Naming Convention

by [Published on 4 May 2017 / Last Updated on 4 May 2017]

In Part 5 of this article series, we explained why it is important to provide a description text for each GPO. A descriptive text matters when you have hundreds of GPOs and multiple IT teams handling specific GPOs. The PowerShell script in that part helps you get a list of GPOs that do not have a description text set, so you can then set the description text for the important GPOs.

In this part, we will provide a PowerShell script that you can use to collect GPOs that do not follow standards: for example, GPO names that are too long, GPOs that lack the expected prefix or suffix, GPOs that have not been named correctly, and so on.

There are several reasons why you need to ensure that GPO names are short and follow a standard naming convention. In a large Active Directory environment with hundreds of GPOs, it becomes necessary to follow a standard naming convention for each GPO so that IT teams can identify the GPOs easily. You may not want the Sales IT team to touch finance GPOs and vice versa. That is where this article comes in handy. In this article, we will provide a PowerShell script that can help you collect GPOs whose names are longer than 60 characters and GPOs that do not follow a standard naming convention.

While the PowerShell script, explained shortly, does not implement a function to identify GPOs with a given prefix or suffix, if you have implemented a naming convention for GPOs, the script can help you find which GPOs do not follow it.

After collecting the GPO information from each domain, you can modify the GPO names. Note that there is no downtime for GPOs when GPO names are modified. Every object in Active Directory, including a GPO, is identified by its GUID, not its name. So items such as the GPO description and GPO name can be modified without any impact on the Active Directory environment.


Requirements

Before you run the script, please ensure you meet the requirements mentioned below:

  • The PowerShell script must be executed from a Windows Server 2012 or later operating system.
  • Install the Group Policy PowerShell module by enabling the GPMC feature via Server Manager. Note that the PowerShell script uses the Get-GPO cmdlet, which is part of the GPMC feature.
  • The PDC Emulator for each domain must be available in order to gather the list of GPOs. The PowerShell script below collects GPOs from each domain in an Active Directory forest. In order to contact a domain, the script connects to the PDC Emulator of every domain.


What does the script do?

The script performs the following functions:

  • Retrieves all domains from the current Active Directory forest. You can also specify the Active Directory forest name in the $CurForestName variable. The forest that we use in the script is “TechGenix.com”.
  • Connects to the PDC Emulator of each domain in the forest.
  • Executes the Get-GPO PowerShell cmdlet to collect all GPOs and their names.
  • Checks how many GPOs have names longer than 60 characters.
  • Writes the script output to the C:\Temp\GPOsNames.CSV file.


Script Contents

```powershell
### Script Starts Here ###

# Get-ADForest/Get-ADDomain come from the ActiveDirectory module (RSAT);
# Get-GPO comes from the GroupPolicy module installed with the GPMC feature.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$TotNo = 0
$ItemCount = 0
$TestText = ""
$TestStatus = ""
$SumVal = ""
$IsNameOk = "Yes"
$GDomList = "C:\Temp\DomList.DPC"
Remove-Item $GDomList -ErrorAction SilentlyContinue
$TestCSVFile = "C:\Temp\GPOsNames.CSV"
Remove-Item $TestCSVFile -ErrorAction SilentlyContinue
# Header row so the report can be read back with Import-Csv
Add-Content $TestCSVFile "Domain,PDCServer,GPOName,NameLength,Status"

# Forest to check; change this to your own forest name
$CurForestName = "TechGenix.com"
$R = Get-ADForest $CurForestName
ForEach ($DomName in $R.Domains)
{
    Add-Content $GDomList $DomName
}

ForEach ($ThisDomain in Get-Content "$GDomList")
{
    $PDCServerToConnect = "Unknown"
    # Reset per domain so one unreachable domain does not mark every later domain as failed
    $ErrorOrNot = "No"

    # $HitWin2012DC, $CredInputForPS, $PrefDCFile and $PDCListFile are supplied by the
    # Dynamic Pack framework. When they are not set (stand-alone run), the PDC Emulator
    # is resolved with Get-ADDomain further down.
    IF ($HitWin2012DC -eq "Yes" -and $CredInputForPS -eq "File" -and $PrefDCFile)
    {
        $PDCCSV = Import-Csv $PrefDCFile
        ForEach ($ItemNow in $PDCCSV)
        {
            IF ($ItemNow.Domain -eq $ThisDomain)
            {
                $PDCServerToConnect = $ItemNow.'Preferred Domain Controller'
                break
            }
        }
    }
    elseif ($PDCListFile)
    {
        $PDCCSV = Import-Csv $PDCListFile
        ForEach ($ItemNow in $PDCCSV)
        {
            IF ($ItemNow.Domain -eq $ThisDomain)
            {
                $PDCServerToConnect = $ItemNow.PDCServer
                break
            }
        }
    }
    IF ($PDCServerToConnect -eq "Unknown")
    {
        $PDCServerToConnect = (Get-ADDomain -Identity $ThisDomain).PDCEmulator
    }

    # Collect all GPOs of the domain from its PDC Emulator; any failure is recorded in $ErrorOrNot
    try
    {
        $AllGPODes = Get-GPO -All -Domain $ThisDomain -Server $PDCServerToConnect -ErrorAction Stop
    }
    catch
    {
        $ErrorOrNot = "Yes"
    }

    IF ($ErrorOrNot -eq "Yes")
    {
        $TestText = "Please check to make sure a Domain Controller is reachable to execute Dynamic Pack."
        $SumVal = ""
        $TestStatus = "Error executing Dynamic Pack."
    }
    else
    {
        # @() so that a domain with a single GPO still has a usable .Count
        $Items = @($AllGPODes)
        $ItemCount = $Items.Count
        $FinalText = ""
        $SumVal = $ItemCount
        ForEach ($ThisItem in $Items)
        {
            # The only check performed: length of the GPO display name
            $RNameNow = ($ThisItem.DisplayName | Measure-Object -Character).Characters
            $StatusNow = "Ok"
            IF ($RNameNow -gt 60)
            {
                $TotNo++
                $IsNameOk = "No"
                $StatusNow = "Please ensure GPO name follows production naming convention."
            }
            # Note: a display name containing a comma will shift the CSV columns for that row
            $FinalVal = $ThisDomain + "," + $PDCServerToConnect + "," + $ThisItem.DisplayName + "," + $RNameNow + "," + $StatusNow
            Add-Content "$TestCSVFile" $FinalVal
        }
        IF ($IsNameOk -eq "No")
        {
            $TestText = "Some GPO names are more than 60 characters. It is recommended to have shorter GPO names."
            $TestStatus = "Medium"
            $SumVal = $TotNo
        }
        IF ($IsNameOk -eq "Yes")
        {
            $TestText = "All GPOs have shorter names. However, please ensure all GPOs follow a standard naming convention."
            $TestStatus = "Passed"
            $SumVal = $TotNo
        }
    }
}

# Summary line consumed by the Dynamic Pack framework ($ADTestName and $TestStartTime come from it)
$STR = $ADTestName + "," + $TestStartTime + "," + $TestStatus + "," + $SumVal + "," + $TestText
$STR

### Script Ends Here ###
```
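The script above only checks name length; the article notes that a prefix or suffix check is not implemented. The following function is an added example (not part of the article or the Dynamic Pack) that checks a GPO display name against an assumed TEAM-Scope-Purpose convention with an approved team prefix list, keeps the same 60-character limit, and exempts the built-in default GPOs; the team codes and the sample names are constructed.

```powershell
# Added example: not part of the article or the Dynamic Pack. The TEAM-Scope-Purpose
# convention, the approved team codes and the sample names are all assumptions.
function Test-GpoName {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [string[]]$AllowedPrefix = @('SALES', 'FIN', 'HR', 'IT'),   # assumed team codes
        [int]$MaxLength = 60                                        # same limit as the script
    )
    # Built-in GPOs are never renamed, so they are reported as Ok without further checks
    $builtIn = @('Default Domain Policy', 'Default Domain Controllers Policy')
    $problems = @()
    if ($builtIn -notcontains $DisplayName) {
        if ($DisplayName.Length -gt $MaxLength) {
            $problems += "Name is $($DisplayName.Length) characters (max $MaxLength)"
        }
        if ($DisplayName -ne $DisplayName.Trim()) {
            $problems += 'Leading or trailing whitespace'
        }
        # Expected shape: PREFIX-Scope-Purpose, e.g. FIN-Workstations-ScreenLock
        if ($DisplayName.Trim() -match '^(?<prefix>[A-Z]+)-[A-Za-z0-9]+-[A-Za-z0-9 ]+$') {
            if ($AllowedPrefix -notcontains $Matches['prefix']) {
                $problems += "Prefix '$($Matches['prefix'])' is not an approved team code"
            }
        }
        else {
            $problems += 'Does not match PREFIX-Scope-Purpose'
        }
    }
    $status = if ($problems.Count -eq 0) { 'Ok' } else { 'Review' }
    [pscustomobject]@{
        DisplayName = $DisplayName
        Length      = $DisplayName.Length
        Status      = $status
        Problems    = ($problems -join '; ')
    }
}

# Constructed sample names standing in for Get-GPO -All output
$sampleNames = @(
    'Default Domain Policy',
    'FIN-Workstations-ScreenLock',
    'MKT-Servers-Audit',
    'SALES-Laptops-BitLocker Encryption Settings For Remote Users Travelling Abroad',
    'IT-Servers-Baseline '
)
$sampleNames | ForEach-Object { Test-GpoName -DisplayName $_ } | Format-Table -AutoSize
```

Against a live domain, pipe `Get-GPO -All -Domain <domain> | ForEach-Object { Test-GpoName $_.DisplayName }` into Export-Csv to produce the same kind of per-GPO report as the script above.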


Once the script has finished executing for all domains in the Active Directory forest, a report is generated in a CSV file as shown in Figure 1 below.

Figure 1 – Showing GPOs that do not have the Description Text Set


As you can see in the screenshot above, the script has reported all the GPOs from each domain in the Active Directory forest. The only check that the above PowerShell script performs is on the length of the GPO names. As you can see in the screenshot, the script reported that two GPOs have longer names. The script uses the “$CurForestName” variable to connect to the Active Directory forest, collects the domains and then fetches all the GPOs from each domain. If you are using Active Directory Health Profiler, you can execute the Domain GPO Naming Test Dynamic Pack against an Active Directory forest or a domain and then show the output of the Dynamic Pack in the Active Directory Health Profiler console as shown in Figure 2 below.

Figure 2 – Showing GPO Naming Report in AD Health Profiler Console


Summary and Next GPO Health Check Item

In this part, we focused on gathering the list of GPOs that do not follow the production naming convention and GPOs whose names are longer than 60 characters. You can include the above PowerShell script in your Active Directory health check procedure. In case of any issues while running the script, please send an email to nirmal_ks@outlook.com

In the final part of this article series, we are going to explain the Block Policy Inheritance setting and provide a PowerShell script to collect organizational units that have the Block Policy Inheritance option set.

The Author — Nirmal Sharma

Nirmal Sharma is an MCSEx3 and MCITP and was awarded the Microsoft MVP award in Directory Services and Windows Networking. He specializes in Microsoft Azure, Office 365, Directory Services, Failover Clusters, Hyper-V, PowerShell scripting and System Center products. Nirmal has been involved with Microsoft technologies since 1994. In his spare time, he likes to help others and share some of his knowledge by writing tips and articles on various sites and contributing to PowerShell-based Dynamic Packs for www.ITDynamicPacks.Net solutions.