Examining GPO Health

I was recently asked to evaluate an Active Directory environment to determine its health, specifically relating to GPOs and how they were being used.

I discovered that the number and configuration of the OUs, GPOs, and their contents were a clear indication that the administration of GPOs was not well understood by the committee of people who were managing them, and that there were clearly problems being self-inflicted due to these issues.

The question, however, was how we could quickly assess whether the management of GPOs was in trouble, and how we could quantify the issue.

The first thing to understand is that Microsoft publishes recommended best practices for managing GPOs. See https://technet.microsoft.com/en-us/library/cc785903(v=ws.10).aspx

But how to quantify these subjective suggestions?



First, "Minimize the Use of the Block Policy Inheritance Feature".

You can determine the number of OUs that have Block Policy Inheritance set with the following PowerShell command:

Get-ADOrganizationalUnit -Filter * | Get-GPInheritance | Where-Object { $_.GpoInheritanceBlocked } | Measure-Object

After having seen a "bad" install, I believe that the number should be less than 5% of the total number of OUs. Or perhaps a raw number of 10-15 might be allowed.



Second, "Minimize the Use of the Enforce Feature".

How do you determine how many GPOs have Enforce enabled, and where those links are? One quick way is to list every link that is enforced, with the following command:

Get-ADOrganizationalUnit -Filter * | Get-GPInheritance | ForEach-Object { $_.GpoLinks } | Where-Object { $_.Enforced } | Select-Object DisplayName,Enabled,Enforced,Target

Another is to list the full set of GPOs that apply to a single OU, including the ones it inherits. For example, for the Servers OU:

Get-ADOrganizationalUnit "ou=servers,ou=corp,dc=mydomain,dc=com" | Get-GPInheritance | ForEach-Object { $_.InheritedGpoLinks }

This command lists the same information that the GPMC GUI displays under the "Group Policy Inheritance" tab. Note that the Order property of each link is its link order on the container where the GPO is actually linked (the Target), not its resulting position on the OU being reported. The links themselves are listed in precedence order, which is the reverse of the order in which they are applied.
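As an added example that is not part of the original post, the script below rolls the two checks above (blocked inheritance and enforced links) into one summary, and also walks the domain root, which the OU-only pipelines above skip. The threshold variables $MaxBlockedPercent and $MaxBlockedCount are assumed values taken from the 5% and 10-15 rules of thumb above.

```powershell
# Added example, not from the original post: roll the "block inheritance" and
# "enforce" checks into one summary object, covering the domain root as well
# as every OU. Threshold values are assumptions based on the rules of thumb
# above (under 5% of OUs, or a raw count of 10-15); tune them per environment.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$MaxBlockedPercent = 5
$MaxBlockedCount   = 15

$ous        = @(Get-ADOrganizationalUnit -Filter *)
$containers = @(Get-ADDomain) + $ous

# One SomInheritanceInfo per container: GpoInheritanceBlocked, GpoLinks, InheritedGpoLinks
$inheritance = foreach ($c in $containers) {
    Get-GPInheritance -Target $c.DistinguishedName
}

$blocked  = @($inheritance | Where-Object { $_.GpoInheritanceBlocked })
$links    = @($inheritance | ForEach-Object { $_.GpoLinks })   # direct links only
$enforced = @($links | Where-Object { $_.Enforced })
$disabled = @($links | Where-Object { -not $_.Enabled })

$blockedPercent = if ($ous.Count) { [math]::Round(100 * $blocked.Count / $ous.Count, 1) } else { 0 }

# Treat the raw allowance as an exemption for small domains: flag only when the
# percentage AND the raw count are both above the limits.
$summary = [PSCustomObject]@{
    OUs                  = $ous.Count
    BlockedInheritance   = $blocked.Count
    BlockedPercent       = $blockedPercent
    BlockedOverThreshold = ($blockedPercent -gt $MaxBlockedPercent) -and ($blocked.Count -gt $MaxBlockedCount)
    DirectLinks          = $links.Count
    EnforcedLinks        = $enforced.Count
    DisabledLinks        = $disabled.Count
}
$summary

# Where the exceptions actually live, for follow-up in GPMC
"`nContainers blocking inheritance:"
$blocked  | Select-Object Path
"`nEnforced links (one row per container the GPO is linked to):"
$enforced | Select-Object DisplayName, Target, Order | Sort-Object Target, Order
```

Run it from a host with RSAT installed; the summary object can be piped to Export-Csv to track the numbers over time.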

Reporting all OUs, and all links that apply to each OU, requires a bit more work:
$OUs = @(Get-ADOrganizationalUnit -Filter * | Select-Object DistinguishedName,LinkedGroupPolicyObjects,Name)
$OUs += Get-ADDomain   # include the domain root; it also exposes LinkedGroupPolicyObjects
$report = foreach ($ou in $OUs) {
    # Only containers with a GPO linked directly; drop this test to also include OUs that merely inherit
    if ($ou.LinkedGroupPolicyObjects) {
        $inher = Get-GPInheritance -Target $ou.DistinguishedName
        $count = 0
        # InheritedGpoLinks is in precedence order, the same view as the GPMC "Group Policy Inheritance" tab
        foreach ($link in $inher.InheritedGpoLinks) {
            $count += 1
            "" | Select-Object -Property @{n="ou";e={$inher.Path}},
                @{n="Order";e={$count}},
                @{n="GPOname";e={$link.DisplayName}},
                @{n="Enabled";e={$link.Enabled}},
                @{n="Enforced";e={$link.Enforced}},
                @{n="Target";e={$link.Target}}
        }
    }
}

$report | Export-Csv .\GPO-Links-cwInheritance.csv -NoTypeInformation



I discovered this week that there is a bug in Google's web page that causes Internet Explorer 11 to hang when you click the back button. The specific scenario is that when you start on Google's web page, and go to a link of some sort, it can trigger this bug when you click back to return to google.  This is fairly well documented on some forums, in that it has been like this for a while, and Google seems unwilling, or unable, to modify their code to not trigger this bug. I do not consider it a IE11 bug as much as I consider it a problem with Google.  Microsoft should of course fix their issue, but also you would think that Google might take this seriously.  To trigger the issue, Go to google.com and search for something that takes you to a Microsoft page.  Example: "Exchange edge server".  Click on the first link and then click on any link on that Microsoft page.  Then click back twice.  The first "back" will work fine because it takes you to the original Mi