Group Policy cleanup and optimization is top of mind for many of our customers. One of the key tools for helping customers achieve optimized GPO environments, SDM Software’s GPO Exporter product, was recently updated. One of the small improvements we added was support for outputting our powerful Group Policy Analysis reports as PowerShell objects. Exporter comes with a set of 15 canned reports that cover everything from conflicting or duplicate settings to GPO design decisions that can cause slowdowns in Windows restart and logon cycles. The following reports are available in GPO Exporter today:
Conflicting Settings
Duplicate Settings
Unlinked GPOs
Empty GPOs
GPOs with Enforced Links
GPOs by Status
GPOs with Multiple Links
GPOs with Scripts
GPOs with WMI Filters
GPOs by Policy Area
GPOs with Synchronous Extensions Only
GPOs with Synchronous and Asynchronous Extensions
GPOs with Synchronous Policy Setting
GPOs with Expensive ILTs
GPOs with Loopback Merge Mode
Until the latest version of GPO Exporter, all of these reports could be run from both the GUI and the PowerShell cmdlet, Export-SDMGPSettings, but the output format for both was either PDF, Word or Excel. With the latest release, we added a new parameter to the PowerShell cmdlet that allows you to export the contents of one of these reports to a PowerShell object collection. This opens up lots of new and interesting scenarios for using the data from these reports to drive actual changes into your Group Policy environment using the power of PowerShell.
Flagging Empty GPOs
A simple example that I came up with is leveraging the “Empty GPOs” report from Exporter to mark and/or delete GPOs that are no longer needed in the environment. In the first scenario, I run the Empty GPOs report from Exporter’s PowerShell cmdlet and pipe its output, a collection of custom objects identifying the GPOs found to be empty, to the Get-GPO cmdlet provided by the Microsoft Group Policy module. The GPO object that Get-GPO returns lets me set a comment on the GPO (represented by the Description property), which I use to flag each empty GPO for future removal, as shown here:
Export-SDMGPSettings -ReportName "Empty GPOs" -ReportObject | % {(Get-GPO -Name $_.GPOName).Description = "Empty GPO--Delete"}
This command calls the “Empty GPOs” report using the -ReportName parameter on the Exporter Export-SDMGPSettings cmdlet. It then uses the -ReportObject switch parameter to output the report’s contents as a collection of PowerShell custom objects. We pipe this object collection to % (the alias for ForEach-Object) and, for each object, pass its GPOName property to the Microsoft Group Policy module’s Get-GPO cmdlet to get a reference to the empty GPO. Finally, we set the Description property on the GPO we just got a reference to, making the GPO’s comment equal to “Empty GPO--Delete”. An administrator could then go through and easily investigate and/or delete all GPOs that were flagged with this comment at a later date.
Removing Empty GPOs
However, if we wanted to take this process to the next step, here’s where it gets fun! We could make a slight modification to the previous command, as follows:
Export-SDMGPSettings -ReportName "Empty GPOs" -ReportObject | % {(Get-GPO -Name $_.GPOName).Delete()}
And now, instead of just modifying the comment on the GPO, we are actually deleting the empty GPO by calling the Delete method on the object returned by Get-GPO! So with one command, we’ve just cleaned up all empty GPOs in our domain. Of course, your change management procedures might frown on this approach, but nonetheless, it is powerful and useful to be able to do this kind of Group Policy cleanup! The same would work for the “Unlinked GPOs” report within Exporter. You can also imagine other scenarios using the reports in Exporter and PowerShell to do lots of cool stuff. For example, the GPOs by Status report can show any GPOs that are flagged as disabled, and you could very easily delete those if they are really not being used.
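A more cautious version of the removal step, as an added example that is not from the original post or from SDM Software: it deletes only GPOs that appear in the Empty GPOs report and still carry the flag comment set by the earlier command, and it backs each one up first. Remove-FlaggedEmptyGpo and the C:\GPOBackups path are hypothetical names chosen here; Backup-GPO and Remove-GPO come from the Microsoft Group Policy module.

```powershell
# Added example (not SDM Software's code). Needs the Microsoft GroupPolicy module.
# Remove-FlaggedEmptyGpo and C:\GPOBackups are hypothetical names for illustration.
function Remove-FlaggedEmptyGpo {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        # Bound from the GPOName property of each Exporter report object
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string]$GPOName,

        # Existing folder that receives a backup of each GPO before deletion
        [Parameter(Mandatory)]
        [string]$BackupPath,

        # Comment written by the flagging command shown earlier
        [string]$Flag = 'Empty GPO--Delete'
    )
    process {
        $gpo = Get-GPO -Name $GPOName -ErrorAction Stop

        # Act only on GPOs that were flagged in the earlier pass. Because the
        # input is a fresh report run, a flagged GPO that has since gained
        # settings never reaches this function and is left alone.
        if ($gpo.Description -ne $Flag) {
            Write-Verbose "Skipping '$GPOName': not flagged for deletion"
            return
        }

        if ($PSCmdlet.ShouldProcess($GPOName, 'Back up and delete GPO')) {
            # Back up first; -ErrorAction Stop aborts before deletion on failure
            $backup = Backup-GPO -Guid $gpo.Id -Path $BackupPath -Comment $Flag -ErrorAction Stop
            Remove-GPO -Guid $gpo.Id -Confirm:$false -ErrorAction Stop

            # Emit a record that ties the deleted GPO to its backup
            [pscustomobject]@{
                GPOName  = $GPOName
                GpoId    = $gpo.Id
                BackupId = $backup.Id
            }
        }
    }
}

# Preview what would be removed; drop -WhatIf to be prompted per GPO.
Export-SDMGPSettings -ReportName "Empty GPOs" -ReportObject |
    Remove-FlaggedEmptyGpo -BackupPath 'C:\GPOBackups' -WhatIf
```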
More Advanced Group Policy Cleanup Scenarios
The possibilities get really interesting when you combine our conflicting and duplicate settings reports with the power of our Group Policy Automation Engine (GPAE) product. With GPAE, which allows you to read and write settings within GPOs using PowerShell, you could potentially take conflicting or duplicate settings and remove them from target GPOs in one fell swoop. More on this in a future article!
Darren