In a previous post, I mentioned that the Group Policy Health Cmdlet was now a free download at www.sdmsoftware.com/freeware. The Health Cmdlet is a PowerShell utility for collecting Group Policy processing health against one or more remote systems. The cmdlet returns a "health object" that contains a number of properties related to the target systems’ Group Policy processing, as shown here:
What you notice is that some properties are pretty straightforward, like the domain name, hostname, loopback status, etc. However, some properties are more complicated. For example, the ComputerGPOsProcessed property is actually a collection of objects that define the GPOs processed by the computer. Those GPO objects each have their own set of properties. So, how can you quickly get to one of these property collections if you just want to know that information? Well, PowerShell provides the Select-Object cmdlet (aka "select") that you can use to select a property and expand it out in one step. For example, if I wanted to see a list of GPOs processed by the computer on my target system called sdm2, I could simply type:
Get-SDMGPHealth -ComputerName sdm2 | select -expand ComputerGPOsProcessed |fl
which will just list out the GPOs processed by the computer, like this:
DisplayName : Local Group Policy
GPLink : Local
Version : GPT Version: 0000, GPC Version: 0000
DisplayName : Default Domain Policy
GPLink : DC=cpandl,DC=com
Version : GPT Version: 003A, GPC Version: 003A
DisplayName : Desktop Policy Manager: Marketing User Lockdown – {C0D4FBAE-3952-
4A3E-89BF-90AC4AFC3FFF}
GPLink : DC=cpandl,DC=com
Version : GPT Version: FFFF, GPC Version: 0000
DisplayName : Desktop Policy Manager: Sales Users Lockdown – {C30783C6-A0D9-4B9
C-B2A3-A21FA0BADC5E}
GPLink : DC=cpandl,DC=com
Version : GPT Version: FFFF, GPC Version: 0000
DisplayName : Desktop Policy Manager: Engineering Department Lockdown – {1D9875
10-9ADB-4102-BFAC-B3027518D0F6}
GPLink : DC=cpandl,DC=com
Version : GPT Version: FFFF, GPC Version: 0000
DisplayName : Restricted Groups AD test
GPLink : OU=Domain Controllers,DC=cpandl,DC=com
Version : GPT Version: FFFF, GPC Version: 0005
DisplayName : Default Domain Controllers Policy
GPLink : OU=Domain Controllers,DC=cpandl,DC=com
Version : GPT Version: 004E, GPC Version: 004E
The other main property collections on the Health object are the ComputerCSEsProcessed and UserCSEsProcessed. These objects are a bit more complicated because they actually contain a collection of collections. Namely, these properties list each Client Side Extension that ran for the computer or user, and then within each of those, it lists the GPOs that were called by that CSE. Each of those GPO objects contains properties that include the GPO name, the last time the CSE ran for that GPO and where the GPO was linked.
So, let’s say we want to find out all the GPOs that processed security policy for the computer. That can be done in a single PowerShell command by using the following syntax:
Get-SDMGPHealth -ComputerName sdm2 | select -expand ComputerCSEsProcessed |
where {$_.ExtensionName -contains "Security"} | select -expand GPObyCSE |fl
When I issue this command, I get the following output:
DisplayName : Default Domain Policy
GPLink : LDAP://DC=cpandl,DC=com
LastProcessingTime : 1/9/2009 2:31:00 PM
CseStatus : The operation completed successfully
DisplayName : Default Domain Controllers Policy
GPLink : LDAP://OU=Domain Controllers,DC=cpandl,DC=com
LastProcessingTime : 1/9/2009 2:31:00 PM
CseStatus : The operation completed successfully
This tells me that the Security CSE processed two GPOs and that both ran successfully at the times given above. If they had not run successfully, the actual error message returned by the CSE would be shown here.
Hope this helps folks get more value out of the cmdlet (and thanks to PowerShell MVP Brandon Shell for helping me work through the syntax!)
Darren
I notice in your example that the “OverallStatus” property is Red. What constitutes a “red” status? What does it mean to have a “red” status?
Thanks
Ed
Ed-
A red status gets registered when a failure is detected in either core processing (the part of the GP Processing cycle where the computer or user evaluates what GPOs need to be processed) or in CSE processing (where each policy area runs in turn to apply the settings).
Darren
Thanks for the reply. So in the example since the user and computer core status show a “The operation completed successfully” status, I would guess that there was a failure detected with either the user or computer CSE processing. Would that be a correct assumption? If so, what would you suggest the command line look like to locate the failure?
Thanks,
Ed
That’s correct Ed. You can iterate into the ComputerCSEsProcessed or UserCSEsProcessed properties like this:
$health = Get-SDMGPHealth -ComputerName win7-x86-1
foreach ($cse in $health.ComputerCSEsProcessed) {$cse.GPObyCSE}
Darren
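To locate the failing CSE asked about above, and to keep the CSE name that select -expand GPObyCSE drops, the nested collections can be flattened into one row per GPO and filtered on CseStatus. This is an added example, not part of the original post or the cmdlet: the function name Get-FailedCseGpo and the sample object are hypothetical, and it assumes success is always reported with the status text shown in the post's output.

```powershell
# Requires PowerShell 3.0 or later ([pscustomobject]).
# Assumption: success is reported with this text, as in the output shown in the post.
$SuccessText = 'The operation completed successfully'

function Get-FailedCseGpo {
    # Flattens the CSE -> GPO "collection of collections" into one row per
    # (scope, CSE, GPO) and emits only rows whose CseStatus is not the success text.
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)] $Health)
    process {
        foreach ($scope in 'Computer', 'User') {
            foreach ($cse in $Health."${scope}CSEsProcessed") {
                foreach ($gpo in $cse.GPObyCSE) {
                    if ($gpo.CseStatus -notlike "$SuccessText*") {
                        [pscustomobject]@{
                            Scope              = $scope
                            Extension          = $cse.ExtensionName
                            GPO                = $gpo.DisplayName
                            GPLink             = $gpo.GPLink
                            LastProcessingTime = $gpo.LastProcessingTime
                            CseStatus          = $gpo.CseStatus
                        }
                    }
                }
            }
        }
    }
}

# Constructed sample shaped like the health object described in the post (not real output).
$ok  = [pscustomobject]@{ DisplayName = 'Default Domain Policy'; GPLink = 'LDAP://DC=cpandl,DC=com'
                          LastProcessingTime = '1/9/2009 2:31:00 PM'; CseStatus = $SuccessText }
$bad = [pscustomobject]@{ DisplayName = 'Constructed Test GPO'; GPLink = 'LDAP://DC=cpandl,DC=com'
                          LastProcessingTime = '1/9/2009 2:31:00 PM'; CseStatus = 'Constructed error text' }
$sample = [pscustomobject]@{
    ComputerCSEsProcessed = @(
        [pscustomobject]@{ ExtensionName = 'Security'; GPObyCSE = @($ok) },
        [pscustomobject]@{ ExtensionName = 'Constructed CSE'; GPObyCSE = @($ok, $bad) }
    )
    UserCSEsProcessed = @()
}

# Lists only the failing GPO, together with the CSE that reported the failure.
$sample | Get-FailedCseGpo | Format-List

# Against a live system (cmdlet and parameter as used in the post):
# Get-SDMGPHealth -ComputerName sdm2 | Get-FailedCseGpo | Format-List
```

A failed Security CSE row means the security settings in that GPO were not applied on the target, so an empty result across both scopes is the state to confirm after a policy change.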
The PowerShell version of Group Policy Health Reporter is not reporting the time correctly. If I run the PowerShell tool it reports ComputerElapsedTime as 00:07:19. For the same computer with the GUI it reports 10 seconds and 86 msec. If I run GpTime it reports 10 seconds and 86 msec. I actually watched the computer and it took around 10 seconds. So the PowerShell tool is not reporting correctly when run for an OU or a single computer. I love the tool and could really use the PowerShell version to report an OU. Please let me know if you need me to test something for you and when the tool is fixed.