Skip to main content

Examining GPO Health

I was recently asked to evaluate an Active Directory environment to determine it's health, specifically relating to GPO's and how they were being used.

I discovered that the number and configuration of the OU's, GPO's, and contents, were a clear indication that the administration of GPO's was not well understood by the committee of people who were managing them, and that there were clearly problems being self-inflicted due to these issues.

The question, however, was how can we quickly assess whether the management of GPO's was in trouble, and also how can we quantify the issue?

The first thing to understand is that there are Recommended Best Practices from Microsoft for how to manage GPO's.  See https://technet.microsoft.com/en-us/library/cc785903(v=ws.10).aspx

But how to quantify these subjective suggestions?



First,  "Minimize the Use of the Block Policy Inheritance Feature".  


You can determine the number of OU's that have Blocked Policy Inheritance with the follow PowerShell command:

Get-ADOrganizationalUnit -Filter * | Get-GPInheritance | Where-Object {$_.GPOInheritanceBlocked}| measure

After having seen a "bad" install, I believe that the number should be less than 5% of the total number of OU's.  Or perhaps a raw number of 10-15 might be allowed.



Second, "Minimize the Use of the Enforce Feature".

How do you determine how many GPO's have Enforce Enabled?  How do I know where these are linked?
One quick way is to list all Links that are Enforced.
Use the following command:
Get-ADOrganizationalUnit -Filter * | Get-GPInheritance | Foreach {$_.GPOLinks } | Where {$_.Enforced} |  select DisplayName,Enabled,Enforced,Target

Another is to list the full set of GPO's linked to a single OU.  Example: for the OU=Servers there
Get-ADOrganizationalUnit "ou=servers,ou=corp,dc=mydomain,dc=com" | Get-GPInheritance |%{ $_.inheritedgpolinks }

This command will list the same information that is displayed in the GPMC GUI under the "Group Policy Inheritance" tab.  Note that the Order property is the order of the source GPO order on the applied OU, not the resulting order in the reported OU.  The property is listed in the precedence order of execution (backwards of course).

To report all OUs, and all links in all OU's, requires a bit more work.
$OUs = Get-ADOrganizationalUnit -Filter * | select DistinguishedName,LinkedGroupPolicyObjects,Name
$OUs += Get-ADDomain
$report = foreach ($ou in $OUs) {
   if ($ou.LinkedGroupPolicyObjects) {
   $inher = Get-GPInheritance -target $ou.DistinguishedName
   $count = 0
     foreach ($link in $inher.inheritedGpoLinks) {
       $count += 1
       "" | select-Object -property @{n="ou";E={$inher.Path}},
    @{N="Order";E={$count}},
       @{n="GPOname";e={$link.Displayname}},
    @{N="Enabled";E={$link.enabled}},
    @{N="Enforced";E={$link.enforced}},
    @{N="Target";E={$link.Target}}
     }
   }
  }

$report |export-csv .\GPO-Links-cwInheritance.csv  -NoTypeInformation


Comments

Popular posts from this blog

"Blinky" TDOA RDF Detector

Our local Amateur Radio club is building a Radio Direction Finding TDOA (Time Difference of Arrival) detector that has LED's to indicate the direction (Left or right) of the fox.  Here are the build instructions.   (Note: this project was originally presented by NZ1J.  See his video:   https://www.youtube.com/watch?v=mNqUKYkifOo&t=68s   ) Here is the completed project: We start with the schematic:   Note that you either install PIN Diode pairs s D3 and D2, or Diodes pair D1 and D4.   The difference between these is the packaging.  If you are ok with Surface mount, then install D1/D4.  If you want discrete components use D3/D2. Next is the PCB.   The PCB can be ordered using the GRBR files available from the author.  The BOM for the electronic parts is as such: Doppler Direction Finder Bill of Materials   11/12/2021        Qty Part Digi-key Part Numbe...

Radio Direction Finding - TDOA

This article describes a few projects that I built from plans for Amateur Radio Fox Hunting. Basically, the hobby/sport is for someone to hide a few low power "Foxes", which are small transmitters that beep or send Morse Code, and then have a bunch of HAM's try to find them. The first project that I built was a Yagi Antenna (Directional receiver) and a 4MHZ Offset Attenuator.  The attenuator is needed when you get close to the fox and you need to reduce the power of the received signal.  I struggled with this setup because, on my first 2 fox hunts, there was too much reflection and multi-path interference.  This causes false direction detection and if you are not mentally prepared for this, you want to throw all of your equipment into a garbage can and take up a different hobby.   There are some truly strange individuals who find this frustration fun and enjoy making other people suffer, but I will leave that discussion for another day.  Anyw...

Powershell Tricks and Notes

How to expand parameterizedProperty Note if you issue the following command: Get-ADComputer -Filter * |Get-Member You will get the following result:   TypeName: Microsoft.ActiveDirectory.Management.ADComputer Name              MemberType            Definition ----              ----------            ---------- Contains          Method                bool Contains(string propertyName) Equals            Method                bool Equals(System.Object obj) GetEnumerator     Method...