Find and Delete All Empty GPOs
The SDM Software GPO Reporting Pak is full of nifty features and is simple to use. There are many common scenarios that organizations require. The PowerShell components of the product are sometimes overlooked. From discussions with people who are using the product there are common reasons for this.
- New to PowerShell – yet to fully grasp how to best utilize PowerShell for repetitive tasks or automation
- Unaware of the products cmdlets – likely a better job can be done in evangelizing these scenarios
- GUIs are my friend, cmdline stresses me out, what is this PowerShell thing you speak of 🙂
I’d like to address a few of these items. I will add a quick video to walk through this so keep an eye out!
OK, so you are new to PowerShell, welcome to the machine! It is an exciting ride so buckle up. Lots of folks out there are helping the community learn and embrace the PowerShell way of doing things. This scenario is simple and shows off some PowerShell’y concepts you will want to master.
OK, so you have a lot of GPOs. You do not know what is in all of these GPOs and the person or people who created them are long gone! OML (Organizational Memory Loss) is a real thing. You want to begin your effort to gain or regain some control and start cleaning up. One of the first things you may want to do is fine all empty GPOs. Once you find them… well maybe it is time to delete them. If a colleague created an empty GPO as a placeholder or a test for something they may not be super happy. They can recreate if necessary in seconds.
Step 1 – find Empty GPOs
If you would like to open GPMC and select a GPO under the ‘Group Policy Objects’ container and look at the settings report you can do that. And then do it again once for each GPO in your environment. OK, great now do that again every week… UGH… images of hock pokers in my eyes!
Lets find them first with PowerShell. We’ll use this as the beginning of a short script. The cmdlet used for the exporter functionality in GPO Reporting Pak (GPRP) is ‘Export-SDMGPSettings’. With a few parameters you can easily grab all empty GPOs and output that data to Excel, PDF, Word… lots of choices.
The above will run through all of your existing GPOs, find those that are empty, no settings, and dump the data into an excel report. Great, but if we want to reason over the results we must stay in PowerShell and now send our output to Excel. We will want to send our output down the PowerShell pipeline. The Export-SDMGPSettings cmdlet has a parameter called ‘ReportObject’ which does just that.
Step 2 – delete Empty GPOs
This returns the data you are looking for into the pipeline. Now we can actually do something with this. I can’t simply ‘pipe’ this into the ‘Remove-GPO’ cmdlet although that is what I want. The ‘Remove-GPO’ cmdlet expects a different type of object but we can deal with that for sure. I’ll cut to the chase now, but essentially we grab all empty GPOs as PowerShell objects and store them in a variable (collection). Then we use ‘Remove-GPO’ calling the specific property of the object that it knows how to handle. It looks like this.
The second line is not necessary and will not work in the automation. It is there to show that you can analyze the results and format the data to make your life easy. The last line, ‘Remove-GPO $emptyGPOs.gponame’ is the critical one. that property (gponame) on each object returned by the ‘Export-SDMGPSettings’ cmdlet is something the ‘Remove-GPO’ cmdlet can grok. This is one of those PowerShell’y things that will come in handy. You may have an object and only a specific type a data can be passed through the pipeline. It won’t always work but it can be super handy when needed.
OK, so It is a surface example. It should get the main points across. I’ll walk through this in a video soon that will more interactively demonstrate the steps. I hope you find this helpful!